Enabling DKIM signing for a domain

You can enable DKIM signing for all outbound messages from a specific domain, using an existing domain key.
Although the DKIM standard allows multiple signatures, Symantec Messaging Gateway can add only one DKIM signature to an outbound message.
  To enable DKIM signing for a domain
  1. In the Control Center, on the Administration > Settings > Certificates > Domain Keys tab, make sure that you have added or imported a domain key for DKIM signing.
  2. Click Protocols > SMTP > Domains.
  3. Click the underlined name of the domain to which you want to add DKIM signing.
  4. On the Edit Domain page, click the Delivery tab.
  5. In the DomainKeys Identified Mail panel, click Enable DKIM signing for messages from this domain.
  6. In the Base domain field, enter the domain name to be used as part of the DKIM signature, in the form example.com.
     If you also enable DMARC for outbound mail, the base domain that you enter here affects the DKIM alignment that you specify in your DMARC record. For instructions on how to create a DMARC record, visit .
  7. In the Selector box, type a selector string that receiving MTAs can use to perform a DNS lookup to retrieve your public key.
     The selector identifies the key that SMG uses to sign the messages that are sent from this domain. Enter a string of up to 63 lower-case alphanumeric characters (a-z or 0-9).
     For more information on the use of selectors, see RFC 4871, Section 3.1.
  8. From the Signing key drop-down list, choose the domain key that you want to use to sign messages from this domain.
  9. In the Signature expiration box, type an integer between 1 and 9999, inclusive, and then click either Hours or Days.
     The default value is 30 days.
  10. If you want to customize DKIM signing further, click Show Advanced and complete the following optional fields:
     Identity
     An email address, with or without the portion before the @, that includes either the base domain or a subdomain of the base domain. For example, if your base domain is example.com, acceptable identity strings include:
     • @example.com
     • user@example.com
     • @new.example.com
     • user@old.example.com
     Override default signed headers
     Check this box to replace the default signed headers with a header list of your own design. Then type one or more header names, separated by colons.
     You can append any header name with one of the following characters:
     • ? - Sign a single copy of the header. Do not assert a non-existent header if the header does not exist.
     • * - Sign all existing copies of the header. Assert a non-existent header if the header does not exist.
     • + - Sign all existing copies of the header. Do not assert a non-existent header if the header does not exist.
     • [No character] - Sign a single copy of the header. Assert a non-existent header if the header does not exist.
     Asserting a non-existent header lists the header name in the signature even though the message carries no such header, so a header of that name that is added after signing invalidates the signature (RFC 4871, Section 5.4).
     Example:
     Received+:X-Example*:From:Subject?:Received
     Whether or not you override the default signed headers, Symantec Messaging Gateway always includes the From: header.
     Headers
     You can choose the canonicalization method that is used to prepare the message headers for signing.
     • apply "relaxed" algorithm creates a signature based on a representation of the headers in which minor variations, such as changes to white space, are normalized. If minor alterations of the headers occur during transit, relaxed canonicalization in many cases still results in a matching signature.
     • apply "simple" algorithm bases the signature on the exact content of the headers, including such details as spacing.
     The default for message headers is apply "relaxed" algorithm.
     Body
     You can choose the canonicalization method that SMG uses to prepare the message body for signing.
     • apply "relaxed" algorithm creates a signature based on a representation of the message body in which minor variations, such as changes to white space, are normalized. If minor alterations of the message body occur during transit, relaxed canonicalization in many cases still results in a matching signature.
     • apply "simple" algorithm bases the signature on the exact content of the message body, including such details as spacing.
     The default for the message body is apply "simple" algorithm.
     For more information on canonicalization, see RFC 4871, Section 3.4.
  11. Click Generate to create a DKIM DNS text record. This text record uses the base domain, selector, and signing key details that you specified in the previous steps.
  12. Click Save.
  13. Manually add the public key to your DNS records.
     Receiving MTAs access your DNS entry to retrieve your public key when they perform DKIM validation.
     You can use the Linux facility dig to confirm that you configured your DNS correctly.
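The header-list syntax of the Override default signed headers field and the DNS name that the published public key must answer to, as an added Python example that is not part of Symantec's documentation or of the product: it applies the ?, *, + and no-suffix rules to a constructed set of message headers to show which names the signature's h= tag would carry, and builds the selector._domainkey.<base domain> record name that receiving MTAs look up. The suffix semantics are taken literally from the list above; that SMG emits names in spec order and simply appends From: when it is missing is an assumption.

```python
import re
from collections import Counter

# Suffix semantics as the page documents them: (sign_all_copies, assert_if_missing)
SUFFIXES = {"?": (False, False), "*": (True, True), "+": (True, False), "": (False, True)}

def dkim_dns_name(selector, base_domain):
    """TXT record name a receiving MTA queries for the key (RFC 4871, Section 3.6.2.1)."""
    return f"{selector}._domainkey.{base_domain}"

def parse_header_spec(spec):
    """Turn 'Received+:X-Example*:From:Subject?' into (name, sign_all, assert_missing) tuples."""
    entries = []
    for item in spec.split(":"):
        item = item.strip()
        if not item:
            continue
        suffix = item[-1] if item[-1] in "?*+" else ""
        name = item[:-1] if suffix else item
        if not re.fullmatch(r"[!-9;-~]+", name):  # RFC 5322 field-name characters
            raise ValueError(f"invalid header name: {name!r}")
        entries.append((name, *SUFFIXES[suffix]))
    return entries

def build_h_tag(spec, headers):
    """Header names the DKIM h= tag would list for a message with the given
    headers, applying the suffix rules above. From: is appended when the spec
    omits it, because SMG signs it whether or not the defaults are overridden."""
    counts = Counter(name.lower() for name, _ in headers)
    h = []
    for name, sign_all, assert_missing in parse_header_spec(spec):
        present = counts.get(name.lower(), 0)
        if present == 0 and assert_missing:
            h.append(name)  # listed although absent: a later-added copy breaks the signature
        elif present:
            h.extend([name] * (present if sign_all else 1))
    if all(n.lower() != "from" for n in h):
        h.append("From")
    return h

# Constructed sample message headers (name, value), in wire order.
SAMPLE_HEADERS = [
    ("Received", "from mx1.example.com by mx2.example.com"),
    ("Received", "from client.example.com by mx1.example.com"),
    ("From", "user@example.com"),
    ("Subject", "Quarterly report"),
]

if __name__ == "__main__":
    print("h=" + ":".join(build_h_tag("Received+:X-Example*:From:Subject?:Received", SAMPLE_HEADERS)))
```

Query the name that dkim_dns_name returns with dig TXT to confirm that the record is published.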