Configuring for DKIM Signing

Zimbra Server with DKIM Signing

   KB 16319        Last updated on 2022-02-21  





DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message that is in transit. The organization is a handler of the message, either as its originator or as an intermediary, and its reputation is the basis for deciding whether to trust the message for further handling, such as delivery. Technically, DKIM provides a method for validating a domain name identity associated with a message through cryptographic authentication: the signing domain publishes a public key in DNS and signs selected headers and the body hash with the matching private key.

Starting with Zimbra 8.0, the ability to add DKIM signing to outgoing mail is available. Signing is done at the domain level, including alias domains. Setting up signing consists of two steps:

  1. Running zmdkimkeyutil to generate the DKIM keys and selector. The generated data is stored in the LDAP server as part of the domain LDAP entry.
  2. Publishing the generated public key as a TXT record at SELECTOR._domainkey.DOMAIN on your DNS server

The zmdkimkeyutil utility should be run on an MTA server, as the zimbra user.

The zmdkimkeyutil utility

The zmdkimkeyutil script allows you to do the following:

  1. Add DKIM data to a domain that does not currently have DKIM enabled
  2. Update DKIM data for a domain that already has DKIM enabled
  3. Query the DKIM data for a domain
  4. Remove the DKIM data for a domain

The domain "example.com" will be used throughout this wiki. Substitute it with your domain.

Adding DKIM data to a domain with no existing DKIM configuration

 /opt/zimbra/libexec/zmdkimkeyutil -a -d example.com

After the key pair is generated and stored in LDAP, the public key TXT record that must be added to your DNS server for the domain is displayed:

 zimbra@example.com:~$ /opt/zimbra/libexec/zmdkimkeyutil -a -d example.com
 DKIM Data added to LDAP for domain example.com with selector 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB
 Public key to enter into DNS:
 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB._domainkey IN TXT "v=DKIM1; k=rsa;
 p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDY5CBg15nZ2vYnRmrNub6Jn6ghQ2DXQbQgOJ/E5IGziUYEuE2OnxkBm1h3jived21uHjpNy0naOZjLj0xLyyjclVy1chrhSbsGAhe8HLXUsdXyfRvNTq8NWLsUnMEsoomtJCJ
 /6LYWYU1whOQ9oKZVAwWHSovAWZpByqNMZmFg7QIDAQAB" ; ----- DKIM 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB for example.com

Updating DKIM data for a domain

 /opt/zimbra/libexec/zmdkimkeyutil -u -d example.com

When the DKIM keys are updated, the DNS server will need to be reloaded with the new TXT record. It is advised to leave the previous TXT record in DNS for a period of time to allow verification of emails that were signed with the previous key to continue to succeed.

Removing DKIM data for a domain

 /opt/zimbra/libexec/zmdkimkeyutil -r -d example.com

This command deletes the DKIM data from LDAP. New emails will no longer be signed for the domain. The DNS TXT record should remain for a period of time to allow verification of emails signed with this key.

Retrieving the stored DKIM data for a domain

 /opt/zimbra/libexec/zmdkimkeyutil -q -d example.com

This command outputs all the stored DKIM information, specifically:

 DKIM Domain
 DKIM Selector
 DKIM Private Key
 DKIM Public Signature
 DKIM Identity

Updating DNS

  1. The public key DNS record should appear as a TXT resource record at:
 SELECTOR._domainkey.DOMAIN
 The selector is the first portion of the output from zmdkimkeyutil. In the above example, it is 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB.
  2. Once you have added the record to your nameserver, reload DNS.
  3. Verify that the DNS server is returning the record:
 dig txt SELECTOR._domainkey.DOMAIN @NAMESERVER
 Example:
 dig txt 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB._domainkey.example.com @ns.example.com
  4. If the record is retrieved correctly, use opendkim-testkey to verify that the public key published in DNS matches the private key stored in LDAP. The script is at /opt/zimbra/opendkim/sbin/opendkim-testkey on ZCS 8.6 and earlier and at /opt/zimbra/common/sbin/opendkim-testkey on ZCS 8.7 and later. It looks the key up in DNS, so run it on the MTA host after the record has been published and the resolver the host uses can see it:
 /opt/zimbra/common/sbin/opendkim-testkey -d example.com -s 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB -x /opt/zimbra/conf/opendkim.conf

If you get this error:

opendkim-testkey: /opt/zimbra/conf/opendkim.conf: configuration error at line 0

then /opt/zimbra/conf/opendkim.conf is missing. Create it by enabling the opendkim service on the MTA host and regenerating its configuration, as the zimbra user:

zmprov ms `zmhostname` +zimbraServiceEnabled opendkim
/opt/zimbra/libexec/configrewrite opendkim

Example for BIND (one TXT record per selector, the data split into quoted strings inside parentheses):
 D4772146-9320-11EC-8658-9E8B906C0A18._domainkey.zimbra.tech.	IN	TXT	( "v=DKIM1; k=rsa; ""p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxD5hbmaSy+gicvjBnApxJV0xW759uF86jNVnzQeFXtEPQVHaEx2o4YEXzGFwJHnQrR4bMRQUHoJOwScANwor/Oa2UsXnu+IcornHM2yLd/7TsTUJA5MlMr4s0mN9B17FSFCEFnimpv8p6r03n+G29xNx4kaL/eEdjh1v6oV8O25liTsWRQEgtHCHdAZuyoJSYqsYM12m+aYRZY"
 "h3s+IA9Y2JAH8d1wMACK7oo5C3M+la8MmAMmP7+Bc1dPS4/djSfqn9BOlSuNAK/mf+IlmLvErMIiThjEVkLZk8w1hPf2Fy8JM/JqeFBOln2+t/jlSVRUJtNyb+V2Lcod90KvNBFwIDAQAB" )  ; ----- DKIM key D4772146-9320-11EC-8658-9E8B906C0A18 for zimbra.tech
 78E065D4-9322-11EC-8E14-CEC2906C0A18._domainkey.mail.zimbra.tech.	IN	TXT	( "v=DKIM1; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArgK7jKsXeBNoJUBXTJqVwTnJsSjxnnC/1+ylmMpJQYfi9qRyy99LxXB4SLyYYI84Gs3ZJBTV1uJQradgHWA04hkFA/JSGL558F+jhWQDovhcvGjZ3TCCvQAofIkleV5K8Ki6Rq//B+cY436vqyW44JTGVBJasepKkRUPDxcFEK5fjUIm034eRHpIHUDB25xte74QEVr6qpQFjU" 
 "p8U9H+Y/IsIsp4+Kk3oQIUKkGOoeom/xbamXXaaJPwW+WoQv4X25IecqTtzJH2k8fDuburCA6alzwkFms6WKEOlVak3N2SvlDkEr4xR10TtQhEGKdZKFQNK4X/NjbLAcx4lyGkbQIDAQAB" )  ; ----- DKIM key 78E065D4-9322-11EC-8E14-CEC2906C0A18 for mail.zimbra.tech


Revoking a DKIM key in DNS

If it becomes necessary to revoke a DKIM signing key, this can be done in DNS by publishing the selector's TXT record with an empty "p=" tag, i.e. "v=DKIM1; k=rsa; p=". RFC 6376 (section 3.6.1) defines an empty p= as "this public key has been revoked", so verifiers return an explicit key-revoked failure for signatures made with that key. Remove or replace the key on the server as well (zmdkimkeyutil -r or -u) so that no new mail is signed with it.

2048-bit signatures starting ZCS 8.7.x

Starting with ZCS 8.7.x, zmdkimkeyutil generates a 2048-bit key. Run the following command (use -a the first time and -u to update an existing DKIM entry):

/opt/zimbra/libexec/zmdkimkeyutil -a -d yourdomain.com

The output looks like this, with your own domain and selector:

DKIM Data added to LDAP for domain zimbra.io with selector 25D766CE-CEAC-11E7-B087-020B6DB9DD9A
Public signature to enter into DNS:
25D766CE-CEAC-11E7-B087-020B6DB9DD9A._domainkey IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwA4vVMiV3/14hRMzbKNnBKNThqxTWLi2E5NqqHLccIJg/P33yqwgGVKKUM9HFfXZ8urz6/dl8oNG3oxs73W1sgWHrFRo3ZayHsuUMe+DLyt8wtyR/RUae0nvd6Z6t0lPwujXWBrRS/FeMg/IGA8ExBKjD+aAYdQfH/lhlDGzumTXgbSB0KMzlpOjcum2Aes69rEiR744GGaPb2"
          "X3MxK8vjpeMIx16n2tADb0wKKP19WTF0at5HCP8F4SFflLUPJMOC1Be9FCWjTjNr1qrRZTwCwC7OC9tnV7SsKKXG+8D6hu39Tm5U1GLzpKvLMIv14b6MWsU9cV/iVKH+hQq4YRowIDAQAB" )  ; ----- DKIM key 25D766CE-CEAC-11E7-B087-020B6DB9DD9A for zimbra.io

A single character-string in a DNS TXT record is limited to 255 bytes. The 1024-bit keys of earlier releases fit in one string, but a 2048-bit key (392 base64 characters) does not, so the data has to be split into several quoted strings inside one TXT record; verifiers concatenate the strings of a record before parsing it (RFC 6376, section 3.6.2.2). How you enter this depends on the DNS server:

  • In a web UI such as cPanel, create one new TXT entry whose name is the selector and whose value is the whole string "v=DKIM1; k=rsa; p=ALL-THE-KEY"; the UI takes care of splitting the value into 255-byte strings.

(Screenshot: Dkim-2048.png)

  • In BIND and other zone-file based servers, enclose the strings in parentheses so that the record can span several lines. Keep the split inside a single record and do not enter the key as two separate IN TXT lines: that creates two TXT records at the selector name, RFC 6376 leaves the result of multiple records undefined, and verification may fail depending on the verifier.
25D766CE-CEAC-11E7-B087-020B6DB9DD9A._domainkey IN      TXT     ( "v=DKIM1; k=rsa; p="
"MIIBIjANBgkqhkiG9w..."
"...AQAB" )

How to check that you have a valid DKIM signature

You can check that the published key record is valid with a web tool such as http://dkimcore.org/tools/keycheck.html: enter your selector and your domain and click Check. To check an actual signature, send a message to a mailbox at a provider that verifies DKIM and look for dkim=pass in the Authentication-Results header of the received copy.

(Screenshot: Dkim-2048-001.png)

After a few seconds you will see the result:

(Screenshot: Dkim-2048-002.png)

DKIM and outbound email

By default, with DKIM enabled, outbound email submitted by authenticated users is converted from 8-bit to 7-bit using the quoted-printable Content-Transfer-Encoding. This prevents a broken DKIM signature further along the path, should a downstream server be unable to handle a Content-Transfer-Encoding of 8bit: if a message is signed while 8-bit and later converted to 7-bit by some relay, the body hash no longer matches and DKIM verification fails. By performing this conversion before signing, Zimbra ensures the signature stays valid.

This has the disadvantage of munging the content of users' message bodies. Mailing lists and PGP/GPG users will find that quoted-printable encoding breaks the expected behaviour of email. This page on amavisd has a detailed explanation of the problem.

Should you wish to have the message body preserved as 8-bit, at the risk of a bad DKIM signature on the path, change the following in /opt/zimbra/conf/amavisd.conf.in. The amavisd EHLO keyword list is what triggers the conversion: when the amavisd listener does not announce 8BITMIME, Postfix downgrades 8-bit bodies to quoted-printable before handing them over for signing.

In the ORIGINATING and ORIGINATING_POST policies change:
%%uncomment SERVICE:opendkim%%  smtpd_discard_ehlo_keywords => ['8BITMIME'],
to:
%%uncomment SERVICE:opendkim%%  smtpd_discard_ehlo_keywords => [],
This occurs in two places in the /opt/zimbra/conf/amavisd.conf.in file.

Then run zmamavisdctl restart and verify that the service now advertises 8BITMIME in its EHLO response:

$ telnet 127.0.0.1 10026
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready
ehlo zimbra.co
250-[127.0.0.1]
250-VRFY
250-PIPELINING
250-SIZE
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SMTPUTF8
250-DSN
250 XFORWARD NAME ADDR PORT PROTO HELO IDENT SOURCE
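As an added example (not from the Zimbra wiki or Zimbra's own tooling), the following shell functions automate the two steps above: the first applies the amavisd.conf.in edit and reports how many lines changed, which should be 2 on the first run and 0 on any later run; the second reads an EHLO reply and succeeds only if 8BITMIME is advertised, so the port 10026 check can be scripted instead of read off a telnet session. The function names are the editor's own; the sed pattern assumes the two lines look exactly like the ones quoted above, and the nc probe in the comment assumes a netcat that closes the connection when its input ends.

```shell
#!/bin/sh
# Added example, not part of the Zimbra wiki or of Zimbra's tooling.
# Function names are the editor's; paths follow the text above.

# disable_8bitmime_downgrade FILE
# In FILE (normally /opt/zimbra/conf/amavisd.conf.in) change every
#   smtpd_discard_ehlo_keywords => ['8BITMIME'],
# to
#   smtpd_discard_ehlo_keywords => [],
# keeping the %%uncomment SERVICE:opendkim%% prefix, and print the number of
# lines changed.  Expect 2 (ORIGINATING and ORIGINATING_POST) on the first
# run and 0 afterwards; the edit is idempotent.  Back the file up first.
disable_8bitmime_downgrade() {
    _file=$1
    _pat="smtpd_discard_ehlo_keywords => \['8BITMIME'],"
    _before=$(grep -c "$_pat" "$_file" || true)
    sed "s/$_pat/smtpd_discard_ehlo_keywords => [],/" "$_file" > "$_file.tmp" \
        && mv "$_file.tmp" "$_file"
    _after=$(grep -c "$_pat" "$_file" || true)
    echo $((_before - _after))
}

# ehlo_advertises_8bitmime
# Reads an SMTP EHLO reply on stdin (CRLF line endings tolerated) and
# returns 0 if a 250 line advertises 8BITMIME, 1 otherwise.  To probe the
# amavisd listener from the transcript above after zmamavisdctl restart:
#   printf 'EHLO %s\r\nQUIT\r\n' "$(hostname)" | nc 127.0.0.1 10026 \
#       | ehlo_advertises_8bitmime && echo "8BITMIME on"
ehlo_advertises_8bitmime() {
    tr -d '\r' | grep -q '^250[- ]8BITMIME$'
}
```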


Verified Against: ZCS 8.x Date Created: 05/03/2012
Article ID: https://wiki.zimbra.com/index.php?title=Configuring_for_DKIM_Signing Date Modified: 2022-02-21


