- The system administrator creates a private/public key pair for the server and publishes the public key in the domain’s domain name server.
- Using the private key, the sending server creates a signature for each outgoing message. The resulting signature data is stored in a “DKIM-Signature” header within the message.
- The receiving server obtains the signature from the “DKIM-Signature” header and verifies it using the signer’s public key.
- Open the Security menu from the MDaemon interface
- Select SPF & SenderID / DomainKeys & DKIM / HashCash…
- Select the DK & DKIM (signing) tab
- Enable Sign outgoing messages with DomainKeys Identified Mail (DKIM)
- Click the Create new public and private keys to have MDaemon generate the public key your DNS server needs for DKIM checks and the private one that MDaemon uses. (If you have done this already for DomainKeys you will want to skip this step)
- A confirmation window will appear, click yes to continue.
- After MDaemon creates the key pair, the readme will display on screen showing the public keys that need to be entered into your DNS server. It is also saved to \MDaemon\Pem\MDaemon\dns_readme.txt
- Enter this public key from the readme into your DNS server as a TXT record. The instructions on how to edit your DNS records will vary based on what DNS software you are using. Do NOT use the DKIM ssp record for DNS section of the file. Use the example information below as a template for creating your DNS entries. The DKIM standard has changed, and MDaemon 9.x and below generates outdated examples using SSP (Sender Signing Practices) rather than ADSP (Author Domain Signing Practices).
dkim=unknown – The domain might sign some or all email
dkim=all – All mail from the domain is signed
dkim=discardable – All mail from the domain is signed and receivers are
encouraged to discard unsigned mail
Example DNS data for policy using DKIM:
- If all outbound mail for domain.com is signed:
_adsp._domainkey.domain.com. IN TXT 'dkim=all'
- If all outbound mail for domain.com is signed and unsigned mail should be discarded:
_adsp._domainkey.domain.com. IN TXT 'dkim=discardable'
- If some outbound mail for domain.com might not be signed:
_adsp._domainkey.domain.com. IN TXT 'dkim=unknown'