DomainKeys / DKIM Wizard

How to get here

The DomainKeys / DKIM Wizard was designed to allow and IMail Administrator to quickly setup the necessary items for DomainKeys / DKIM.

Step 1

DomainKeys or DKIM

DomainKeys and DKIM allow messages to be cryptographically signed, which allows receiving servers to verify the source and contents of messages. Both specifications are similar, however, DKIM handles e-mail routing better than DomainKeys and is considered to be the preferred method of signing messages.

• Choose the selector type:
  • DomainKeys. Uses Message Algorithm for Preparation Signing.
  • DKIM. Uses Header and Body Algorithm for Preparation Signing.
• Requires a selector Name to allow identification within the IMail Administration.
• Enter the DNS Text Record that will associate the selector in DNS. This text name allows any text string that is a legal DNS domain name.

  Example: DNS Text Record set to MyDNSName will be named "MyDNSName_domainkey.domainname.com"

• Description is optional and is limited to 1024 characters.

Step 2

Choosing your Algorithm:

The simple and relaxed header and body algorithms prepare the e-mail before signing occurs. This is known as canonicalization and does not affect the message that is actually sent in any way. These algorithms attempt to handle cases where normal transformations that occur to a message as it is sent will cause a signature to be verified incorrectly. The 'simple' Canonicalization algorithm tolerates almost no modification of the message, while the 'relaxed' canonicalization algorithm allows some typical transformations to occur without breaking the signature (such as modifying whitespace and folding whitespace in the message and its headers). The relaxed canonicalization algorithm is recommended unless it is critical that a message not be modified in any way during transit to a receiving mail server.

• Header Algorithm (DKIM only). DKIM uses both the Header and Body Algorithm as the specified canonicalization method.
  • Simple. This algorithm is designed to be the least tolerant. Each header is unfolded per RFC2822 and is converted to lowercase.
  • Relaxed. (Set by default) This algorithm tolerates common modifications such as white-space replacement and header line re-wrapping.
• Body Algorithm (DKIM only).
  • Simple. This algorithm is designed to be the least tolerant.
  • Relaxed. (Set by default) This algorithm tolerates common modifications such as white-space replacement and header line re-wrapping.
• Message Algorithm (DomainKeys only). DomainKeys uses the Message Algorithm as the specified canonicalization method.
  • Simple. Allows toleration of almost no modification.
  • No Folding Whitespace (nofws). (Set by Default) Allows common modifications such as white-space replacement and header line re-wrapping.

Step 3

Assigning Domains

Please choose which domains are allowed to use this selector for signing. Domains added to the list on the right are able to use this selector for its users.

• By default, when run at the domain level, only the selected domain be selected, otherwise it will be up to the IMail Administrator to select which domains will be assigned.
• This step gives you the capability to also add any existing domains to the selector. Any domains that are in the "Available Domains" box can be assigned the new selector being created.

  Note: The selector will not be enabled until the DNS Test is valid. Should the DNS Test fail, all domains set for this selector will be disabled. It will be up to the IMail Administrator to enable the selectors after the DNS has been corrected.

Step 4 (DKIM Selectors Only)

One or Multiple DNS Text Records

This step will only appear when creating a DKIM selector and multiple domains have been assigned to the selector. DKIM has the capability to have all domains point to one specified domain for the DNS record. This is the simplest and recommended way of setting up DKIM. If you wish, however, you can choose to enter a DNS record for every domain by selecting the second option in the drop down list.

• By default this feature is selected. Should you want to create a DNS record for each domain, select the second option "All domains use their own DNS records.

Note: DomainKeys is not as flexible as DKIM and requires a DNS text record for each domain, per the RFC.

Step 5

Private Key and DNS Text Record

• This page has generated a private key that must be inserted into the DNS text record that is identified under the text box.

  Example: DnsTextRecord_domainkey.domain.name.com

• Generate a matching DNS text record for each item listed on the wizard page.

If you do not have access to your DNS records, contact your DNS administrator to add these records. Please note, that it is recommended that you continue to the next screen and save this selector if the process of adding the DNS records will take more than a few minutes.

Tip: Remember to check for the "p=" in front of the key

Step 6

DNS Test and Selector Status

• At this point the DNS text record must exist to be tested for validity. If the DNS record has not yet been created, it is recommended to click "Done" to save the selector.

  Warning: Click "Done" now, as the IMail Server will eventually time out and your selector will be lost.

• Also, if the DNS text record has not been created, it is recommended to disable the selector.
• After the DNS text record has been created, it can be tested by editing the selector. The DNS Test button is located under the Domains list using the new selector.
• The DNS Test button will display "successful" for each domain. A link to assist with DNS problems will display for domains that "failed".
• See the following KB for DNS help - http://kb.imailserver.com/cgi-bin/imail.cfg/php/enduser/std_adp.php?p_faqid=72

Important: After creating a selector be sure to restart your SMTP and Queue Manager services.

Related Topics

About DomainKeys / DKIM

Domain Selector List (Signatures)

System Signing Options (Selectors)