Control Panel -> Administrative Tools -> Services, and check if those services are running; if those services are not running, please start them.
DomainKeys/DKIM in Manager and click New to create a new domain DKIM signature.
DKIM signature is based on the domain of the sender email address. It has nothing to do with the server name.
*@emailarchitect.net, please input emailarchitect.net to Sender Domain.
Create PFX, Test Certificate or Access Denied, please close DKIM manager, and then right click DKIM manager -> Run as administrator to try it again.
Parameter | Description |
Sender Domain | DKIM signature is based on the domain of the sender email address. It has nothing to do with your server name. For example, if you want to sign the email from *@emailarchitect.net, please input emailarchitect.net to Sender Domain. |
Selector | To support multiple concurrent public keys per sending domain, the DNS namespace is further subdivided with selectors. Selectors are arbitrary names below the _domainkey. namespace. To learn more detail, please refer to Selector section. For a new domain, you can simply use the default value s1024. |
Active | If you have this option unchecked, DKIM for this domain is disabled. |
Signature | Default value is: DKIM Only. You can also choose DKIM Only or DomainKeys Only. Since DomainKeys is obsolete now and DKIM Only has better performance, we recommend that you select DKIM Only. |
Canonicalization Algorithm | nofws/relaxed is recommended and it has better compatibility. |
DKIM Signature Algorithm | On Windows 2000/2003/XP, rsa-sha1 is the only option. On Windows Vista/7/2008 or later versions, you can choose rsa-sha1 or rsa-sha256. rsa-sha1 gives better performance while rsa-sha256 is more secure. rsa-sha256 is recommended. |
Certificate File Name/Password/Type | Certificate Options: If you don't have a certificate (private/public key pair) for your domain, DKIM manager will create a certificate for your domain automatically; if you have an existing certificate, please import it from your local disk and input your certificate protection password. If you choose 'you don't have a certificate...', DKIM manager will try to create a certificate from your local machine automatically. If the operation fails, DKIM manager will download a certificate from our server remotely. Multiple Servers: If you have another server using our DKIM software to sign the same domain and it uses the same selector, you need to copy the certificate from that server and use the same certificate. Please refer to Deploy DomainKeys/DKIM on multiple servers with same domain. If you have another server not using our DKIM software to sign the same domain, please select 'I don't have a certificate ...', and use a different selector. To learn more detail, please refer to Selector section. Certificate Key Length: 1024 key length is recommended. 2048 public key is too long for a single TXT record in DNS server, public key deployment is more difficult. |
Signed Headers | Specify what message headers should be signed. sender header and from header are a MUST. Using default setting is recommended. |
Sign a part of message | By default, DKIM signs the entire body of the message; however, you can specify the maximum length of message body to sign. If your server relays messages through a remote MTA, and this MTA adds a disclaimer or changes the email body content, I suggest that you use 'sign a part of message' and set 'Maximum length of message body to sign' to zero. |
Maximum length of message body to sign | If length is set to zero, only message headers will be signed. |
Sign system message (Exchange Server Only) | By default, the DKIM plugin doesn't sign system messages (non-delivery reports), because those messages are supposed to be transferred internally. However, if your server delivers system messages to the Internet, you should enable this option. |
Sign internal MAPI message (Exchange Server Only) | By default, the DKIM plugin doesn't sign internal MAPI messages, to improve performance, but if you need to deliver MAPI messages to the Internet (this is not the default behavior of Exchange server), you should enable this option. |
Fix bad headers in embedded message (Exchange Server Only) | Sometimes, Exchange SMTP service wraps folded headers of embedded message again after DKIM signature is signed. This behavior may corrupt the message body hash. Enabling this option can fix this issue. |
Wrap email address with <> in email header automatically (IIS SMTP Only) | Sometimes the original email header doesn't wrap the email address with <>; however, after DKIM is signed, some relay MTA may wrap the email address automatically, and this behavior corrupts the DKIM signature. This option can avoid the problem. You don't have to check this option (performance issue) unless the relay MTA corrupts the signature. |
Disabled recipients | If message recipients contain the following email address, then disable DKIM signature. Please separate multiple addresses by line-break. Wildcard ( * and ? ) is supported. |
'nokey'. But if there is a header named “DKIM-Signature” in the report, that means DKIM signature is added to your email.
Now we need to deploy DKIM public key to domain DNS server.
Field | Description |
TXT Record | The full name of your public key record. |
Public Key | The value in the TXT record. |
Test Mode | t=y; in public key record means Test mode, you can remove t=y; from your public key record after your DKIM test is finished. |
Domain Policy Record (Optional) | Domain Policy Record is always deployed to _domainkey.yourdomain. In policy record value, o = Outbound Signing policy ('-' means that this domain signs all email; '~' is the default value and means that this domain may sign some email with DomainKeys). If you do not set policy record, the o=~; is used by default. |
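The record names and tag strings in the table above, worked through as an added example (not code from the DKIM manager). The key values are constructed placeholders with the same base64 length as 1024-bit and 2048-bit RSA public keys, which shows why the longer key does not fit one TXT string.

```python
# Added example; key values below are constructed placeholders, not real keys.
MAX_TXT_STRING = 255  # a single DNS TXT character-string holds at most 255 bytes

def parse_tags(value):
    """Parse a 'tag=value;tag=value;' list as used by key and policy records."""
    items = (item.split("=", 1) for item in value.split(";") if "=" in item)
    return {tag.strip(): val.strip() for tag, val in items}

def key_record_name(selector, domain):
    """Public key record name: [selector]._domainkey.[domain]."""
    return f"{selector}._domainkey.{domain}"

def policy_record_name(domain):
    """Policy record name: _domainkey.[domain]."""
    return f"_domainkey.{domain}"

def txt_strings(value):
    """Split a TXT value into the character-strings a DNS server must store."""
    return [value[i:i + MAX_TXT_STRING] for i in range(0, len(value), MAX_TXT_STRING)]

def review_key_record(selector, domain, value):
    """Return the record name, its TXT strings and notes for the operator."""
    tags = parse_tags(value)
    strings = txt_strings(value)
    notes = []
    if tags.get("v") != "DKIM1" or not tags.get("p"):
        notes.append("not a usable DKIM1 key record")
    if "y" in tags.get("t", "").split(":"):
        notes.append("test mode (t=y) still set")
    if len(strings) > 1:
        notes.append(f"value is {len(value)} bytes: needs {len(strings)} TXT strings")
    return {"name": key_record_name(selector, domain), "strings": strings, "notes": notes}

# Constructed placeholders: 216 and 392 base64 characters match the encoded
# size of 1024-bit and 2048-bit RSA public keys.
KEY_1024 = "v=DKIM1;k=rsa;t=y;p=" + "A" * 216
KEY_2048 = "v=DKIM1;k=rsa;t=y;p=" + "A" * 392

if __name__ == "__main__":
    for value in (KEY_1024, KEY_2048):
        result = review_key_record("s1024", "emailarchitect.net", value)
        print(result["name"], len(result["strings"]), result["notes"])
    print(policy_record_name("emailarchitect.net"), parse_tags("t=y;o=~;"))
```

Whether a DNS console splits a long value into several strings itself or expects you to do it varies by provider.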
Deploy Key in DKIM manager, please deploy public key manually as follows:
v=DKIM1;k=rsa;p=...) from Public Key field and paste it to the “Text” text box and input s1024._domainkey (depends on the information in the dialog box, the syntax is [selector]._domainkey) in Record Name. Click the OK button.
_domainkey domain under yourdomain at the beginning, and then create s1024 TXT record under _domainkey sub-domain. The reason is that creating s1024._domainkey TXT record directly is not permitted in Windows 2000 DNS server.
t=y;o=~;) from Policy field and paste it to the “Text” text box and input _domainkey in Record Name. Click the OK button.
o=~;
is used by default.
www.networksolutions.com, you can deploy your public key like this:
v=DKIM1;k=rsa;p=...) from Public Key field and paste it to the “Text” text box and input s1024._domainkey (depends on the information in the dialog box, the syntax is [selector]._domainkey) in Host. Click the “Continue” button.
t=y;o=~;) from Policy field and paste it to the “Text” text box and input _domainkey in Host. Click the OK button.
v=DKIM1;k=rsa;p=...) from Public Key field and paste it to the “TXT Value” text box and input s1024._domainkey (depends on the information in the dialog box, the syntax is [selector]._domainkey) in Host. Click the “Continue” button.
t=y;o=~;) from Policy field and paste it to the “TXT Value” text box and input _domainkey
in Host. Click the OK button.
*@yourdomain, and you have set the domain in DKIM. As DKIM signature is based on the email sender, if the sender domain is not set in DKIM Manager, the email won’t be signed.
EADomainKeysAgent installed in the output.
Sign a part of message and set Maximum length of message body to sign
to zero, then try it again.
selectors. Selectors are arbitrary names below the _domainkey. namespace. For example, selectors may indicate the names of your server locations (e.g., mta1, mta2, and mta2), the signing date (e.g., january2005, february2005, etc.), or even the individual user.
s1024, your public key record should be s1024._domainkey.yourdomain; mta1, your public key record should be mta1._domainkey.yourdomain.
emailarchitect.net and your selector is: s1024, you should deploy your public key to s1024._domainkey.emailarchitect.net.
After the receiver received your email, the receiver can query the public key from s1024._domainkey.emailarchitect.net
to verify your DomainKeys/DKIM signature.
*.pfx certificate you created on the first server to other servers under EADomainKeysinstallationpathcerts.
*.pfx file from your local disk and input the TMP001 (default password) as the password.
s1024 (default name).
selector._domainkey.emailarchitect.net, every email from multiple servers can be verified by this public key.
server1 and server2. On the first server (server1), svr1 is used as the selector. On the second server (server2), svr2 is used as the selector. The two servers use different key pairs (certificate).
svr1._domainkey.yourdomain; deploy the second server public key to svr2._domainkey.yourdomain.
svr1._domainkey.yourdomain to validate the DKIM signature.
svr2._domainkey.yourdomain to validate the DKIM signature.
selector provides a solution for using different key-pair/certificates with the same domain on multiple servers.
emailarchitect.net
and you have DKIM/DomainKeys for emailarchitect.net set on your server. There is no problem when you send emails with sender *@emailarchitect.net; the email will be signed correctly.
*@adminsystem.com and sign the DKIM/DomainKeys signature for outgoing emails. As adminsystem.com is your customer domain and you don’t have permission to deploy the public key to adminsystem.com DNS server, you have to use sender rule.
*@adminsystem.com, then add a sender header (Sender: [email protected]) to the message”. And the email will be signed by emailarchitect.net based on the sender header.
emailarchitect.net. And the recipient email client will display: From: [email protected] on behalf of *@adminsystem.com.
emailarchitect.net in DKIM setting, and add a rule like this:
*@emailarchitect.net, the email will be simply signed by DKIM with emailarchitect.net.
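An added example (not part of the vendor's software) that reads a DKIM-Signature header the way a receiver does: it derives the key lookup name from the s= and d= tags described in the selector section, and reports how the algorithm, partial-body and sender-rule settings above show up in the signature. Both headers are constructed, with placeholder bh= and b= values.

```python
# Added example; the two headers below are constructed samples.
import re

def parse_signature(header_value):
    """Parse the tag list of a DKIM-Signature header value into a dict."""
    unfolded = re.sub(r"\s+", "", header_value)  # drop folding and padding whitespace
    return dict(item.split("=", 1) for item in unfolded.split(";") if "=" in item)

def key_query_name(tags):
    """DNS name a receiver queries for the public key: [s]._domainkey.[d]."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def review_signature(tags, from_domain):
    """Return notes on what the signature does and does not cover."""
    notes = []
    if tags.get("a") == "rsa-sha1":
        notes.append("a=rsa-sha1: RFC 8301 says rsa-sha1 must not be used; sign with rsa-sha256")
    if "l" in tags:
        notes.append(f"l={tags['l']}: body content after the first {tags['l']} bytes is not covered")
    signed = [name.lower() for name in tags.get("h", "").split(":")]
    if "from" not in signed:
        notes.append("From header is missing from h=")
    if tags.get("d", "").lower() != from_domain.lower():
        notes.append(f"d={tags.get('d')} differs from the From domain {from_domain}")
    return notes

# Sender-rule case from the text: From is *@adminsystem.com, signed by
# emailarchitect.net, with rsa-sha1 and 'Maximum length of message body to sign' = 0.
SENDER_RULE_SIG = ("v=1; a=rsa-sha1; c=relaxed/relaxed; d=emailarchitect.net; s=s1024; l=0;\r\n"
                   "\th=from:sender:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER")
# Same domain signing its own mail with rsa-sha256 and the whole body.
OWN_DOMAIN_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=emailarchitect.net; s=s1024;\r\n"
                  "\th=from:sender:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER")

if __name__ == "__main__":
    for sig, from_domain in ((SENDER_RULE_SIG, "adminsystem.com"),
                             (OWN_DOMAIN_SIG, "emailarchitect.net")):
        tags = parse_signature(sig)
        print(key_query_name(tags), review_signature(tags, from_domain))
```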