DKIM Configuration

Note: This article applies to Mailborder v5.3.0 and later Master and Child servers. 

You may add DKIM signatures to email generated on or passing through Mailborder servers. In order to do this, you must first create the public and private keys along with the corresponding DNS record. Navigate to the DKIM Signatures section of the Master GUI. As of this writing, it is located here: [ top menu > Transport > DKIM Signatures ]

Creating Public and Private Keys

The easiest method to create the keys needed for DKIM is to use the record generator built into the Mailborder Master GUI. However, you may also use an alternative source such as the DKIM Record Generator from Easy DMARC and paste the values into the form. The form is self-explanatory and has help dialogs, but there are some things to note:

Domain

This is the domain you own and/or control. Normally this domain would be one you have defined in the Mailborder GUI for spam processing. However, any email whose source address uses this domain will get a DKIM signature.

Selector

This is going to be part of the DNS text record name you create. For example, if you wanted to use the selector foo for the domain example.com, the final result will be foo._domainkey.example.com in DNS. This means you are going to create a TEXT record named foo._domainkey in the example.com DNS records. The value of that record will be something that looks like this: 

Key Length

This determines how strong the key is going to be. Stronger does not always mean better in this case. These keys are not used to encrypt the content of messages; they are used to create a signature that is attached to the headers. The stronger the key, the longer the DNS text record value is going to be: anything larger than a 1024 bit key length will produce a text record greater than 255 characters, and your DNS server may or may not accept values greater than 255 characters in the text record. The standard as of this writing is 2048 bit. However, you may need to use 1024 bit depending on your DNS server. The GUI will automatically break your DNS text record into chunks using double quotes if the record is longer than 255 characters. Most DNS servers will accept this. However, if you use a DNS provider that will not allow this, you will need to use a 1024 bit key length.
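The 255-character limit and the quoted chunks described above can be checked before pasting a value into a DNS provider. The following is an added example, not Mailborder's own code: the function names are hypothetical, the key material is a constructed placeholder of realistic length rather than a real key, and the v=DKIM1; k=rsa; p= layout is assumed to match what your generator emits.

```python
import base64
import re

TXT_STRING_MAX = 255  # one quoted string in a DNS TXT record holds at most 255 characters


def record_name(selector, domain):
    """Name the TXT record is published under: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def txt_value(pubkey_b64):
    """Unsplit record value. The v=, k= and p= tags are standard DKIM tags; the
    exact tag set your generator emits is an assumption here."""
    return f"v=DKIM1; k=rsa; p={pubkey_b64}"


def split_txt(value, limit=TXT_STRING_MAX):
    """Break the value into double-quoted chunks of at most `limit` characters."""
    return [f'"{value[i:i + limit]}"' for i in range(0, len(value), limit)]


def reassemble(zone_text):
    """Join the quoted chunks with no separator, as a DKIM verifier does."""
    return "".join(re.findall(r'"([^"]*)"', zone_text))


def constructed_key(bits):
    """Constructed placeholder, NOT a real key: filler bytes with the size of a
    DER-encoded RSA public key (162 bytes for 1024 bit, 294 for 2048 bit)."""
    return base64.b64encode(b"\x30" * {1024: 162, 2048: 294}[bits]).decode()


if __name__ == "__main__":
    print("record name:", record_name("foo", "example.com"))
    for bits in (1024, 2048):
        value = txt_value(constructed_key(bits))
        chunks = split_txt(value)
        assert reassemble(" ".join(chunks)) == value  # splitting must be lossless
        print(f"{bits} bit: {len(value)} characters, {len(chunks)} chunk(s)")
        print("  " + " ".join(chunks))
```

If a DNS provider inserts a space or line break inside the p= value when it joins the chunks, the reassembled key no longer matches the private key and signatures will fail verification.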

Public and Private Keys

These fields will automatically be populated by the Mailborder GUI if you use the Generate Records button. Alternatively, you may use something like the DKIM generator from Easy DMARC and paste the results into the form. 

Signing Enabled

If this box is checked, all Mailborder servers will use this DKIM record for signing email originating from the source domain. Uncheck the option if you only wish to add the configuration for now. You may enable this later for signing operations.

Adding Trusted Hosts

In order for the DKIM signing keys to be used, trusted hosts need to be entered into the configuration. This is done on the DKIM Internal Hosts page. As of this writing, this page is located here:

[ Master GUI > top menu > Transport > DKIM Internal Hosts ]

Use the Actions menu to add your internal servers that send email outbound through Mailborder servers. For example, if you have an internal Exchange server that relays outbound through a Mailborder server, add the IP of the Exchange server. You may also add CIDR ranges, hostnames, and wildcards.

About Wildcards

The traditional use of asterisks (*) is NOT allowed. To specify a wildcard, prefix the entry with a dot (.). For example, if you wanted to allow all hosts in the example.com domain to utilize the DKIM signing, you would add the wildcard like this:

.example.com

Loopback Addresses

The local loopback addresses 127.0.0.1 and ::1 are automatically added during configuration rebuilds.

Creating the DNS Record

Once you have created your DKIM keys, go to where your DNS is hosted and create a new DNS text record. Again, the name of the record will be your selector name with ._domainkey appended at the end. The text value of the DNS record will be the output that starts with v=DKIM1; from the Mailborder generator or Easy DMARC. Below is a sample screenshot for mailborder.com using DNS hosted by Amazon Web Services. The name of our selector is default, but you may use anything you prefer.