Using DKIM to Authenticate Email Message

Domain Keys Identified Mail (DKIM) defines a domain-level authentication mechanism that lets your organization take responsibility for transmitting an email message in a way that can be verified by a recipient. Your organization can be the originating sending site or an intermediary. Your organization’s reputation is the basis for evaluating whether to trust the message delivery.

You can add a DKIM digital signature to outgoing email messages, associating the message with a domain name of your organization. You can enable DKIM signing for any number of domains that are being hosted by ZCS. It is not required for all domains to have DKIM signing enabled for the feature to work.

DKIM defines an authentication mechanism for email using

• A domain name identifier
• Public-key cryptography
• DNS-based public key publishing service.

The DKIM signature is added to the email message header field. The header information look like this example.

DKIM-Signature a=rsa-sha1; q=dns;

d=example.com;

i=user@eng.example.com;

s=jun2005.eng; c=relaxed/simple;

t=1117574938; x=1118006938;

h=from:to:subject:date;

b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSb

av+yuU4zGeeruD00lszZVoG4ZHRNiYzR

Receivers who successfully validate a DKIM signature can use information about the signer as part of a program to limit spam, spoofing, phising, or other undesirable behavior.

Configure ZCS for DKIM Signing

DKIM signing to outgoing mail is done at the domain level. To set up DKIM you must run the CLI zmdkimkeyutil to generate the DKIM keys and selector. You then update the DNS server with the selector which is the public key.

1. Log in to the ZCS server and as zimbra, type

/opt/zimbra/libexec/zmdkimkeyutil -a -d <example.com>

The public DNS record data that must be added for the domain to your DNS server is displayed. The public key DNS record appears as a DNS TXT-record that must be added for the domain to your DNS server.

Optional. To specify the number of bits for the new key, include -b in the command line, -b <####>. If you do not add the -b, the default setting is 1024 bits.

DKIM Data added to LDAP for domain example.com with selector B534F5FC-EAF5-11E1-A25D-54A9B1B23156

Public signature to enter into DNS:

B534F5FC-EAF5-11E1-A25D-54A9B1B23156._domainkey IN TXT “v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+ycHjGL/mJXEVlRZnxZL/VqaN/Jk9VllvIOTkKgwLSFtVsKC69kVaUDDjb3zkpJ6qpswjjOCO+0eGJZFA4aB4BQjFBHbl97vgNnpJq1sV3QzRfHrN8X/gdhvfKSIwSDFFl3DHewKDWNcCzBkNf5wHt5ujeavz2XogL8HfeL0bTwIDAQAB” ; —– DKIM B534F5FC-EAF5-11E1-A25D-54A9B1B23156 for example.com

The generated DKIM data is stored in the LDAP server as part of the domain LDAP entry.

2. Work with your service provider to update your DNS for the domain with the DKIM DNS text record.
3. Reload the DNS and verify that the DNS server is returning the DNS record.
4. To verify that the public key matches the private key, type

/opt/zimbra/opendkim/sbin/opendkim-testkey -d <example.com> -s <0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB> -x /opt/zimbra/conf/opendkim.conf

• –d is the domain name
• -s is the selector name
• -x is the configuration file

Update DKIM Data for a Domain

When the DKIM keys are updated, the DNS server must be reloaded with the new TXT record.

Good practice is to leave the previous TXT record in DNS for a period of time so that email messages that were signed with the previous key can still be verified.

1.Log in to the ZCS server and as zimbra, type

/opt/zimbra/libexec/zmdkimkeyutil -u -d <example.com>

Optional. To specify the number of bits for the new key, include -b in the command line, -b <####>. If you do not add the -b, the default setting is 1024 bits.

2. Work with your service provider to update your DNS for the domain with the DKIM DNS text record.

3. Reload the DNS and verify that the DNS server is returning the DNS record.

4. To verify that the public key matches the private key, type

/opt/zimbra/opendkim/sbin/opendkim-testkey -d <example.com> -s <0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB> -x /opt/zimbra/conf/opendkim.conf

• -d is the domain name
• -s is the selector name
• -x is the configuration file

Remove DKIM Signing from ZCS

Removing DKIM signing deletes the DKIM data from LDAP. New email message no longer are signed for the domain. When you remove DKIM from the domain, good practice is to leave the previous TXT record in DNS for a period of time so that email messages that were signed with the previous key can still be verified.

1. To remove, type

/opt/zimbra/libexec/zmdkimkeyutil -r -d example.com

Retrieve DKIM Data for a Domain

1. To see the stored DKIM information for the domain, selector, private key, public signature and identity, type

/opt/zimbra/libexec/zmdkimkeyutil -q -d example.com