DKIM
DKIM (DomainKeys Identified Mail, [RFC4871], successor of DomainKeys) provides a cryptographic mechanism to verify the integrity of a message. A DKIM-signed message includes a "DKIM-Signature" header which contains a message signature based on public-key cryptography. DKIM uses DNS or DNSSEC as the carrier for the public keys.
VSP/SPG can both sign outbound messages and verify the signatures of incoming messages. The feature was added in version 2.2.
How to deploy DKIM with Halon VSP/SPG
The only requirement to deploy DKIM is that you have access to administer the DNS server for your domain name.
Create a Private Key
Start by creating a private key (RSA 1024 or 2048). This can be done from the web administration (Security -> Certificates -> Generate); a new key of type "privatekey" should appear. This key must be kept private, as it is what protects the integrity of your DKIM-Signature.
Regarding the key size (1024 or 2048): for most organisations a 1024-bit key should be secure enough (written 2010) as long as the private key is not leaked. Larger keys, as well as more regular key rotation, will be recommended in the future.
Sign and Deliver
On the Flows -> Content page we provide a "DKIM and Deliver" simple block. It can replace the normal Deliver block at the end of the flow. It requires a few parameters.
Selector
The selector is a sub-domain/name-space/identifier for the key you are currently using. It allows you to rotate keys while keeping the old ones published for a while, so when you update the key you should also update your selector. You can use whatever selector you want as long as it is a valid domain name. Some people use friendly names (gamma, spaceship, rocket, piggy) just for a laugh.
Domain
This defines which domain guarantees the integrity of the message. Depending on your implementation this can be either a domain of your choice (halon.se) or $senderdomain. The simplest approach to deploy DKIM is to use a single domain. The only disadvantage is that it doesn't allow you to deploy Author Domain Signing Practices (which this document doesn't cover) for any domain except that one.
Each domain you sign for, whether halon.se or every $senderdomain (all domains that you relay for), must publish the public key in its DNS server.
Private Key
Select your newly created key from the previous step.
(don't forget to save once done)
Publish your public key
The DKIM simple block has a help function to generate the TXT entry for your DNS server; it goes at the subdomain selector._domainkey.domain (e.g. spaceship._domainkey.halon.se). Once done you should verify that your public key looks valid.
On your computer, run the following (with your own values).
Linux/Mac
In a terminal
# host -t txt spaceship._domainkey.halon.se
Microsoft Windows
Start -> Run -> cmd
# nslookup
> set q=txt
> spaceship._domainkey.halon.se
It should look something like this.
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCocO7k2Nioo2T.....
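As an added example (not part of the Halon documentation), here is a small Python check for the record you just published: it parses the tag list, decodes p=, and reads the RSA modulus size so you can confirm the record carries the 1024- or 2048-bit key you generated. The DNS lookup itself is left to host/nslookup as above; the record below is a constructed sample with a dummy modulus, not a real key.

```python
import base64
def parse_tags(record):
    """RFC 4871 tag-list ("v=DKIM1; k=rsa; p=...") -> dict; whitespace inside values is dropped."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())   # long TXT records are often split
    return tags
def _tlv(buf, pos=0):  # read one DER tag/length/value at pos -> (tag, value, end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def rsa_modulus_bits(spki):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey; return the modulus size in bits."""
    _, outer, _ = _tlv(spki)                            # SEQUENCE
    _, _, pos = _tlv(outer)                             # AlgorithmIdentifier (skipped)
    _, bitstr, _ = _tlv(outer, pos)                     # BIT STRING; byte 0 = unused bits
    _, rsa, _ = _tlv(bitstr, 1)                         # RSAPublicKey SEQUENCE
    tag, n, _ = _tlv(rsa)                               # INTEGER modulus n
    if tag != 0x02:
        raise ValueError("not an RSAPublicKey")
    return len(n.lstrip(b"\x00")) * 8
def check_record(record):
    """Return (problems, key_bits); an empty problems list means the record looks valid."""
    tags, problems = parse_tags(record), []
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        problems.append("v= must be DKIM1 and k= must be rsa")
    p = tags.get("p")
    if not p:
        return problems + ["missing or empty p= tag (empty p= means the key is revoked)"], 0
    try:
        bits = rsa_modulus_bits(base64.b64decode(p, validate=True))
    except Exception:
        return problems + ["p= is not a base64-encoded RSA SubjectPublicKeyInfo"], 0
    if bits < 1024:
        problems.append("key is shorter than 1024 bits")
    return problems, bits
def _der(tag, body):  # minimal DER encoder, used only to build the constructed sample below
    hdr = bytes([len(body)]) if len(body) < 128 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + hdr + body
# Constructed sample (NOT a real key): dummy 1024-bit modulus, e=65537, wrapped like a real p= value.
_RSA_OID = bytes.fromhex("2a864886f70d010101")
_KEY = _der(0x30, _der(0x02, b"\x00" + b"\xab" * 128) + _der(0x02, b"\x01\x00\x01"))
_SPKI = _der(0x30, _der(0x30, _der(0x06, _RSA_OID) + _der(0x05, b"")) + _der(0x03, b"\x00" + _KEY))
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(_SPKI).decode()
```

Paste the p= value from your own host/nslookup output into check_record to test a live record; a real 1024-bit key starts with the "MIGf..." prefix shown above.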
Verify that it's working
It can be quite hard to verify by yourself that it's working (since DKIM is a cryptographic signature).