Enabling DKIM signing for a domain
You can enable DKIM signing for all outbound messages from a specific domain, using an existing domain key.
Although the DKIM standard allows multiple signatures, Symantec Messaging Gateway can add only one DKIM signature to an outbound message.
- To enable DKIM signing for a domain
- In the Control Center, on the Administration > Settings > Certificates > Domain Keys tab, make sure that you added or imported a domain key for DKIM signing.
- Click Protocols > SMTP > Domains.
- Click the underlined name of the domain to which you want to add DKIM signing.
- On the Edit Domain page, click the Delivery tab.
- In the DomainKeys Identified Mail panel, click Enable DKIM signing for messages from this domain.
- In the Base domain field, enter the domain name to be used as part of the DKIM signature, in the form: example.com
- In the Selector box, type a selector string that receiving MTAs can use to perform DNS lookup to retrieve your public key. The selector identifies the key that SMG uses to sign the messages that are sent from this domain. Enter a string of up to 63 lowercase alphanumeric characters (a-z or 0-9). For more information on the use of selectors, see RFC 4871, Section 3.1.
- From the Signing key drop-down list, choose the domain key that you want to use to sign messages from this domain.
- In the Signature expiration box, type an integer between 1 and 9999, inclusive, and then click either Hours or Days. The default value is 30 days.
- If you want to customize DKIM signing further, click Show Advanced and complete the following optional fields:
  Identity: An email address, with or without the portion before the @, that includes either the base domain or a subdomain of the base domain. For example, if your base domain is example.com, acceptable identity strings include:
  Override default signed headers: Check this box to replace the default signed headers with headers of your own design. Then type one or more headers, separated by colons. You can append any header with one of the following characters:
  - ? - Sign a single copy of the header. Do not assert a non-existent header if the header does not exist.
  - * - Sign all existing copies of the header. Assert a non-existent header if the header does not exist.
  - + - Sign all existing copies of the header. Do not assert a non-existent header if the header does not exist.
  - [No character] - Sign a single copy of the header. Assert a non-existent header if the header does not exist.
  Example: Received+:X-Example*:From:Subject?:Received
  Whether or not you override the default signed headers, Symantec Messaging Gateway includes the From: header.
  Headers: You can choose the method that is used to prepare the signature for the message headers.
  - apply "relaxed" algorithm creates a signature based on a representation of the headers that includes minor changes, such as changes to white spaces. If minor alterations of the headers occur during transit, relaxed canonicalization in many cases still results in a matching signature.
  - apply "simple" algorithm bases the signature on the exact content of the headers, including such details as spacing.
  The default for message headers is apply "relaxed" algorithm.
  Body: You can choose the method that SMG uses to prepare the signature for the message body.
  - apply "relaxed" algorithm creates a signature based on a representation of the message body that includes minor changes, such as changes to white spaces. If minor alterations of the message body occur during transit, relaxed canonicalization in many cases still results in a matching signature.
  - apply "simple" algorithm bases the signature on the exact content of the message body, including such details as spacing.
  The default for the message body is apply "simple" algorithm. For more information on canonicalization, see RFC 4871, Section 3.4.
- Click Generate to create a DKIM DNS text record. This text record uses the base domain, selector, and signing key details that you specified in the previous steps.
- Manually add the public key to your DNS records. Receiving MTAs access your DNS entry to retrieve your public key when the MTAs perform DKIM validation. You can use the Linux facility dig to confirm that you configured your DNS correctly.
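
One way to script the dig check from the last step (an added example, not part of the original Symantec documentation). It assumes the record is published at `<selector>._domainkey.<base domain>`, as the DKIM standard specifies; the function names, the selector `s1` and the truncated sample record are constructed for illustration.

```shell
# Added example: function names and sample values are constructed, not from SMG.
LC_ALL=C; export LC_ALL   # keep the a-z range below strictly ASCII

# Build the DNS name a receiving MTA queries: <selector>._domainkey.<base domain>.
# Enforces the selector rule from the procedure: 1-63 characters of a-z or 0-9.
dkim_qname() {
    selector=$1 domain=$2
    case $selector in
        ''|*[!a-z0-9]*) echo "invalid selector: $selector" >&2; return 1 ;;
    esac
    [ "${#selector}" -le 63 ] || { echo "selector longer than 63 characters" >&2; return 1; }
    printf '%s._domainkey.%s\n' "$selector" "$domain"
}

# dig prints a long TXT record as several quoted strings ("abc" "def").
# Join them into one value, as a verifier does before it parses the tags.
dkim_join_txt() {
    printf '%s' "$1" | sed -e 's/" *"//g' -e 's/^"//' -e 's/"$//'
}

# Succeed only if the record carries a non-empty p= tag (the public key) and,
# when a v= tag is present, its value is DKIM1.
dkim_record_ok() {
    record=$(dkim_join_txt "$1" | tr -d ' \t')
    case ";$record;" in
        *";p=;"*) echo "p= is empty (key revoked)" >&2; return 1 ;;
        *";p="*)  ;;
        *)        echo "no p= tag found" >&2; return 1 ;;
    esac
    case ";$record;" in
        *";v=DKIM1;"*) ;;
        *";v="*)       echo "unexpected v= value" >&2; return 1 ;;
    esac
    return 0
}

# Live check against DNS (needs network access), e.g.: dkim_check s1 example.com
dkim_check() {
    qname=$(dkim_qname "$1" "$2") || return 1
    answer=$(dig +short TXT "$qname")
    [ -n "$answer" ] || { echo "no TXT record at $qname" >&2; return 1; }
    dkim_record_ok "$answer"
}
```

Run `dkim_check` with the selector and base domain you entered on the Delivery tab; a non-zero exit status means the record is missing, split incorrectly, or has no usable key.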