Configuring DomainKeys/DKIM signing options in SecurityGateway
This article explains how to configure SecurityGateway to sign messages using the DKIM and/or DomainKeys standard so that they can be verified as a valid message from the sending domain. For more information regarding DKIM, please visit http://www.dkim.org/info/dkim-faq.html.
From the Dashboard, after logging in:
- Click on Security on the lower-left side
- Locate the Anti-Spoofing section
- Click on DK/DKIM Signing
Note that you may change individual domains' signing settings from the drop-down menu in the upper-right corner of the window.
From here, you may configure the following options:
Sign outbound messages using DomainKeys Identified Mail (DKIM)
SecurityGateway will sign messages using the DKIM standard and the selector that is selected below before sending them out. By default, this option is disabled.
Sign outbound messages using DomainKeys
SecurityGateway will sign messages using the DomainKeys standard and the selector that is selected below before sending them out. By default, this option is disabled.
Sign messages using this selector
SecurityGateway can sign messages with more than one DomainKeys or DKIM key if you would like by creating multiple selectors. Click on the New button to bring up the New DKIM Selector window, and enter the name of the new selector, then click on Save and Close. You may remove the currently selected selector with the Delete button.
Note that any DomainKeys or DKIM selector that is created must be inputted into your DNS record in order for it to be verified properly by other servers. Click on the 'View DNS configuration (public key) for this selector' link to note what information to copy into your domain's record. More information on publishing your DK/DKIM public key in your DNS record can be found at http://domainkeys.sourceforge.net/dist.html.
The following options affect all domains in SecurityGateway:
Signatures expire after x days (x= tag, default 7 days)
SecurityGateway will set the x= tag in the signature it adds to outgoing messages to this value, and to indicate how long this particular key is valid for. Messages with an expired key will always fail on a verification check. By default, this is enabled, and set to 7.
Signatures include query method(s) (q= tag)
SecurityGateway will set the q= tag in the signature it adds to outgoing messages, usually 'q=dns/txt', to indicate the query-method that other servers should use to verify the public key for the domain. By default, this is enabled.
Signatures include body length count (l= tag)
SecurityGateway will set the l= tag in the signature it adds to outgoing messages, recording the length of the message-body to help prevent against message-tampering. By default, this is enabled.
Signatures include original header content (z= tag)
SecurityGateway will set the z= tag in the signature it adds to outgoing messages, recording the original headers listed in the message when it was signed to help prevent against header-tampering. By default, this is disabled.
Canonicalize headers/body using simple/relaxed
SecurityGateway will set the c= tag in the signature it adds to outgoing messages to the above value, by default 'c=simple/simple'. Simple canonicalization requires the header/body of the message to not have been changed in any way, including capitalization and spacing, and relaxed allows for minor changes, but is less secure than simple.
Note that any DomainKeys or DKIM public keys published in your domain will require a few days for the information to be propogated to other DNS servers.
Also, changing the public key associated with a selector can cause previously sent, but valid, messages to fail a check, since they will no longer match the current public key associated with the selector.
KBA-01905 Configuring DomainKeys/DKIM verification options in SecurityGateway