DKIM (DomainKeys Identified Mail, often just called DomainKeys) is a procedure for verifying the authenticity of e-mails. The basic principle is quickly explained:
The sending mail server calculates a hash value over each mail it sends and places this hash, together with a signature over it, in the e-mail header. The receiving mail server verifies the signature and recalculates the hash itself. If the hash given in the mail header matches the calculated hash, this ensures that the mail was sent by the sending domain's mail server and has not been modified in transit.
The hash is signed by the sending mail server with its private key, and the receiving mail server checks the signature with the matching public key, so the hash cannot simply be replaced while the mail is in transit. The procedure is based on asymmetric cryptography, and the required key pair can easily be generated by the user. A certification authority, as with SSL certificates, is not required.
Create RSA key
To be able to use DKIM, a private key and a public key are required. The public key is published in the DNS as a TXT record; the private key is used to sign the mail. You can easily generate the key pair yourself: with OpenSSL, the keys for DKIM can be created in a few commands under Windows (and Linux).
For Windows operating systems, OpenSSL is required first, which can be downloaded here:
OpenSSL can be installed on any computer. In the standard installation, it is installed under "C:\Program Files (x86)\OpenSSL":
After installation, start a command prompt (cmd) with administrator rights and change to the OpenSSL program directory with the following command:
cd "C:\Program Files (x86)\OpenSSL\bin"
The private key can now be created with the following command:
openssl.exe genrsa -out DKIM_Private_Key.key 2048
The public key is then generated with the following command:
openssl.exe rsa -in DKIM_Private_Key.key -out DKIM_Public_Key.public -pubout -outform PEM
There are now two files in the directory: the public key "DKIM_Public_Key.public" and the private key "DKIM_Private_Key.key":
The public key must now be edited so that it can later be published in the DNS. The public key (DKIM_Public_Key.public) currently consists of several lines:
The lines with "-----BEGIN PUBLIC KEY-----" and "-----END PUBLIC KEY-----" are removed:
The line breaks are then removed as well, so that the complete key is on a single line:
Note: Make absolutely sure that no characters of the key are removed, otherwise the key is invalid.
Create DNS entry
For DKIM to work, a corresponding DNS entry must be created. This is a TXT record, similar to the TXT record for SPF.
The TXT record for DKIM is set here using the hosting provider Strato as an example. The DNS settings can be found in the customer center under "Domain management":
New TXT records can be created for the respective domain here:
DKIM TXT records are structured according to the following scheme:
keyselector._domainkey.domain.tld
The "key selector" is a freely selectable name that identifies the DKIM entry, so several DKIM entries can exist side by side. The key selector is included in the header of a DKIM-signed mail, so that a receiving mail server can construct the DNS name from it and look up the corresponding record.
The value of the record contains the following options:
- v=DKIM1 (the DKIM version used)
- k=rsa (the key type, in this case "rsa")
- p=<public key> (the previously generated public key, as a single line)
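The manual editing of the public key and the assembly of the TXT record described above, as an added Python example that is not part of the original article: it strips the BEGIN/END lines and line breaks, checks that the remaining base64 still decodes to an RSA SubjectPublicKeyInfo (so a lost character is caught before the record goes live), builds the DNS name from selector and domain, and splits the value into 255-character strings, which many DNS providers require for a 2048-bit key. The PEM input is a constructed toy key built inline, not the key from the article.

```python
import base64

# OID 1.2.840.113549.1.1.1 (rsaEncryption) as it appears inside the DER encoding
RSA_OID = bytes.fromhex("06092a864886f70d010101")

def pem_to_single_line(pem: str) -> str:
    """Drop the -----BEGIN/END----- lines and all line breaks, as done by hand in the article."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))

def check_rsa_public_key(b64: str) -> None:
    """Fail loudly if a character was lost or changed while editing the key."""
    der = base64.b64decode(b64, validate=True)  # raises on bad length or stray characters
    if der[:1] != b"\x30" or RSA_OID not in der:
        raise ValueError("key is not an RSA SubjectPublicKeyInfo")

def dkim_record(selector: str, domain: str, pem: str) -> tuple[str, str]:
    """Return (DNS name, TXT value) for the DKIM key record."""
    key = pem_to_single_line(pem)
    check_rsa_public_key(key)
    return f"{selector}._domainkey.{domain}", f"v=DKIM1; k=rsa; p={key}"

def split_txt(value: str, limit: int = 255) -> list[str]:
    """Split a long TXT value into <=255-character strings (a 2048-bit key needs two)."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]

# --- constructed sample input: a toy RSA SubjectPublicKeyInfo, not a usable key ---
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _der_int(v: int) -> bytes:
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def sample_pem(n: int = 3233, e: int = 17) -> str:
    """PEM-encode a toy modulus/exponent the way 'openssl rsa -pubout' lays out a real key."""
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))
    spki = _der(0x30, _der(0x30, RSA_OID + b"\x05\x00") + _der(0x03, b"\x00" + rsa_key))
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"
```

Feed the real DKIM_Public_Key.public into dkim_record() and publish the two returned parts as the record name and value.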
At Strato it looks like this:
I have chosen "dkim1" as the selector, so I can simply increase the selectors if necessary.
Once the TXT record has been set, it can be checked directly:
The key selector and the domain are entered on the website, which then performs the check:
The website returns the DNS entry and the result. Here you can see that the name of the DNS entry has been assembled from the selector and the domain:
If the check was successful, the configuration of the Sophos UTM can begin.
Configuration of the Sophos UTM
The configuration of the UTM is done quickly. The DKIM settings can be found under "Email Protection" on the "Advanced" tab:
Under the item "DomainKeys Identified Mail (DKIM)", the private key (DKIM_Private_Key.key) is entered. The private key is pasted in full; unlike the public key, no lines need to be removed.
In the "Key selector" field, enter the selector previously assigned in the DNS entry, in this case "dkim1". This is not the version (the v option in the DNS entry) but the freely selectable name (the selector).
The "DKIM domains" field specifies the domains for which the DKIM header is to be added. If there are several e-mail domains, several domains can be specified here; in that case the DKIM DNS record must also be created for each of the other domains:
Once the settings have been accepted, you can test them.
Test
You can easily test whether the DKIM configuration works by sending an e-mail to the following address:
The service checks the SPF and DKIM settings and informs you of the result.
In this case, the mail is sent via an Exchange server. Exchange must forward outgoing mail to the Internet via the Sophos UTM, because the DKIM signature is only added by the Sophos UTM.
Note: Exchange Server does not include a built-in feature for adding a DKIM signature.
After a short time, an authentication report is sent back, containing the results:
If "DKIM check pass" is displayed in the reply email, the DKIM settings are working.
The DKIM header of the original mail can also be found a little further down in the reply mail. Here you can see the signature that was attached by the UTM:
The reply email also contains a DKIM signature, which is visible in the header:
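As an added example (not part of the original article), the following Python snippet parses a DKIM-Signature header like the one shown in the reply mail, derives the DNS name a verifier would query from the d= and s= tags, and applies two sanity checks worth doing on a UTM-signed mail: the signature must cover the From header, and the selector in the header must be the one configured on the UTM. The header text is constructed, with placeholders instead of real hash and signature values.

```python
import re

# Constructed sample header, folded over several lines as it appears in a raw mail.
# bh= and b= are placeholders, not real hash or signature values.
SAMPLE_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    "\ts=dkim1; h=from:to:subject:date:message-id;\r\n"
    "\tbh=PLACEHOLDER_BODY_HASH=;\r\n"
    "\tb=PLACEHOLDER_SIGNATURE_PART1\r\n"
    "\t PLACEHOLDER_SIGNATURE_PART2=\r\n"
)

def parse_dkim_signature(header: str) -> dict[str, str]:
    """Unfold the header and split its tag=value list (RFC 6376 tag-list syntax)."""
    name, _, body = header.partition(":")
    if name.strip().lower() != "dkim-signature":
        raise ValueError("not a DKIM-Signature header")
    unfolded = re.sub(r"\r?\n[ \t]+", " ", body)  # join folded continuation lines
    tags = {}
    for item in unfolded.split(";"):
        if not item.strip():
            continue
        tag, _, value = item.partition("=")
        # whitespace inside values (notably the folded b= signature) is insignificant
        tags[tag.strip()] = re.sub(r"\s+", "", value)
    return tags

def dkim_dns_name(tags: dict[str, str]) -> str:
    """selector._domainkey.domain: the record the verifier fetches the public key from."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def signed_headers(tags: dict[str, str]) -> list[str]:
    return [h.lower() for h in tags.get("h", "").split(":") if h]

def check_signature_header(tags: dict[str, str], expected_selector: str) -> list[str]:
    """Return a list of findings; an empty list means the header matches the configuration."""
    findings = []
    if tags.get("v") != "1":
        findings.append("unexpected DKIM version")
    if "from" not in signed_headers(tags):
        findings.append("From header is not covered by the signature")
    if tags.get("s") != expected_selector:
        findings.append(f"selector {tags.get('s')!r} differs from configured {expected_selector!r}")
    if not tags.get("b"):
        findings.append("empty signature value")
    return findings
```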