DKIM (DomainKeys Identified Mail)
DKIM is a mechanism that checks whether an incoming email's FROM address is forged. DKIM adds a special header to every outbound email, which the receiving server can use to confirm the message's authenticity. Xeams not only checks the DKIM signature of incoming emails from the Internet, it can also sign outbound messages with a private key so that the receiving server can verify them.
Enabling DKIM in Xeams
- Log in as admin to Xeams' web interface
- Click DKIM under Filter Management
- The following page has two sections:
  - On the left hand side you can specify a spam score for incoming emails. This score is assigned to a message that fails DKIM authentication; it is only assigned if a signature is found but is invalid.
  - On the right hand side, specify the domains you would like to sign when sending outbound emails
Preparing your domain for outbound messages
To add your domain, specify your domain name along with a selector value. The selector can be any arbitrary value; its purpose is to differentiate multiple SMTP servers in your company. Consider a scenario where you have two SMTP servers, Xeams and Exchange, and outbound emails are sent from both of them. In this case you can use the word "xeams" for the Selector in Xeams and "Exchange" for the other SMTP server.
Xeams automatically creates a Private/Public key pair in the background. These keys are saved in folder. It is strongly recommended that you back up this folder. To view the public key value for your domain, click View Details for the desired domain name.
When a domain is added in Xeams, it remains Inactive until the public key is entered in your DNS server. This is done by design, to avoid signing outbound email without a DNS entry.
How to add your public key in a DNS server
You will need to add a TXT record in your DNS server. The host name for this TXT record must be YourSelector._domainKey.YourDomain.com. Copy/paste the value of your public key from the "View Details" screen for your domain.
Troubleshooting Common Problems
Xeams Displays a Thumbs Down Icon
Xeams performs a DNS lookup to see if your DKIM key exists in DNS. If the key is not found, you will see a thumbs down icon in the active column.
This happens if Xeams is not able to query your DNS server. Click the word Tools in the Xeams Admin Console. This brings up a screen allowing you to perform DNS lookups. Try performing a DNS lookup on YourSelector._domainKey.YourDomain.com and ensure it returns your DKIM key.
If not, check whether you use two DNS servers, one public and another for your LAN. Administrators often modify the zone in their public DNS but forget to add the DKIM key to their local DNS server.
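As an added example (not part of the original Xeams documentation), the following Python script builds the TXT record name from the selector and domain described above and checks a record value the way you would inspect the answer from the Tools DNS lookup: it rejoins the several quoted strings a long RSA key is published as, parses the tag list, and flags common publishing mistakes (only the first string copied into the zone, or an empty p= which means the key is revoked). The selector "xeams", the domain example.com and the key bytes are constructed placeholders, not a real key.

```python
import base64
import binascii
import re


def dkim_record_name(selector: str, domain: str) -> str:
    """Owner name of the DKIM TXT record: <selector>._domainkey.<domain>.

    DNS names are case-insensitive, so _domainKey and _domainkey are the same record."""
    selector = selector.strip().rstrip(".")
    domain = domain.strip().rstrip(".")
    if not selector or not domain:
        raise ValueError("selector and domain must be non-empty")
    return f"{selector}._domainkey.{domain}"


def split_txt_strings(record: str, limit: int = 255) -> list:
    """Publish a record the way a zone must: character strings of at most 255 bytes."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]


def join_txt_strings(strings: list) -> str:
    """A resolver returns the strings separately; a verifier concatenates them first."""
    return "".join(strings)


def parse_dkim_record(value: str) -> dict:
    """Parse the RFC 6376 'tag=value; tag=value' list into a dict."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, val = part.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        # Whitespace inside a value (e.g. folded line breaks) is insignificant.
        tags[name] = re.sub(r"\s+", "", val)
    return tags


def check_dkim_record(value: str) -> list:
    """Return the problems found; an empty list means the record looks publishable."""
    try:
        tags = parse_dkim_record(value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if "v" in tags and tags["v"] != "DKIM1":
        problems.append(f"unexpected version {tags['v']!r}")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"this checker only handles k=rsa, got {tags['k']!r}")
    if "p" not in tags:
        problems.append("missing p= tag")
    elif tags["p"] == "":
        problems.append("empty p= means the key is revoked; verifiers will fail every signature")
    elif "k" not in tags or tags["k"] == "rsa":
        try:
            der = base64.b64decode(tags["p"], validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64 (were all TXT strings copied and rejoined?)")
        else:
            if not der or der[0] != 0x30:
                problems.append("p= does not decode to DER SubjectPublicKeyInfo (must start with SEQUENCE 0x30)")
    return problems


# Constructed placeholder key material: DER-shaped bytes, NOT a real RSA key.
FAKE_SPKI = b"\x30\x82\x01\x22" + bytes(range(256)) + bytes(34)
FAKE_P = base64.b64encode(FAKE_SPKI).decode("ascii")
SAMPLE_RECORD = f"v=DKIM1; k=rsa; p={FAKE_P}"
# Over 255 bytes, so a zone file carries it as two quoted strings.
SAMPLE_TXT_STRINGS = split_txt_strings(SAMPLE_RECORD)


def demo() -> dict:
    return {
        "name": dkim_record_name("xeams", "example.com"),
        "strings_published": len(SAMPLE_TXT_STRINGS),
        "joined_ok": check_dkim_record(join_txt_strings(SAMPLE_TXT_STRINGS)),
        # Common mistake: only the first quoted string was pasted into the zone.
        "first_string_only": check_dkim_record(SAMPLE_TXT_STRINGS[0]),
        "revoked": check_dkim_record("v=DKIM1; k=rsa; p="),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Run it against the real answer by pasting the strings the Tools lookup returns into SAMPLE_TXT_STRINGS; an empty problem list for the joined value, together with a non-empty one for the first string alone, is what a correctly published long key looks like.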
DKIM signature is not trusted
The DKIM signature is based on the body of the email. A slight modification of the body AFTER the DKIM signature has been generated will cause problems. Often emails go through intermediate SMTP servers before reaching the recipient's SMTP server. Consider the following example:
Exchange → Xeams → AnotherSmtp → Recipient's SMTP
In the above example, outbound emails are forced to go through AnotherSmtp before reaching their final destination. Assume the goal of this extra SMTP server is to add a custom privacy note at the end of every message. Since the message has now been modified AFTER Xeams created the DKIM signature, the signature becomes invalid and the recipient's server will consider the message a forgery.
Therefore, it is important that the DKIM signature is added by the last SMTP server in your network.
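To see why the appended note breaks verification, here is an added Python example (not from the original page) that computes the bh= body hash as RFC 6376 defines it, with both the "simple" and "relaxed" body canonicalizations, and replays the scenario above: the recipient recomputes the hash over the body it received and compares it with the value the signer recorded. The message body and privacy note are constructed sample text. It also shows what canonicalization does tolerate (extra blank lines at the end, and in relaxed mode trailing spaces), which a plain byte comparison would not.

```python
import base64
import hashlib
import re

# Constructed sample body, as it leaves the signing server.
ORIGINAL_BODY = (
    "Hello,\r\n"
    "\r\n"
    "Please find the quarterly report attached.\r\n"
    "\r\n"
    "Regards,\r\n"
    "Accounting\r\n"
)

# Constructed footer of the kind the extra SMTP hop in the diagram might append.
PRIVACY_NOTE = "\r\n-- \r\nThis message is confidential. Do not forward.\r\n"


def canonicalize_body(body: str, mode: str = "relaxed") -> bytes:
    """Apply RFC 6376 'simple' or 'relaxed' body canonicalization.

    Returns the exact bytes that are hashed for the bh= tag."""
    if mode not in ("simple", "relaxed"):
        raise ValueError("mode must be 'simple' or 'relaxed'")
    # Treat a bare LF like CRLF so locally edited text behaves like wire format.
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        # Collapse runs of SP/TAB to a single SP and drop whitespace at end of line.
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    # Both modes ignore empty lines at the end of the body.
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        # Empty body: simple hashes a lone CRLF, relaxed hashes nothing at all.
        return b"\r\n" if mode == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str, mode: str = "relaxed") -> str:
    """Base64 SHA-256 over the canonicalized body: the DKIM bh= value."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def signature_still_valid(signed_bh: str, delivered_body: str, mode: str = "relaxed") -> bool:
    """The recipient's check: recompute bh over the body it received and compare it
    with the bh= the signer recorded. A mismatch fails DKIM before the RSA
    signature over the headers is even examined."""
    return body_hash(delivered_body, mode) == signed_bh


def demo() -> dict:
    # The signer (Xeams in the page's example) records bh= as the message leaves.
    signed = body_hash(ORIGINAL_BODY)
    return {
        "unmodified": signature_still_valid(signed, ORIGINAL_BODY),
        # Extra blank lines at the end are dropped by canonicalization: still valid.
        "trailing_blank_lines": signature_still_valid(signed, ORIGINAL_BODY + "\r\n\r\n"),
        # Relaxed mode also tolerates trailing spaces added by a relay.
        "trailing_spaces": signature_still_valid(signed, ORIGINAL_BODY.replace("Hello,", "Hello,   ")),
        # A footer appended downstream changes the hashed bytes: DKIM fails.
        "privacy_note_appended": signature_still_valid(signed, ORIGINAL_BODY + PRIVACY_NOTE),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24s} -> {'DKIM pass' if ok else 'DKIM FAIL (body modified)'}")
```

Moving the signer to the last hop, as the page recommends, is the fix; the canonicalization rules only absorb whitespace changes, never added content.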