Configuring for DKIM Signing
- 1 Zimbra Server with DKIM Signing
- 1.1 The zmdkimkeyutil utility
- 1.2 Updating DNS
- 1.3 2048-bit signatures starting ZCS 8.7.x
- 1.4 DKIM and outbound email
Zimbra Server with DKIM Signing
DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message that is in transit. The organization is a handler of the message, either as its originator or as an intermediary. Their reputation is the basis for evaluating whether to trust the message for further handling, such as delivery. Technically DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication
Starting with Zimbra 8.0, the ability to add DKIM signing to outgoing mail is available. Signing is done at the domain level, including alias domains. Setting up signing consists of two steps:
- Running zmdkimkeyutil to generate the DKIM keys and selector. The generated data is stored in the LDAP server as part of the domain LDAP entry.
- Updating the DNS server with the public DNS entry
The zmdkimkeyutility should be run on an MTA server.
The zmdkimkeyutil utility
The zmdkimkeyutil script allows you to do the following:
- Add DKIM data to a domain that does not currently have DKIM enabled
- Update DKIM data for a domain that already has DKIM enabled
- Query the DKIM data for a domain
- Remove the DKIM data for a domain
The domain "example.com" will be used throughout this wiki. Substitute it with your domain.
Adding DKIM data to a domain with no existing DKIM configuration
/opt/zimbra/libexec/zmdkimkeyutil -a -d example.com
After the data is generated, the public DNS record data that must be added for the domain to your DNS server will be displayed:
firstname.lastname@example.org:~$ /opt/zimbra/libexec/zmdkimkeyutil -a -d example.com DKIM Data added to LDAP for domain example.com with selector 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB Public key to enter into DNS: 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB._domainkey IN TXT "v=DKIM1;=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDY5CBg15nZ2vYnRmrNub6Jn6ghQ2DXQbQgOJ/E5IGziUYEuE2OnxkBm1h3jived21uHjpNy0naOZjLj0xLyyjclVy1chrhSbsGAhe8HLXUsdXyfRvNTq8NWLsUnMEsoomtJCJ /6LYWYU1whOQ9oKZVAwWHSovAWZpByqNMZmFg7QIDAQAB" ; ----- DKIM 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB for example.com
Updating DKIM data for a domain
/opt/zimbra/libexec/zmdkimkeyutil -u -d example.com
When the DKIM keys are updated, the DNS server will need to be reloaded with the new TXT record. It is advised to leave the previous TXT record in DNS for a period of time to allow verification of emails that were signed with the previous key to continue to succeed.
Removing DKIM data for a domain
/opt/zimbra/libexec/zmdkimkeyutil -r -d example.com
This command deletes the DKIM data from LDAP. New emails will no longer be signed for the domain. The DNS TXT record should remain for a period of time to allow verification of emails signed with this key.
Retrieving the stored DKIM data for a domain
/opt/zimbra/libexec/zmdkimkeyutil -q -d example.com
This command will output all the stored DKIM information, specifically
DKIM Domain DKIM Selector DKIM Private Key DKIM Public Signature DKIM Identity
- The public key DNS record should appear as a TXT resource record at:
SELECTOR._domainkey.DOMAIN The Selector is the first portion of the output from zmdkimkeyutil In the above example, it is 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB
- Once you have added the record to your nameserver, reload DNS.
- Verify that the DNS server is returning the DNS record.
dig -t txt SELECTOR._domainkey.DOMAIN NAMESERVER Example: dig -t txt 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB._domainkey.example.com ns.example.com
- If the key is retrieved correctly, then use opendkim-testkey script, you can find it for 8.6 and below here /opt/zimbra/opendkim/sbin/opendkim-testkey and starting ZCS 8.7 and above here /opt/zimbra/common/sbin/opendkim-testkey to verify that the public key matches the private key.
/opt/zimbra/common/sbin/opendkim-testkey -d example.com -s 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB -x /opt/zimbra/conf/opendkim.conf
If you get this error:
opendkim-testkey: /opt/zimbra/conf/opendkim.conf: configuration error at line 0
You have /opt/zimbra/conf/opendkim.conf missing.
To get it, enable opendkim service issuimg:
zmprov ms `zmhostname` +zimbraServiceEnabled opendkim ./libexec/configrewrite opendkim
Revoking a DKIM key in DNS
If it becomes necessary to revoke a DKIM signing key, this can be easily done in DNS by using an empty "p=" tag in the TXT record.
