Configuring for DKIM Signing: Difference between revisions

No edit summary
(19 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{ZC}}{{Article Infobox|{{admin}}|{{ZCS 8.0}}||}}=Zimbra Server with DKIM Signing=
{{BC|Certified}}
__FORCETOC__
<div class="col-md-12 ibox-content">
=Zimbra Server with DKIM Signing=
{{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 8.7}}|{{ZCS 8.6}}}}


DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message that is in transit.  The organization is a handler of the message, either as its originator or as an intermediary. Their reputation is the basis for evaluating whether to trust the message for further handling, such as delivery. Technically DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication
DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message that is in transit.  The organization is a handler of the message, either as its originator or as an intermediary. Their reputation is the basis for evaluating whether to trust the message for further handling, such as delivery. Technically DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication


= Configuring ZCS for DKIM signing =
Starting with Zimbra 8.0, the ability to add DKIM signing to outgoing mail is available.  Signing is done at the domain level, including alias domains.  Setting up signing consists of two steps:
 
Starting with Zimbra 8.0, the ability to add DKIM signing to outgoing mail is available.  Signing is done at the domain level.  Setting up signing consists of two steps:


# Running '''zmdkimkeyutil''' to generate the DKIM keys and selector.  The generated data is stored in the LDAP server as part of the domain LDAP entry.
# Running '''zmdkimkeyutil''' to generate the DKIM keys and selector.  The generated data is stored in the LDAP server as part of the domain LDAP entry.
# Updating the DNS server with the public DNS entry
# Updating the DNS server with the public DNS entry
The zmdkimkeyutility should be run on an MTA server.


== The zmdkimkeyutil utility ==
== The zmdkimkeyutil utility ==
Line 18: Line 22:
# Query the DKIM data for a domain
# Query the DKIM data for a domain
# Remove the DKIM data for a domain
# Remove the DKIM data for a domain
The domain "example.com" will be used throughout this wiki.  Substitute it with your domain.


