1, CREATE THE KEYS
This step will take you through creating keys using a seemingly trustworthy online key generator. However, for those of a more nervous disposition about security, who want to be in control of creating such keys without the use of the internet (this involves downloading the OpenSSL software), an alternative method for creating the keys can be found here: http://www.dataenter.com/doc/general_domainkeys.htm - then continue to apply the generated key strings accordingly (from step (2) below).
i, Go to https://d-fault.nl/dkimgenerator
ii, Fill out the form accordingly:
- Domain name of the “From:” header address....: enter your domain (eg, YOURDOMAIN.COM)
- DomainKey Selector (e.g., key1): enter "dkim" (without the quotes. We will be referring to this choice of keyword later)
- Key Length in bits: 1024
- Settings:
Require a domain match: Tick
Add key length note tag: Untick (not necessary)
Escape semicolons: Important Note: if you are using/administering a BIND dns server then the semicolons (';') need to be 'escaped' with a backslash and entered as '\;' - in this case you will need to Tick this setting.
2 keys will be generated on screen. The first one will be the PRIVATE KEY, eg:
-----BEGIN RSA PRIVATE KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8nxXPJLVrZycHRDJgL1l/Euut
3yPAGHS8CIqMUrwn7PmNoNUEYsoMkiBfRTXLTCpzU2+BceZ9CFyR9N3mJhndvgg6
e6JBuVBYyqofAmfDqbuHz7FqF3H6bTdR5l9/5AQM3XFJeerzOO8cPY3VwYnhfUFs
wCU/suTcTK0+uMV1ewIDAQAB
-----END RSA PRIVATE KEY-----
(The block above only illustrates the layout; the actual private key the generator gives you is considerably longer than the public key string in the TXT record below, so don't mix the two up.)
and the second will be incorporated into a TXT record which is for your DNS entry, eg:
dkim._domainkey.YOURDOMAIN.COM IN TXT "v=DKIM1; k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8nxXPJLVrZycHRDJgL1l/Euut3yPAGHS8CIqMUrwn7PmNoNUEYsoMkiBfRTXLTCpzU2+BceZ9CFyR9N3mJhndvgg6e6JBuVBYyqofAmfDqbuHz7FqF3H6bTdR5l9/5AQM3XFJeerzOO8cPY3VwYnhfUFswCU/suTcTK0+uMV1ewIDAQAB"
2, UPDATE YOUR DNS RECORD WITH THE DKIM KEY
Go to your DNS records portal/administration to amend your domain DNS records and add a TXT record under your domain, copying the details exactly as they appear in the generated TXT RECORD:
i, Create a TXT record against your domain in DNS with the following entry:
- key: dkim._domainkey.YOURDOMAIN.COM (as it is shown in the TXT record)
Note: GoDaddy users may need a shorter version - see here for a user's experience.
- Value: Copy the remainder of the TXT record as it appears inside the quotes
eg, v=DKIM1; t=s; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBg...The_Long_String_Of_Text
(ensure the single spaces between parameters are included)
ii, You may now test for the DNS record to see if it has been accepted by using online DNS Query facilities such as this one: http://www.dnswatch.info/.
Enter:
- Hostname or IP: dkim._domainkey.YOURDOMAIN.COM
Type: TXT
The result should look like this:
dkim._domainkey.YOURDOMAIN.COM.
TXT 300
v=DKIM1;t=s;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8nxXPJLVrZycHRDJgL1l/Euut3yPAGHS8CIqMUrwn7PmNoNUEYsoMkiBfRTXLTCpzU2+BceZ9CFyR9N3mJhndvgg6e6JBuVBYyqofAmfDqbuHz7FqF3H6bTdR5l9/5AQM3XFJeerzOO8cPY3VwYnhfUFswCU/suTcTK0+uMV1ewIDAQAB
(note that there is no 'escaped' semicolon in the result - if there is, then you should re-enter your DNS record without the backslashed semicolons, ie recreate your record with the "Escape semicolons" option unticked.)
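The query above only shows that a record exists; it does not tell you whether the record is well-formed or whether the backslashes from the "Escape semicolons" option leaked into the published data. The script below is an added example (not part of this post or of hMailServer) that checks the three forms a resolver may hand the record back in: quoted with spaces between tags, unquoted without spaces (as dnswatch displayed it), and with a literal "\;" that should not be there. It also decodes the p= value far enough to confirm it really is an RSA public key of the length you chose in step 1. It uses only the Python standard library; the sample records are built from the key string shown on this page.

```python
import base64
import re

# DER encoding of the rsaEncryption OID (1.2.840.113549.1.1.1)
RSA_OID = bytes.fromhex("2a864886f70d010101")

# The p= value from this page's example record, joined from its four PEM lines.
PUBKEY_B64 = (
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8nxXPJLVrZycHRDJgL1l/Euut"
    "3yPAGHS8CIqMUrwn7PmNoNUEYsoMkiBfRTXLTCpzU2+BceZ9CFyR9N3mJhndvgg6"
    "e6JBuVBYyqofAmfDqbuHz7FqF3H6bTdR5l9/5AQM3XFJeerzOO8cPY3VwYnhfUFs"
    "wCU/suTcTK0+uMV1ewIDAQAB"
)
# Constructed samples of how a resolver may hand the record back:
RECORD_AS_ENTERED = f'"v=DKIM1; k=rsa; t=s; p={PUBKEY_B64}"'             # quoted, spaces between tags
RECORD_AS_SERVED = f"v=DKIM1;t=s;k=rsa;p={PUBKEY_B64}"                  # as dnswatch displayed it
RECORD_BADLY_ESCAPED = f'"v=DKIM1\\; k=rsa\\; t=s\\; p={PUBKEY_B64}"'   # BIND escape leaked into the data


def _der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def rsa_public_key_params(spki_b64):
    """Decode a p= value (base64 SubjectPublicKeyInfo); return (modulus bits, public exponent)."""
    der = base64.b64decode(spki_b64, validate=True)
    tag, s, _ = _der_tlv(der, 0)
    alg_tag, alg_s, alg_e = _der_tlv(der, s)           # AlgorithmIdentifier { OID, NULL }
    oid_tag, oid_s, oid_e = _der_tlv(der, alg_s)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06) or der[oid_s:oid_e] != RSA_OID:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    bs_tag, bs_s, _ = _der_tlv(der, alg_e)             # BIT STRING holding RSAPublicKey
    if bs_tag != 0x03 or der[bs_s] != 0x00:            # first byte = unused-bit count, must be 0
        raise ValueError("malformed subjectPublicKey BIT STRING")
    seq_tag, seq_s, _ = _der_tlv(der, bs_s + 1)        # SEQUENCE { INTEGER n, INTEGER e }
    n_tag, n_s, n_e = _der_tlv(der, seq_s)
    e_tag, e_s, e_e = _der_tlv(der, n_e)
    if (seq_tag, n_tag, e_tag) != (0x30, 0x02, 0x02):
        raise ValueError("malformed RSAPublicKey")
    modulus = int.from_bytes(der[n_s:n_e], "big")
    exponent = int.from_bytes(der[e_s:e_e], "big")
    return modulus.bit_length(), exponent


def parse_dkim_txt(rdata):
    """Turn TXT rdata into a tag dict.

    Handles one or more quoted strings (a record over 255 characters, e.g. a 2048-bit
    key, is served as several strings that are simply concatenated), the BIND '\\;'
    escape, and values with or without the single spaces between tags.
    """
    strings = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    text = "".join(strings) if strings else rdata
    text = text.replace("\\;", ";")
    tags = {}
    for item in text.split(";"):
        if not item.strip():
            continue
        name, _, value = item.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)   # folding whitespace is not significant
    return tags


def check_dkim_record(rdata, expected_bits=1024):
    """Return a list of problems with a published DKIM TXT record (empty list = looks good)."""
    problems = []
    if "\\;" in rdata:
        # The backslash is zone-file syntax only; a resolver must never see it in the data.
        problems.append("record is served with a literal '\\;' - re-enter it without the escape")
    tags = parse_dkim_txt(rdata)
    if tags.get("v", "DKIM1") != "DKIM1":      # v= is optional, but if present it must be DKIM1
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= must be rsa for an RSA key")
    if "p" not in tags:
        problems.append("p= (public key) is missing")
        return problems
    try:
        bits, exponent = rsa_public_key_params(tags["p"])
    except (ValueError, IndexError) as exc:
        problems.append(f"p= does not decode to an RSA public key: {exc}")
        return problems
    if bits != expected_bits:
        problems.append(f"key is {bits} bits, expected {expected_bits}")
    if exponent != 65537:
        problems.append(f"unusual public exponent {exponent}")
    return problems


if __name__ == "__main__":
    for label, rec in [("entered", RECORD_AS_ENTERED), ("served", RECORD_AS_SERVED),
                       ("escaped", RECORD_BADLY_ESCAPED)]:
        print(label, check_dkim_record(rec) or "OK")
```

To check your own domain, paste the TXT value that the query tool shows you into check_dkim_record() (or feed it the strings a DNS library returns); a non-empty list tells you what to fix before you move on to step 3.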
3, CREATE THE PRIVATE KEY ON YOUR HMAILSERVER
i, Create a blank text file (with Notepad, for example) and paste in the first block (the one between -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----) exactly as it appears on the website:
eg
-----BEGIN RSA PRIVATE KEY-----
(the private key text as generated)
-----END RSA PRIVATE KEY-----
ii, Save this file as "dkim.YOURDOMAIN.COM.pem".
I recommend saving this file in to the DOMAIN folder off the root of your data directory (where the email files are held in sub folders).
eg d:\pathto\HMSdatafolder\YOURDOMAIN.COM\dkim.YOURDOMAIN.COM.pem
This way the domain-specific key will be saved with your data backups, avoiding configuration problems on restore.
4, CONFIGURE HMAILSERVER
i, In Hmailserver admin go to: DOMAINS - 'mydomain.com' - "DKIM Signing"
- Tick 'Enabled'
Private Key File: browse and point to dkim.YOURDOMAIN.COM.pem as saved in step (3ii)
eg, d:\pathto\HMSdatafolder\YOURDOMAIN.COM\dkim.YOURDOMAIN.COM.pem
Selector: "dkim"
Header method: relaxed
Body method: relaxed
Signing algorithm: SHA256
5, TEST
Send an email to an external address that you can receive and view (eg, a Gmail, Yahoo etc address). Upon receiving it, use your portal/email client functions to view the "Message Source" or 'full headers'. Within the headers there should be something like:
dkim-signature: v=1; a=rsa-sha256; d=mydomain.com; s=dkim;
c=relaxed/relaxed; q=dns/txt; h=From:Subject:Date:Message-ID:To:MIME-Version:Content-Type;
bh=pVMggf6ACj7Jh1zg8lMTWup8MzcMJg8v5gp1MijD6II=;
b=d+w4QzQFvsLa7Jt0gUoqI+Eu4X8QudR/HcxtxL0e/oloZWD9K1ZdmOVYEWZVYE3RvfvuosFlZ0DTQvF3Ok17yYEqkqeoyoSmp8BEUYEuRmTYELDrDe1ooYyVBdQHOFZqVMZLqMPgETYEhs1EEy4e3lEorEZ0R51wLSDY1PMbkK25XtxBs
Further down in the headers, where your Hmailserver initially starts the delivery, there should be a 'received' header similar to:
Received: from 127.0.0.1 (EHLO mail.mydomain.com) (123.45.67.89)
by mta1323.mail.ne1.yahoo.com with SMTPS; Wed, 16 Mar 2016 09:13:38 +0000
Authentication-Results: mta1323.mail.ne1.yahoo.com from=MYDOMAIN.COM; domainkeys=neutral (no sig); from=MYDOMAIN.COM; dkim=pass (ok)
If you have the DKIM signature, and you have the DKIM=PASS in the "Authentication-Results" header, then you're done!
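When reading those headers by hand it is easy to look at the wrong tag, so here is an added example (not part of this post or of hMailServer) that pulls the relevant details out of them: it parses the DKIM-Signature tag list, derives the DNS name a receiver will look up (selector._domainkey.domain, which must be the record you created in step 2), checks that the signature carries the settings chosen in step 4 (those settings are assumed here as rsa-sha256, relaxed/relaxed and selector "dkim"), confirms that the From header is among the signed headers (DKIM requires it), and reads the dkim= verdict from an Authentication-Results header. The header values are those shown above; the failing Authentication-Results line is constructed. Note that the "domainkeys=neutral (no sig)" in Yahoo's header refers to the older DomainKeys scheme, not DKIM, and can be ignored.

```python
import re

# Header values as they appeared in the test message shown on this page.
DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; d=mydomain.com; s=dkim; c=relaxed/relaxed; q=dns/txt; "
    "h=From:Subject:Date:Message-ID:To:MIME-Version:Content-Type; "
    "bh=pVMggf6ACj7Jh1zg8lMTWup8MzcMJg8v5gp1MijD6II=; "
    "b=d+w4QzQFvsLa7Jt0gUoqI+Eu4X8QudR/HcxtxL0e/oloZWD9K1ZdmOVYEWZVYE3RvfvuosFlZ0DTQvF3Ok17"
    "yYEqkqeoyoSmp8BEUYEuRmTYELDrDe1ooYyVBdQHOFZqVMZLqMPgETYEhs1EEy4e3lEorEZ0R51wLSDY1PMbkK25XtxBs"
)
AUTH_RESULTS_PASS = ("mta1323.mail.ne1.yahoo.com from=MYDOMAIN.COM; domainkeys=neutral (no sig); "
                     "from=MYDOMAIN.COM; dkim=pass (ok)")
AUTH_RESULTS_FAIL = "mx.example.invalid; dkim=fail (signature did not verify)"   # constructed

# Settings chosen in the hMailServer "DKIM Signing" dialog in step 4 (assumed here).
EXPECTED_SETTINGS = {"a": "rsa-sha256", "c": "relaxed/relaxed", "s": "dkim"}


def parse_tag_list(value):
    """Parse a DKIM-style tag=value list into a dict; folding whitespace inside values is dropped."""
    tags = {}
    for item in value.split(";"):
        if not item.strip():
            continue
        name, _, val = item.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_query_name(sig_tags):
    """The DNS name a verifier looks up for this signature: <selector>._domainkey.<domain>."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"


def signed_headers(sig_tags):
    """The header names listed in h=, in the order they were signed."""
    return [h for h in sig_tags.get("h", "").split(":") if h]


def missing_required_headers(sig_tags):
    """Headers DKIM requires to be signed (From) that are absent from h=."""
    present = {h.lower() for h in signed_headers(sig_tags)}
    return [h for h in ("From",) if h.lower() not in present]


def check_signature_matches_config(sig_tags, expected=EXPECTED_SETTINGS):
    """List the tags where the signature actually sent differs from the configured settings."""
    return [f"{k}={sig_tags.get(k)} (expected {v})"
            for k, v in expected.items() if sig_tags.get(k) != v]


def dkim_result(auth_results_value):
    """The dkim= verdict from an Authentication-Results value ('pass', 'fail', ...), or None."""
    match = re.search(r"\bdkim=([A-Za-z]+)", auth_results_value)
    return match.group(1).lower() if match else None


if __name__ == "__main__":
    sig = parse_tag_list(DKIM_SIGNATURE)
    print("lookup:", dkim_query_name(sig))
    print("signed headers:", signed_headers(sig))
    print("missing required:", missing_required_headers(sig) or "none")
    print("config mismatches:", check_signature_matches_config(sig) or "none")
    print("verdict:", dkim_result(AUTH_RESULTS_PASS))
```

If the lookup name printed here is not the record you published in step 2, or a config mismatch is reported, the fix is in hMailServer's DKIM Signing settings rather than in DNS; a "fail" verdict with everything else matching points back at the key file or the published record.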
Take note: A user once reported that adding a signature (in Hmailserver) was breaking his DKIM validation for http://dkimvalidator.com/ and therefore possibly for some receiving mail servers, whilst it was passing for others (Gmail, Yahoo etc passed the DKIM). It's worth reading his cause and conclusion here: viewtopic.php?p=200485#p200485 to see how to prevent this problem with signatures.
Warning:
I have DKIM set up (as per the above instructions) and receive a "DKIM=PASS" on all tests with online DKIM/email checkers and email providers I try....that is, all EXCEPT Microsoft's Outlook/Hotmail! (surprise surprise). Even when the same email is CC'd to Hotmail and Yahoo addresses (for example), or even when Hotmail accepts it and forwards it on to a Yahoo address, only the Microsoft servers choose to fail and continue to issue 'dkim=fail' (and they are still unable to explain why). Despite this, and probably because of our domain's 'good reputation' and SPF records, it doesn't affect delivery of our emails to their INBOX. But you should be aware and maybe check/test yourself to determine what the results are for your domain when sending to an Outlook/Hotmail address. If you do suffer from Microsoft-run email services JUNKing your emails, then read this article (with direct link) for explanations and possible options: viewtopic.php?p=184321#p184321.
EDIT: MICROSOFT ALSO GIVES A DKIM=PASS: A few days after the initial implementation and results above, I did further tests. Microsoft servers give DKIM=FAIL if the BODY of your text is blank; if the body is not blank (which is normally the case in most emails) then they also gave DKIM=PASS. This was true for both plain text and html/richtext email bodies. (My initial test emails just contained a recipient address and a subject (eg "test 1") and didn't have any body text.) Phew. Weird, but phew!