
Exchange Server and DKIM

I already wrote about DKIM here in connection with the Sophos UTM. This article covers Exchange and DKIM. Mails can be given a DKIM signature directly on the Exchange server, so an additional anti-spam solution that attaches the DKIM signature is not required. To attach DKIM signatures directly on the Exchange server, the free tool "Exchange DKIM Signer" can be used.

To use Exchange DKIM Signer, the package linked above must be copied to the Exchange server. After it has been unpacked, the application "Configuration.DkimSigner.exe" can be started:

After starting, a GUI for the configuration appears. The GUI creates an XML file for the configuration and installs the Exchange transport agent; alternatively, this can also be done manually. The manual configuration is described here. In this article, however, the GUI is used:

For the configuration, the domain that is to be provided with DKIM signatures must first be added on the "Domain Settings" tab:

In the "Domain details" fields, enter the domain from which mails are to be sent. The selector is a freely chosen string that identifies the DNS record; for example, "dkim1", "dkim2020" or something else can be used here. A common convention is "p" followed by the year in which the key was created, for example "p2020". For compatibility reasons, "1024" should be selected as the "Key length for generation". The reason is that with a 2048-bit key, the required DNS entry is longer than 255 characters, and many providers do not allow such long strings to be entered in DNS (although it is technically possible). If the provider allows long DNS records, "2048" can also be selected here:

After the key has been created and saved, the required DNS entry is displayed:

The DNS record displayed by Exchange DKIM Signer must now be created as a TXT record in the public DNS of the domain hoster:

The "Check" function in Exchange DKIM Signer can be used to verify that the DNS entry has been created correctly. If split-brain DNS is used, the TXT record should also be created on the internal DNS servers:
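The following is an added example (not code from Exchange DKIM Signer or from the original article) that shows what happens behind the key-length advice and the "Check" button: it builds the `selector._domainkey.domain` TXT record from a base64 public key, splits values longer than 255 characters into several DNS strings for providers that accept them, and parses a published record back to spot a truncated or mismatched key. The public keys are constructed placeholders with the real base64 lengths of a DER RSA public key (216 characters for 1024 bit, 392 for 2048 bit); they are not key material, and the record parsing is a simplified offline stand-in for the tool's check.

```python
"""Build and sanity-check a DKIM DNS TXT record offline (stdlib only).

Added example, not part of Exchange DKIM Signer. The public keys are
length-correct placeholders, not real keys.
"""
import base64
import binascii

# One DNS TXT <character-string> holds at most 255 octets (RFC 1035).
TXT_STRING_LIMIT = 255

# Constructed placeholders: a DER SubjectPublicKeyInfo for RSA with e=65537
# is 216 base64 characters at 1024 bit and 392 at 2048 bit. NOT real keys.
PUBKEY_1024_B64 = "A" * 216
PUBKEY_2048_B64 = "A" * 392


def dkim_record_name(selector, domain):
    """Owner name of the key record, e.g. p2020._domainkey.example.com."""
    return f"{selector}._domainkey.{domain}"


def dkim_txt_value(pubkey_b64, key_type="rsa"):
    """Tag=value record body in the form DKIM Signer displays it."""
    return f"v=DKIM1; k={key_type}; p={pubkey_b64}"


def split_txt_strings(value, limit=TXT_STRING_LIMIT):
    """Split a long TXT value into <=255-octet strings; resolvers join them again."""
    data = value.encode("ascii")
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]


def zone_file_line(name, value):
    """Zone-file representation with one quoted string per 255-octet chunk."""
    quoted = " ".join(f'"{s}"' for s in split_txt_strings(value))
    return f"{name}. IN TXT {quoted}"


def parse_dkim_record(txt_strings):
    """Join the TXT strings and parse 'tag=value; tag=value' (RFC 6376 section 3.2)."""
    tags = {}
    for part in "".join(txt_strings).split(";"):
        if "=" not in part:
            continue
        tag, _, val = part.partition("=")
        # folding whitespace inside a tag value is not significant
        tags[tag.strip()] = "".join(val.split())
    return tags


def check_dkim_record(txt_strings, expected_pubkey_b64):
    """Offline stand-in for the 'Check' button: returns a list of problems (empty = OK)."""
    problems = []
    tags = parse_dkim_record(txt_strings)
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append(f"unexpected version tag v={tags['v']}")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unexpected key type k={tags['k']}")
    pub = tags.get("p")
    if not pub:
        problems.append("p= tag missing or empty (an empty p= means the key is revoked)")
        return problems
    try:
        base64.b64decode(pub, validate=True)
    except binascii.Error:
        problems.append("p= tag is not valid base64 (record truncated or mis-split?)")
    if pub != "".join(expected_pubkey_b64.split()):
        problems.append("published key does not match the key generated by DKIM Signer")
    return problems


if __name__ == "__main__":
    name = dkim_record_name("p2020", "example.com")  # constructed domain
    for label, key in (("1024", PUBKEY_1024_B64), ("2048", PUBKEY_2048_B64)):
        value = dkim_txt_value(key)
        print(f"{label}-bit key: {len(value)} characters, "
              f"{len(split_txt_strings(value))} TXT string(s)")
        print(zone_file_line(name, value)[:90] + "...")
    # A provider that silently cuts the 2048-bit value at 255 characters
    # yields a record the check rejects:
    cut = [dkim_txt_value(PUBKEY_2048_B64)[:255]]
    print(check_dkim_record(cut, PUBKEY_2048_B64))
```

The 1024-bit value comes to 234 characters and fits in a single TXT string, while the 2048-bit value is 410 characters and needs two strings; a provider that keeps only the first 255 characters publishes a p= tag that is not even valid base64, which is exactly the failure the "Check" function is there to catch.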

If the test was successful, the entry for the domain can be saved. If additional domains are used to send emails, these domains must also be created as described above. In this case, you should create additional RSA keys and not use the existing one.

The configuration of Exchange DKIM Signer is now complete, and the required transport agent can be installed. The Exchange transport agent is installed on the "Information" tab using the "Install" button:

DKIM Signer now loads the required packages:

The transport agent is then installed automatically with the required configuration:

The installation of the transport agent can be viewed by clicking on "Configure". The agent can also be deactivated or uninstalled here if required:

It is very easy to test whether DKIM works as expected. Simply send an e-mail to the following address:

The e-mail is then automatically answered and contains the test results:

For DKIM to work correctly, the mail must not be modified after the DKIM signature has been applied. So if the mail is forwarded from the Exchange server to an anti-spam gateway and only then sent to the recipient, this can lead to problems depending on the configuration. However, this is usually not a problem with smarthosts or relays that simply forward the mails.
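To make the "must not be modified" rule concrete, here is an added example (not from the original article or from Exchange DKIM Signer) that computes the DKIM body hash (the `bh=` tag) with the "relaxed" body canonicalization from RFC 6376 section 3.4.4 over a constructed message body. Changes that relaxed canonicalization absorbs, such as trailing spaces or extra blank lines at the end, leave the hash intact; a gateway that appends a footer after the signature changes it, and the recipient's verifier then rejects the signature. The footer text and message body are constructed sample data.

```python
"""DKIM body hash (bh=) under relaxed canonicalization, stdlib only.

Added example, not part of Exchange DKIM Signer. Shows which downstream
modifications break a signature that was already applied.
"""
import base64
import hashlib
import re


def canonicalize_body_relaxed(body):
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization.

    - runs of whitespace inside a line become a single space
    - whitespace at the end of each line is removed
    - empty lines at the end of the body are removed
    - a non-empty body ends with exactly one CRLF
    """
    lines = body.replace("\r\n", "\n").split("\n")
    out = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while out and out[-1] == "":
        out.pop()
    if not out:
        return b""
    return ("\r\n".join(out) + "\r\n").encode("utf-8")


def body_hash(body):
    """Base64 SHA-256 of the canonicalized body, i.e. the bh= tag value."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_matches(body, bh_tag):
    """What a verifier does first: recompute bh= over the body it received."""
    return body_hash(body) == bh_tag


def append_footer(body, footer):
    """Constructed stand-in for a gateway that adds a disclaimer after signing."""
    return body.rstrip("\r\n") + "\r\n\r\n" + footer + "\r\n"


# Constructed message body as it leaves the Exchange server, already signed.
ORIGINAL_BODY = "Hello,\r\n\r\nplease find the report attached.\r\n\r\nRegards\r\n"
SIGNED_BH = body_hash(ORIGINAL_BODY)

# Cosmetic changes that relaxed canonicalization tolerates.
WHITESPACE_VARIANT = "Hello,  \r\n\r\nplease   find the report attached.\t\r\n\r\nRegards\r\n\r\n\r\n"

# A footer appended downstream: the signed bh= no longer matches.
FOOTER_VARIANT = append_footer(ORIGINAL_BODY, "-- Scanned by the constructed anti-spam gateway --")


if __name__ == "__main__":
    print("signed bh=", SIGNED_BH)
    print("whitespace-only change still verifies:", body_hash_matches(WHITESPACE_VARIANT, SIGNED_BH))
    print("appended footer still verifies:      ", body_hash_matches(FOOTER_VARIANT, SIGNED_BH))
```

The header canonicalization and the RSA signature over the `DKIM-Signature` header are left out here; the body hash alone is enough to show why the signing hop has to be the last one that touches message content, and why a plain smarthost that relays the message unchanged is harmless.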