2048-bit signatures starting ZCS 8.7.x
Starting ZCS 8.7.x Zimbra generates a 2048-bit key, after run the next command (remember the -a for the first time, and -u it's just for update the DKIM entry):
/opt/zimbra/libexec/zmdkimkeyutil -a -d yourdomain.com
You will observe something like the next (with your own information):
DKIM Data added to LDAP for domain zimbra.io with selector 25D766CE-CEAC-11E7-B087-020B6DB9DD9A Public signature to enter into DNS: 25D766CE-CEAC-11E7-B087-020B6DB9DD9A._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwA4vVMiV3/14hRMzbKNnBKNThqxTWLi2E5NqqHLccIJg/P33yqwgGVKKUM9HFfXZ8urz6/dl8oNG3oxs73W1sgWHrFRo3ZayHsuUMe+DLyt8wtyR/RUae0nvd6Z6t0lPwujXWBrRS/FeMg/IGA8ExBKjD+aAYdQfH/lhlDGzumTXgbSB0KMzlpOjcum2Aes69rEiR744GGaPb2" "X3MxK8vjpeMIx16n2tADb0wKKP19WTF0at5HCP8F4SFflLUPJMOC1Be9FCWjTjNr1qrRZTwCwC7OC9tnV7SsKKXG+8D6hu39Tm5U1GLzpKvLMIv14b6MWsU9cV/iVKH+hQq4YRowIDAQAB" ) ; ----- DKIM key 25D766CE-CEAC-11E7-B087-020B6DB9DD9A for zimbra.io
By default, DNS Servers only accepts 255 characters on every TXT entry, so depending on the DNS Server you are using you will need to do one of the next:
- On cPanel UI it's as easy at creating one new TXT entry with the selector, and on the value all together like "v=DKIM1; k=rsa; p=ALL-THE-CODE-"
- If using old version of Bind, or other DNS Server based in CLI, you can try by adding the DNS entry on the next format:
25D766CE-CEAC-11E7-B087-020B6DB9DD9A._domainkey IN TXT ("v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w..." 25D766CE-CEAC-11E7-B087-020B6DB9DD9A._domainkey IN TXT "...AQAB")
- Another way some DNS Servers might work are the next one:
25D766CE-CEAC-11E7-B087-020B6DB9DD9A._domainkey IN TXT ("v=DKIM1;k=rsa; p=" "MIIBIjANBgkqhkiG9w..." "...AQAB")
How to check that you have a valid DKIM signature
You can check if you have a valid DKIM by using for example the next URL - http://dkimcore.org/tools/keycheck.html : Introduce your selector and your domain and click on check
After a few seconds you will see the result:
DKIM and outbound email
By default with DKIM enabled outbound email submitted via logged in users will be converted from 8 bit to 7 bit with Content Transfer Encoding quoted-printable. This is done to prevent a bad DKIM signature along the path should another server be unable to handle Content-Transfer-Encoding of 8bit. If a message is signed as DKIM and sent 8 bit and then converted to 7 bit, DKIM will fail. By preforming this conversion for your users, Zimbra ensures a valid DKIM signature.
This has the disadvantage of munging the content of users message body. Mailing lists and PGP/GPG users will find quoted-printable encoding to break the expected behaviors of email. This page on amavisd has a detailed explication of the problem.
Should you wish to have the message body preserved as 8 bit at the risk of a bad DKIM signature the following should be changed in /opt/zimbra/conf/amavisd.conf.in:
in the ORIGINATING and ORIGINATING_POST policies change: %%uncomment SERVICE:opendkim%% smtpd_discard_ehlo_keywords => ['8BITMIME'], to: %%uncomment SERVICE:opendkim%% smtpd_discard_ehlo_keywords => , This is in two places in the /opt/zimbra/conf/amavisd.conf.in file.
do a 'zmamavisdctl restart' and verify the service is sending 8BITMIME in the ehlo response
$ telnet 127.0.0.1 10026 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. 220 [127.0.0.1] ESMTP amavisd-new service ready ehlo zimbra.co 250-[127.0.0.1] 250-VRFY 250-PIPELINING 250-SIZE 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-SMTPUTF8 250-DSN 250 XFORWARD NAME ADDR PORT PROTO HELO IDENT SOURCE