Mail Assure Help

DKIM Certificate Generation

Why should I use DKIM?

There are several advantages to using DKIM to sign your outgoing emails:

  • The recipient is able to verify that the message originated from the specified sender.
  • The recipient is able to verify that the message content (and important headers e.g. the subject) has not been altered.
  • It lowers the chance of the email being identified as spam, although this is not the primary reason to sign.

If a spammer is trying to abuse your domain or email address, using DKIM reduces the chances of spam getting through. Many email servers check for a valid DKIM signature on incoming email.

How does it work?

DKIM adds a special DKIM Signature to the email headers. This signature contains a hashed value of the content (both important headers and the body). When a server that is checking for DKIM receives an email, it does the following:

  1. Retrieves the public key from the DNS of the sending domain.
  2. Uses the key to decrypt the signature.
  3. Verifies the content.

The exact actions a mail server takes when it discovers an invalid signature depend on the configuration of that server.

What do you sign by default?

Besides the body, the following headers are by default included in the signing:

  • from
  • date
  • subject
  • reply-to
  • sender
  • to
  • cc
  • bcc
  • message-id
  • in-reply-to
  • references
  • content-type
  • mime-version
  • content-transfer-encoding

Generate a DKIM certificate in the Mail Assure Control Panel

  1. In the Domain Level Control Panel, select Outgoing > DKIM .
  2. Choose the DKIM key length (we advise 2048, if your DNS can accept that).

  3. Enter the DKIM selector and click on Generate and save new private/public pair.

Once the key has been generated, you will need to add it to the DNS on the sub domain:

----------------------------------------------------------

For example with:

test._domainkey.example.com

Save this in your DNS as a TXT record and then, in the Outgoing User Settings page for your outgoing user ( see Manage Outgoing Users), you need to enter 'test' in the DKIM Selector field.

Any domain that sends using outgoing authentication that has this selector, should sign with this (assuming they do not have their own DKIM).

----------------------------------------------------------

Further reading

The following sites provide more information on DKIM:

RFC4870

RFC4871

RFC5322

Wikipedia