Configuring for DKIM Signing

Revision as of 23:53, 3 May 2012

Admin Article

Article Information

This article applies to the following ZCS versions: ZCS 8.0

Zimbra Server with DKIM Signing

DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message that is in transit. The organization is a handler of the message, either as its originator or as an intermediary, and its reputation is the basis for evaluating whether to trust the message for further handling, such as delivery. Technically, DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.

Configuring ZCS for DKIM signing

Starting with Zimbra 8.0, the ability to add DKIM signing to outgoing mail is available. Signing is done at the domain level. Setting up signing consists of two steps:

  1. Running zmdkimkeyutil to generate the DKIM keys and selector. The generated data is stored in the LDAP server as part of the domain LDAP entry.
  2. Updating the DNS server with the public DNS entry.

The zmdkimkeyutil utility

The zmdkimkeyutil script allows you to do the following:

  1. Add DKIM data to a domain that does not currently have DKIM enabled
  2. Update DKIM data for a domain that already has DKIM enabled
  3. Query the DKIM data for a domain
  4. Remove the DKIM data for a domain

The domain "example.com" will be used throughout this wiki. Substitute it with your domain.

Adding DKIM data to a domain with no existing DKIM configuration

 /opt/zimbra/libexec/zmdkimkeyutil -a -d example.com

After the data is generated, the utility prints the public DNS record that must be added to your DNS server for the domain:

 zimbra@example.com:~$ /opt/zimbra/libexec/zmdkimkeyutil -a -d example.com
 DKIM Data added to LDAP for domain example.com with selector 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB
 Public key to enter into DNS:
 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB._domainkey IN TXT "v=DKIM1;k=rsa;
 p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDY5CBg15nZ2vYnRmrNub6Jn6ghQ2DXQbQgOJ/E5IGziUYEuE2OnxkBm1h3jived21uHjpNy0naOZjLj0xLyyjclVy1chrhSbsGAhe8HLXUsdXyfRvNTq8NWLsUnMEsoomtJCJ
 /6LYWYU1whOQ9oKZVAwWHSovAWZpByqNMZmFg7QIDAQAB" ; ----- DKIM 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB for example.com

Updating DKIM data for a domain

 /opt/zimbra/libexec/zmdkimkeyutil -u -d example.com

Removing DKIM data for a domain

 /opt/zimbra/libexec/zmdkimkeyutil -r -d example.com

Retrieving the stored DKIM data for a domain

 /opt/zimbra/libexec/zmdkimkeyutil -q -d example.com
Updating DNS

  1. The public key DNS record should appear as a TXT resource record at:
      SELECTOR._domainkey.DOMAIN
     The selector is the first portion of the output from zmdkimkeyutil. In the above example, it is 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB.
  2. Once you have added the record to your nameserver, reload DNS.
  3. Verify that the DNS server is returning the DNS record (the @ directs dig at that nameserver):
      dig -t txt SELECTOR._domainkey.DOMAIN @NAMESERVER
     Example:
      dig -t txt 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB._domainkey.example.com @ns.example.com
  4. If the key is retrieved correctly, then use /opt/zimbra/opendkim/bin/opendkim-testkey to verify that the public key matches the private key:
      /opt/zimbra/opendkim/bin/opendkim-testkey -d example.com -s 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB

   BIND servers have a 256 byte limit on serving TXT records, so a 1024 bit RSA key is recommended if using BIND as your primary DNS server. See section on LARGE KEYS.
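As an added check that is not part of Zimbra or OpenDKIM, the following Python script validates the TXT value printed by zmdkimkeyutil before it is published: it parses the tag list, walks the DER of the p= key to confirm it is an RSA key of the expected size, and reports whether the value fits in a single 255-octet TXT character-string (the RFC 1035 limit behind the BIND note above) or must be split into several quoted strings. The sample record is the one from the zmdkimkeyutil output above, joined onto one line; the check_record and txt_strings names are this example's own.

```python
import base64
# Constructed sample: the TXT value zmdkimkeyutil printed above, joined onto one line.
SAMPLE_TXT = (
    "v=DKIM1;k=rsa;"
    "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDY5CBg15nZ2vYnRmrNub6Jn6ghQ2DXQbQgOJ"
    "/E5IGziUYEuE2OnxkBm1h3jived21uHjpNy0naOZjLj0xLyyjclVy1chrhSbsGAhe8HLXUsdXyfRvNTq8NWLsUnMEsoomtJCJ"
    "/6LYWYU1whOQ9oKZVAwWHSovAWZpByqNMZmFg7QIDAQAB"
)
TXT_STRING_LIMIT = 255  # largest single <character-string> in TXT RDATA (RFC 1035)

def parse_dkim_record(txt):  # RFC 6376 tag list "tag=value;..." -> dict, whitespace stripped
    pairs = (part.partition("=") for part in txt.split(";") if "=" in part)
    return {key.strip(): "".join(value.split()) for key, _, value in pairs}

def _der_tlv(buf, i, tag):  # DER TLV at buf[i]: return (content length, content offset)
    if buf[i] != tag:
        raise ValueError("expected DER tag 0x%02x at offset %d" % (tag, i))
    n = buf[i + 1]
    if n < 0x80:
        return n, i + 2  # short-form length
    k = n & 0x7F  # long-form: the next k octets hold the length
    return int.from_bytes(buf[i + 2:i + 2 + k], "big"), i + 2 + k

def rsa_modulus_bits(p_value):  # SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey -> n
    der = base64.b64decode(p_value)
    _, i = _der_tlv(der, 0, 0x30)              # SubjectPublicKeyInfo SEQUENCE
    alg_len, i = _der_tlv(der, i, 0x30)        # AlgorithmIdentifier SEQUENCE, skipped whole
    _, i = _der_tlv(der, i + alg_len, 0x03)    # BIT STRING wrapping RSAPublicKey
    _, i = _der_tlv(der, i + 1, 0x30)          # +1 skips the "unused bits" octet
    n_len, i = _der_tlv(der, i, 0x02)          # INTEGER modulus n
    return int.from_bytes(der[i:i + n_len], "big").bit_length()

def txt_strings(txt, limit=TXT_STRING_LIMIT):  # one chunk means no split is needed
    return [txt[i:i + limit] for i in range(0, len(txt), limit)]

def check_record(txt):  # returns a list of problems; empty means safe to publish
    tags, problems = parse_dkim_record(txt), []
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        problems.append("missing or non-RSA public key: an empty p tag revokes the selector")
    else:
        try:
            bits = rsa_modulus_bits(tags["p"])
            if bits < 1024:
                problems.append("RSA modulus is only %d bits" % bits)
        except (ValueError, IndexError) as exc:
            problems.append("p tag is not a valid RSA public key: %s" % exc)
    if len(txt) > TXT_STRING_LIMIT:
        problems.append("%d bytes: publish as %d quoted strings" % (len(txt), len(txt_strings(txt))))
    return problems
```

The same check can be run on the value dig returns (concatenate its quoted strings first) to confirm the published record is the one that was generated.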