=== Adding DKIM data to a domain with no existing DKIM configuration ===
=== Adding DKIM data to a domain with no existing DKIM configuration ===
   /opt/zimbra/libexec/zmdkimkeyutil -a -d example.com
   /opt/zimbra/libexec/zmdkimkeyutil -a -d example.com
After the data is generated, the public DNS record data that must be added for the domain to your DNS server will be displayed:
  zimbra@example.com:~$ /opt/zimbra/libexec/zmdkimkeyutil -a -d example.com
  DKIM Data added to LDAP for domain example.com with selector 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB
  Public key to enter into DNS:
  0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB._domainkey IN TXT "v=DKIM1;=rsa;
  p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDY5CBg15nZ2vYnRmrNub6Jn6ghQ2DXQbQgOJ/E5IGziUYEuE2OnxkBm1h3jived21uHjpNy0naOZjLj0xLyyjclVy1chrhSbsGAhe8HLXUsdXyfRvNTq8NWLsUnMEsoomtJCJ
  /6LYWYU1whOQ9oKZVAwWHSovAWZpByqNMZmFg7QIDAQAB" ; ----- DKIM 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB for example.com
=== Updating DKIM data for a domain ===
  /opt/zimbra/libexec/zmdkimkeyutil -u -d example.com
When the DKIM keys are updated, the DNS server will need to be reloaded with the new TXT record.  It is advised to leave the previous TXT record in DNS for a period of time to allow verification of emails that were signed with the previous key to continue to succeed.
=== Removing DKIM data for a domain ===
  /opt/zimbra/libexec/zmdkimkeyutil -r -d example.com
This command deletes the DKIM data from LDAP.  New emails will no longer be signed for the domain.  The DNS TXT record should remain for a period of time to allow verification of emails signed with this key.
=== Retrieving the stored DKIM data for a domain ===
  /opt/zimbra/libexec/zmdkimkeyutil -q -d example.com
This command will output all the stored DKIM information, specifically
  DKIM Domain
  DKIM Selector
  DKIM Private Key
  DKIM Public Signature
  DKIM Identity
== Updating DNS ==
# The public key DNS record should appear as a TXT resource record at:
SELECTOR._domainkey.DOMAIN
The Selector is the first portion of the output from '''zmdkimkeyutil''' In the above example, it is 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB
# Once you have added the record to your nameserver, reload DNS.
# Verify that the DNS server is returning the DNS record.
  dig -t txt SELECTOR._domainkey.DOMAIN NAMESERVER
  Example:
  dig -t txt 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB._domainkey.example.com ns.example.com
# If the key is retrieved correctly, then use '''/opt/zimbra/opendkim/sbin/opendkim-testkey''' to verify that the public key matches the private key.
  '''/opt/zimbra/opendkim/sbin/opendkim-testkey -d example.com -s 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB -x /opt/zimbra/conf/opendkim.conf'''
If you get this error:
opendkim-testkey: /opt/zimbra/conf/opendkim.conf: configuration error at line 0
You have /opt/zimbra/conf/opendkim.conf missing.
To get it, enable opendkim service issuimg:
zmprov ms `zmhostname` +zimbraServiceEnabled opendkim
./libexec/configrewrite opendkim
=== Revoking a DKIM key in DNS ===
If it becomes necessary to revoke a DKIM signing key, this can be easily done in DNS by using an empty "p=" tag in the TXT record.
==2048-bit signatures starting ZCS 8.7.x==
Starting ZCS 8.7.x Zimbra generates a 2048-bit key, after run the next command (remember the -a for the first time, and -u it's just for update the DKIM entry):
/opt/zimbra/libexec/zmdkimkeyutil -a -d yourdomain.com
You will observe something like the next (with your own information):
<pre>DKIM Data added to LDAP for domain zimbra.io with selector 25D766CE-CEAC-11E7-B087-020B6DB9DD9A
Public signature to enter into DNS:
25D766CE-CEAC-11E7-B087-020B6DB9DD9A._domainkey IN      TXT    ( "v=DKIM1; k=rsa; "
          "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwA4vVMiV3/14hRMzbKNnBKNThqxTWLi2E5NqqHLccIJg/P33yqwgGVKKUM9HFfXZ8urz6/dl8oNG3oxs73W1sgWHrFRo3ZayHsuUMe+DLyt8wtyR/RUae0nvd6Z6t0lPwujXWBrRS/FeMg/IGA8ExBKjD+aAYdQfH/lhlDGzumTXgbSB0KMzlpOjcum2Aes69rEiR744GGaPb2"
          "X3MxK8vjpeMIx16n2tADb0wKKP19WTF0at5HCP8F4SFflLUPJMOC1Be9FCWjTjNr1qrRZTwCwC7OC9tnV7SsKKXG+8D6hu39Tm5U1GLzpKvLMIv14b6MWsU9cV/iVKH+hQq4YRowIDAQAB" )  ; ----- DKIM key 25D766CE-CEAC-11E7-B087-020B6DB9DD9A for zimbra.io</pre>
By default, DNS Servers only accepts 255 characters on every TXT entry, so depending on the DNS Server you are using you will need to do one of the next:
* On cPanel UI it's as easy at creating one new TXT entry with the selector, and on the value all together like "v=DKIM1; k=rsa; p=ALL-THE-CODE-"
[[File:Dkim-2048.png]]
* If using old version of Bind, or other DNS Server based in CLI, you can try by adding the DNS entry on the next format:
25D766CE-CEAC-11E7-B087-020B6DB9DD9A._domainkey    IN    TXT    ("v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w..."
25D766CE-CEAC-11E7-B087-020B6DB9DD9A._domainkey    IN    TXT    "...AQAB")
* Another way some DNS Servers might work are the next one:
25D766CE-CEAC-11E7-B087-020B6DB9DD9A._domainkey IN      TXT    ("v=DKIM1;k=rsa; p="
"MIIBIjANBgkqhkiG9w..."
"...AQAB")   
===How to check that you have a valid DKIM signature===
You can check if you have a valid DKIM by using for example the next URL - http://dkimcore.org/tools/keycheck.html :
Introduce your selector and your domain and click on check
[[File:Dkim-2048-001.png]]
After a few seconds you will see the result:
[[File:Dkim-2048-002.png]]
{{Article Footer|ZCS 8.x |05/03/2012}}
[[Category:Administration]]
[[Category:Command Line Interface]]
[[Category:DNS]]
[[Category:Certified]]

Revision as of 22:31, 5 December 2017

Zimbra Server with DKIM Signing

   KB 16319        Last updated on 2017-12-5  




0.00
(0 votes)

DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message that is in transit. The organization is a handler of the message, either as its originator or as an intermediary. Their reputation is the basis for evaluating whether to trust the message for further handling, such as delivery. Technically DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication

Starting with Zimbra 8.0, the ability to add DKIM signing to outgoing mail is available. Signing is done at the domain level, including alias domains. Setting up signing consists of two steps:

  1. Running zmdkimkeyutil to generate the DKIM keys and selector. The generated data is stored in the LDAP server as part of the domain LDAP entry.
  2. Updating the DNS server with the public DNS entry

The zmdkimkeyutility should be run on an MTA server.

The zmdkimkeyutil utility

The zmdkimkeyutil script allows you to do the following:

  1. Add DKIM data to a domain that does not currently have DKIM enabled
  2. Update DKIM data for a domain that already has DKIM enabled
  3. Query the DKIM data for a domain
  4. Remove the DKIM data for a domain

The domain "example.com" will be used throughout this wiki. Substitute it with your domain.

Adding DKIM data to a domain with no existing DKIM configuration

 /opt/zimbra/libexec/zmdkimkeyutil -a -d example.com

After the data is generated, the public DNS record data that must be added for the domain to your DNS server will be displayed:

 zimbra@example.com:~$ /opt/zimbra/libexec/zmdkimkeyutil -a -d example.com
 DKIM Data added to LDAP for domain example.com with selector 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB
 Public key to enter into DNS:
 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB._domainkey IN TXT "v=DKIM1;=rsa;
 p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDY5CBg15nZ2vYnRmrNub6Jn6ghQ2DXQbQgOJ/E5IGziUYEuE2OnxkBm1h3jived21uHjpNy0naOZjLj0xLyyjclVy1chrhSbsGAhe8HLXUsdXyfRvNTq8NWLsUnMEsoomtJCJ
 /6LYWYU1whOQ9oKZVAwWHSovAWZpByqNMZmFg7QIDAQAB" ; ----- DKIM 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB for example.com

Updating DKIM data for a domain

 /opt/zimbra/libexec/zmdkimkeyutil -u -d example.com

When the DKIM keys are updated, the DNS server will need to be reloaded with the new TXT record. It is advised to leave the previous TXT record in DNS for a period of time to allow verification of emails that were signed with the previous key to continue to succeed.

Removing DKIM data for a domain

 /opt/zimbra/libexec/zmdkimkeyutil -r -d example.com

This command deletes the DKIM data from LDAP. New emails will no longer be signed for the domain. The DNS TXT record should remain for a period of time to allow verification of emails signed with this key.

Retrieving the stored DKIM data for a domain

 /opt/zimbra/libexec/zmdkimkeyutil -q -d example.com

This command will output all the stored DKIM information, specifically

 DKIM Domain
 DKIM Selector
 DKIM Private Key
 DKIM Public Signature
 DKIM Identity

Updating DNS

  1. The public key DNS record should appear as a TXT resource record at:
SELECTOR._domainkey.DOMAIN
The Selector is the first portion of the output from zmdkimkeyutil In the above example, it is 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB
  1. Once you have added the record to your nameserver, reload DNS.
  2. Verify that the DNS server is returning the DNS record.
 dig -t txt SELECTOR._domainkey.DOMAIN NAMESERVER
 Example:
 dig -t txt 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB._domainkey.example.com ns.example.com
  1. If the key is retrieved correctly, then use /opt/zimbra/opendkim/sbin/opendkim-testkey to verify that the public key matches the private key.
 /opt/zimbra/opendkim/sbin/opendkim-testkey -d example.com -s 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB -x /opt/zimbra/conf/opendkim.conf

If you get this error:

opendkim-testkey: /opt/zimbra/conf/opendkim.conf: configuration error at line 0

You have /opt/zimbra/conf/opendkim.conf missing.

To get it, enable opendkim service issuimg:

zmprov ms `zmhostname` +zimbraServiceEnabled opendkim
./libexec/configrewrite opendkim

Revoking a DKIM key in DNS

If it becomes necessary to revoke a DKIM signing key, this can be easily done in DNS by using an empty "p=" tag in the TXT record.

2048-bit signatures starting ZCS 8.7.x

Starting ZCS 8.7.x Zimbra generates a 2048-bit key, after run the next command (remember the -a for the first time, and -u it's just for update the DKIM entry):

/opt/zimbra/libexec/zmdkimkeyutil -a -d yourdomain.com

You will observe something like the next (with your own information):

DKIM Data added to LDAP for domain zimbra.io with selector 25D766CE-CEAC-11E7-B087-020B6DB9DD9A
Public signature to enter into DNS:
25D766CE-CEAC-11E7-B087-020B6DB9DD9A._domainkey IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwA4vVMiV3/14hRMzbKNnBKNThqxTWLi2E5NqqHLccIJg/P33yqwgGVKKUM9HFfXZ8urz6/dl8oNG3oxs73W1sgWHrFRo3ZayHsuUMe+DLyt8wtyR/RUae0nvd6Z6t0lPwujXWBrRS/FeMg/IGA8ExBKjD+aAYdQfH/lhlDGzumTXgbSB0KMzlpOjcum2Aes69rEiR744GGaPb2"
          "X3MxK8vjpeMIx16n2tADb0wKKP19WTF0at5HCP8F4SFflLUPJMOC1Be9FCWjTjNr1qrRZTwCwC7OC9tnV7SsKKXG+8D6hu39Tm5U1GLzpKvLMIv14b6MWsU9cV/iVKH+hQq4YRowIDAQAB" )  ; ----- DKIM key 25D766CE-CEAC-11E7-B087-020B6DB9DD9A for zimbra.io

By default, DNS Servers only accepts 255 characters on every TXT entry, so depending on the DNS Server you are using you will need to do one of the next:

  • On cPanel UI it's as easy at creating one new TXT entry with the selector, and on the value all together like "v=DKIM1; k=rsa; p=ALL-THE-CODE-"

Dkim-2048.png

  • If using old version of Bind, or other DNS Server based in CLI, you can try by adding the DNS entry on the next format:
25D766CE-CEAC-11E7-B087-020B6DB9DD9A._domainkey    IN    TXT    ("v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w..."
25D766CE-CEAC-11E7-B087-020B6DB9DD9A._domainkey    IN    TXT    "...AQAB")
  • Another way some DNS Servers might work are the next one:
25D766CE-CEAC-11E7-B087-020B6DB9DD9A._domainkey IN      TXT     ("v=DKIM1;k=rsa; p="
"MIIBIjANBgkqhkiG9w..."
"...AQAB")    

How to check that you have a valid DKIM signature

You can check if you have a valid DKIM by using for example the next URL - http://dkimcore.org/tools/keycheck.html : Introduce your selector and your domain and click on check

Dkim-2048-001.png

After a few seconds you will see the result:

Dkim-2048-002.png


Verified Against: ZCS 8.x Date Created: 05/03/2012
Article ID: https://wiki.zimbra.com/index.php?title=Configuring_for_DKIM_Signing Date Modified: 2017-12-05



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »

Jump to: navigation, search