DKIM signature for outgoing messages

This section provides instructions on adding a DKIM signature to outgoing messages.

About the DKIM signature for outgoing messages

A DKIM signature for outgoing messages  is a digital signature added to messages sent from email addresses of a certain domain for purposes of identifying users by the name of the corporate domain.

DomainKeys Identified Mail (DKIM) technology combines several existing anti-phishing and anti-spam methods to improve the quality of classification and identification of legitimate email. Instead of a traditional IP address, DKIM technology adds a digital signature associated with the name of the corporate domain to the message for the purpose of identifying its sender.

Enabling and disabling the DKIM signature for outgoing messages

To enable or disable the DKIM signature for outgoing messages:

1. In the main window of the application web interface, open the management console tree and select the Domains section.
2. In the upper part of the workspace, click the DKIM signature link to open the DKIM settings window.
3. Select one of the following options in the DKIM signature drop-down list:
   • Enabled if you want to add the DKIM signature to outgoing messages.
   • Disabled if you do not want to add the DKIM signature to outgoing messages.
4. Click OK.

The DKIM settings window closes.

Creating the DKIM key

To create a DKIM key:

1. In the main window of the application web interface, open the management console tree and select the Encryption Keys section and DKIM subsection.
2. Click the Create button in the upper part of the workspace.

   The Create DKIM key window opens.

3. In the Key name field, type the name of the DKIM key that will help you to find the key when adding the DKIM signature for messages.
4. Click OK.

The DKIM key you have created appears in the list of DKIM keys in the workspace of the main window of the application web interface.

Importing the DKIM key from file

To import a DKIM key from file:

1. In the main window of the application web interface, open the management console tree and select the Encryption Keys section and DKIM subsection.
2. Click the Import from file button in the upper part of the workspace.

   The Import DKIM key window opens.

3. In the Key name field, type the name that you want to assign to the DKIM key being imported.
4. Click the Browse button to the right of the Choose DKIM key file field.

   The file selection window opens in the web browser that you use.

5. Choose the file of the DKIM key that you want to import and click the Open button in your web browser.

   The file must contain an RSA key in PEM format and be 2048 or 4096 bits long.

   The file selection window closes.

6. Click OK.

   The Import DKIM key window closes.

The DKIM key appears in the list of DKIM keys in the workspace of the main window of the application web interface.

Deleting the DKIM key

To delete a DKIM key:

1. In the main window of the application web interface, open the management console tree and select the Encryption Keys section and DKIM subsection.
2. In the list of DKIM keys, select the check box next to the name of one or several keys that you want to delete.
3. Click the Delete button in the upper part of the workspace.

   The Delete action confirmation window opens.

4. Click Yes.

   The Delete window closes.

The DKIM key is deleted.

Preparing to add the DKIM signature to outgoing messages

You can configure the DKIM signature for messages in the web interface of Kaspersky Secure Mail Gateway.

The process of configuring the DKIM signature for messages consists of the following steps:

1. Enabling the DKIM signature for outgoing messages.
2. Creating or importing a DKIM key.
3. Adding the DKIM signature to messages sent from email addresses in a specific domain.

In order for the remote mail server to be able to verify the DKIM signature added to outgoing messages, you need to obtain the DNS record of the public DKIM key via the web interface of Kaspersky Secure Mail Gateway and add it to the settings of your DNS server.

To obtain the DNS record of the public DKIM key, do the following in the web interface of Kaspersky Secure Mail Gateway:

1. In the main window of the application web interface, open the management console tree and select the Domains section.
2. If the workspace shows the value of the DKIM signature setting as Disabled, do the following:
   1. Click the DKIM signature link to open the DKIM settings window.
   2. In the DKIM signature drop-down list, select Enabled.
   3. Click OK.

      The DKIM settings window closes.

3. In the list of domains, select the domain for whose addresses you want to configure the DKIM signature to be added to outgoing messages.
4. In the DKIM signature for messages from domain addresses section, click Add.

   The Creating DKIM signature for the domain window opens.

5. In the Selector field, type the name that will help you find the DKIM signature.
6. In the Key name list, select the DKIM key based on which the DKIM signature will be added to messages.
7. Click OK.

   The Creating DKIM signature for the domain window closes.

In the DKIM signature for messages from domain addresses section, the DNS record field shows the DNS record of the public DKIM key for a specific domain.

To add a public DKIM key to the settings of your DNS server:

1. Sign in to your DNS server under the administrator account.
2. Locate the page with information on updating DNS records of the domain for whose addresses you want to configure the DKIM signature to be added to outgoing messages.

   For example, this page can be named "DNS Management", "Name Server Management", or "Advanced Settings".

3. Find records in TXT format for the domain for whose addresses you want to configure the DKIM signature to be added to outgoing messages.
4. In the list of records in TXT format, add the DNS record of the public DKIM key for a certain domain with the following contents:

   <selector>._domainkey.<name of the domain for which you want to add the public DKIM key>. IN TXT ( "v=<DKIM version>; k=rsa; s=email" "p=<DNS record of the public DKIM key>" )

   For example, you can add the following string:

   mail._domainkey.example.com IN TXT ( "v=DKIM1; k=rsa; s=email; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtyb09IeTJtIxTEohP/wa8eZOuiFJxL3pjk+1R81ajQyTb4J8Dj23RbjOKCZGFdyJfj7MUUL9MpvAo6OL9KrfaF8ehR7MbHhaix1qPDfSP5a97vl9/6KR2TKJfi+0dQ/pMLJMbnXfdWeoDoDBUK0++B8HHCnSpLTxsH/YDOtjKaHFxbU6DMEICTiVBWR+yeWopdWi9kPNT5SJ5H" )

   See Document RFC 5617 for details on configuring settings of the DNS record of a public DKIM key.

5. Save changes.

The syntax of the sample DNS record is provided for purposes of adding it to the settings of a BIND DNS server. The syntax of the DNS record to be added to other DNS servers may differ slightly from the example provided.

Adding the DKIM signature to messages from addresses from a specific domain

Before adding the DKIM signature to messages from addresses belonging to a certain domain, you have to create or import a DKIM key.

To add the DKIM key to messages sent from email addresses belonging to a certain domain:

1. In the main window of the application web interface, open the management console tree and select the Domains section.
2. If the workspace shows the value of the DKIM signature setting as Disabled, do the following:
   1. Click the DKIM signature link to open the DKIM settings window.
   2. In the DKIM signature drop-down list, select Enabled.
   3. Click OK.

      The DKIM settings window closes.

3. In the list of domains, select the domain for which you want to add the DKIM signature to outgoing messages.
4. In the DKIM signature for messages from domain addresses section, click Add.
5. The Creating DKIM signature for the domain window opens.
6. In the Selector field, type the name that will help you find the DKIM signature.
7. In the Key name list, select the DKIM key based on which the DKIM signature will be added to messages.
8. Click OK.

The Creating DKIM signature for the domain window closes.

After you have configured the DKIM signature for messages in the web interface of Kaspersky Secure Mail Gateway, in order for the remote mail server to be able to verify this DKIM signature you have to add the public DKIM key to the settings of your DNS server.