Sophos UTM and DKIM

DKIM, also known as DomainKeys, is a procedure for determining the authenticity of emails. The basic functionality is explained quite simply:

The sending mail server calculates a hash value for each mail it sends and appends this hash to each mail in the e-mail header. The receiving mail server can evaluate the signature and also calculate the hash. If the hash specified in the mail header matches the calculated hash, this ensures that the mail originates from the sender's e-mail server and has not been modified.

The hash is encrypted by the sending mail server and decrypted by the receiving mail server so that the hash cannot simply be changed during the transmission of the mail. Encryption is based on asymmetric encryption and the required keys can be easily generated by the user. A certification authority as with SSL certificates is not required.

Create RSA key

To be able to use DKIM, a private key and a public key are required. The public key is published in the DNS as a TXT record, the private key is used to sign the mail. You can easily generate the corresponding keys yourself. With the OpenSSL program, the corresponding keys for DKIM can be generated quite easily under Windows (and Linux).

For Windows operating systems, OpenSSL is required first, which can be downloaded here:

• https://wiki.openssl.org/index.php/Binaries

OpenSSL can be installed on any computer. In the standard installation, it is installed under "C:\Program Files (x86)\OpenSSL":

After installation, a command prompt (cmd) can be started with administrator rights. The following command must then be used to change to the OpenSSL program directory:

cd "C:\Program Files (x86)\OpenSSL\bin"

The private key can now be created with the following command:

openssl.exe genrsa -out DKIM_Private_Key.key 2048

The public key is then generated with the following command:

openssl.exe rsa -in DKIM_Private_Key.key -out DKIM_Public_Key.public -pubout -outform PEM

There are now 2 files in the directory, the public key "DKIM_Public_Key.public" and the private key with the name "DKIM_Private_Key.key":

The public key must now be edited so that it can later be published in the DNS. The public key (DKIM_Public_Key.public) currently contains several lines:

The lines with "--BEGIN PUBLIC KEY--" and "--END PUBLIC KEY--" are removed:

The line breaks are then removed and the complete key is now in one line:

Note: Make absolutely sure that no characters of the key are removed, otherwise the key is invalid.

Create DNS entry

For DKIM to work, a corresponding DNS entry must be created. This is a TXT record, similar to the TXT record for SPF.

The TXT record for DKIM is set here using the host Strato as an example. The DNS settings can be found in the customer center under "Domain management":

New TXT records can be created for the respective domain here:

DKIM TXT records are structured according to the following scheme:

keyselector._domainkey.domain.tld

The "Keyselector" is a freely selectable name to identify the DKIM entry. Several DKIM entries can therefore exist. The key selector is specified in the header of a DKIM-signed mail so that a receiving mail server can compile and retrieve the corresponding DNS record from it.

The following options are specified for the value:

• v=DKIM1 (The DKIM version used)
• k=rsa (specification of the key type, in this case "rsa")
• p=Public key (the previously generated key is used here) Public Key specified.

At Strato it looks like this:

I have chosen "dkim1" as the selector, so I can simply increase the selectors if necessary.

Once the TXT entry has been set, the settings can also be checked directly:

• http://dkimcore.org/tools/keycheck.html

The key selector and the domain can be specified and checked on the website:

The website then returns the DNS entry and the result. Here you can see that the corresponding DNS entry has been put together from the selector and domain:

If the check was successful, the configuration of the Sophos UTM can begin.

Configuration Sophos UTM

The configuration of the UTM is done quickly. The DKIM settings can be found under "Email Protection" on the "Advanced" tab:

Under the item "DomainKeys Identified Mail (DKIM)", the private key (DKIM_Private_Key.key) is entered. The key can be accepted in full. It is not necessary to remove passages.

The previously assigned selector from the DNS entry is now entered in the "Key selector" field, in this case "dkim1". This is not the version ("v option in the DNS entry"), but the freely selectable name (selector).

The DKIM domains field is used to specify the domains for which the DKIM header is to be added. If there are several e-mail domains, several domains can also be specified here. If there are several domains, the DKIM DNS entry must also be created for the other domains:

Once the settings have been accepted, you can test them.

Test

You can easily test whether the DKIM configuration works by sending an e-mail to the following address:

The service checks the SPF and DKIM settings and informs you of the result.

In this case, the mail is sent via an Exchange server, Exchange must forward the outgoing mails to the Internet via the Sophos UTM, as the DKIM signature is only appended by the Sophos UTM.

Note: Exchange Server does not provide an on-board tool for adding the DKIM signature.

After a short time, an authentication report is sent back. The report then contains the results:

If "DKIM check pass" is displayed in the reply email, the DKIM settings are working.

The DKIM header of the original mail can also be found a little further down in the reply mail. Here you can see the signature that was attached by the UTM:

The reply email also contains a DKIM signature, which is visible in the header: