1, CREATE THE KEYS
This step takes you through creating keys with a seemingly trustworthy online key generator. However, if you are of a more nervous disposition about security and want to stay in control of creating such keys without using the internet (this involves downloading the OpenSSL software), an alternative method for creating the keys can be found here: http://www.dataenter.com/doc/general_domainkeys.htm - then continue to apply the generated key strings accordingly (from step (2) below).
i, Go to https://www.port25.com/support/domainkeysdkim-wizard/
ii, Fill out the form accordingly:
- Domain name of the "From:" header address: enter your domain (eg, YOURDOMAIN.COM)
DomainKey Selector (e.g., key1): enter "dkim" (without the quotes. We will be referring to this choice of key word later)
Key size in bits: 1024
Note: you may choose 2048 bits, but this will result in a longer key. However, many DNS servers will not accept the record length of this key as it will be too long, and it's likely you are unaware of your server's limitation until after you try it. (This happened to me). So I advise entering just 1024 bits to be sure.
iii, Click 'CREATE KEYS'
2 keys will be generated on screen. The first one will be the PUBLIC KEY:
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
2, UPDATE YOUR DNS RECORD WITH THE DKIM KEY
Go to your DNS records portal/administration to amend your domain DNS records and add a TXT record under your domain:
i, Copy the long string of characters that appears between -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- (highlighted in bold above) to your clipboard.
ii, Create a TXT record against your domain in DNS with the following entry:
- key: dkim._domainkey.YOURDOMAIN.COM
Value: v=DKIM1; t=s; k=rsa; p=The_Long_String_Of_Text_From_Your_Clipboard_Above
(ensure the single spaces between parameters are included)
v=DKIM1; t=s; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8nxXPJLVrZycHRDJgL1l/Euut3yPAGHS8CIqMUrwn7PmNoNUEYsoMkiBfRTXLTCpzU2+BceZ9CFyR9N3mJhndvgg6e6JBuVBYyqofAmfDqbuHz7FqF3H6bTdR5l9/5AQM3XFJeerzOO8cPY3VwYnhfUFswCU/suTcTK0+uMV1ewIDAQAB
Important Note: if you are using/administering a BIND DNS server then the semicolons (';') need to be 'escaped' with a backslash and entered as '\;'
eg, v=DKIM1\; t=s\; ....
iii, Save your new record
iv, You may now test for the DNS record to see if it has been accepted by using online DNS Query facilities such as this one: http://www.dnswatch.info/.
- Hostname or IP: dkim._domainkey.YOURDOMAIN.COM
The results should now show an entry similar to
(note that there is no 'escaped' semicolon - if there is, then you should re-enter your DNS record without the backslashed semicolon.)
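As an added check for step 2 (this is my own script, not part of the original post), here is a small Python checker for the TXT value before or after you publish it: it flags the escaped semicolon the step above warns about, the 255-character single-string limit behind the 2048-bit problem mentioned in step 1, and reads the RSA key size straight out of the p= value. The sample record is the one quoted above; the function names are assumptions of this example.

```python
import base64

# DKIM TXT record quoted in step 2 of the post (selector "dkim", 1024-bit RSA key).
SAMPLE_RECORD = "v=DKIM1; t=s; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8nxXPJLVrZycHRDJgL1l/Euut3yPAGHS8CIqMUrwn7PmNoNUEYsoMkiBfRTXLTCpzU2+BceZ9CFyR9N3mJhndvgg6e6JBuVBYyqofAmfDqbuHz7FqF3H6bTdR5l9/5AQM3XFJeerzOO8cPY3VwYnhfUFswCU/suTcTK0+uMV1ewIDAQAB"

def parse_tags(record):  # 'tag=value; tag=value' -> dict, splitting each part on its first '='
    tags = {}
    for part in record.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            tags[name] = value.strip()
    return tags
def _der_len(der, i):  # decode the DER length field at der[i] -> (length, index of content)
    if der[i] < 0x80:
        return der[i], i + 1
    n = der[i] & 0x7F
    return int.from_bytes(der[i + 1:i + 1 + n], "big"), i + 1 + n
def _enter(der, i, tag):  # require DER tag at der[i] -> (content length, index of content)
    if i >= len(der) or der[i] != tag:
        raise ValueError("unexpected DER structure in p=")
    return _der_len(der, i + 1)

def rsa_modulus_bits(spki):
    """Modulus size of a DER SubjectPublicKeyInfo, which is what p= carries base64-encoded."""
    _, i = _enter(spki, 0, 0x30)             # SubjectPublicKeyInfo SEQUENCE
    alg_len, i = _enter(spki, i, 0x30)       # AlgorithmIdentifier, skipped whole
    _, i = _enter(spki, i + alg_len, 0x03)   # subjectPublicKey BIT STRING
    _, i = _enter(spki, i + 1, 0x30)         # +1 skips the unused-bits byte; RSAPublicKey
    mod_len, i = _enter(spki, i, 0x02)       # modulus INTEGER
    return int.from_bytes(spki[i:i + mod_len], "big").bit_length()
def key_bits(record):  # RSA modulus size of the key published in a DKIM record
    return rsa_modulus_bits(base64.b64decode(parse_tags(record)["p"]))

def check_dkim_record(record):
    """Return the problems a verifier would hit; an empty list means the record looks publishable."""
    problems = []
    if "\\;" in record:    # BIND-style escaping leaked into the published value (step 2 iv)
        problems.append("escaped semicolon in published record")
        record = record.replace("\\;", ";")
    if len(record) > 255:  # one TXT string holds at most 255 bytes, so long keys must be split
        problems.append("record longer than 255 characters; publish it as several quoted strings")
    if parse_tags(record).get("v") != "DKIM1":
        problems.append("v= must be DKIM1")
    try:
        bits = key_bits(record)
    except Exception:      # missing p=, bad base64 or malformed DER
        return problems + ["p= is not a base64 RSA public key"]
    if bits < 1024:
        problems.append(f"key too short: {bits} bits")
    return problems
```

Paste the value returned by your DNS lookup into check_dkim_record to confirm it matches what you intended to publish.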
3, CREATE THE PRIVATE KEY ON YOUR HMAILSERVER
i, Create a blank text file (with Notepad, for example) and paste in the second part of the block (the -----PRIVATE KEY----- section) as it appears on the website:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
ii, Save this file as "dkim.YOURDOMAIN.COM.pem".
I recommend saving this file into the DOMAIN folder off the root of your data directory (where the email files are held in sub folders).
This way the domain-specific key will be saved with your data backups, which avoids configuration problems on restore.
4, CONFIGURE HMAILSERVER
i, In Hmailserver admin go to: DOMAINS - 'mydomain.com' - "DKIM Signing"
- Tick 'Enabled'
Private Key File: browse and point to dkim.YOURDOMAIN.COM.pem as saved in step (3ii)
Header method: relaxed
Body method: relaxed
Signing algorithm: SHA256
Send an email to an external address that you can receive and view (eg, a Gmail or Yahoo address). Upon receiving it, use your portal/email client functions to view the "Message Source" or 'full headers'. Within the headers there should be something like:
Authentication-Results: mta1323.mail.ne1.yahoo.com from=MYDOMAIN.COM; domainkeys=neutral (no sig); from=MYDOMAIN.COM; dkim=pass (ok)
Further down in the headers, where your Hmailserver initially starts the delivery, there should be a 'Received' header similar to:
Received: from 127.0.0.1 (EHLO mail.mydomain.com) (18.104.22.168)
by mta1323.mail.ne1.yahoo.com with SMTPS; Wed, 16 Mar 2016 09:13:38 +0000
dkim-signature: v=1; a=rsa-sha256; d=mydomain.com; s=dkim;
c=relaxed/relaxed; q=dns/txt; h=From:Subject:Date:Message-ID:To:MIME-Version:Content-Type;
If you have the DKIM signature, and you have the DKIM=PASS in the "Authentication-Results" header, then you're done!
Take note: a user once reported that adding a signature (in Hmailserver) was breaking his DKIM validation for http://dkimvalidator.com/ and therefore possibly for some receiving mail servers, whilst it was passing for others (Gmail, Yahoo etc passed the DKIM). It's worth reading his cause and conclusion here: viewtopic.php?p=200485#p200485 to see how to prevent this problem with signatures.
I have DKIM set up (as per the above instructions) and receive a "DKIM=PASS" on all tests with online DKIM/email checkers and email providers I try... that is, all EXCEPT Microsoft's Outlook/Hotmail! (surprise surprise). Even when the same email is CC'd to Hotmail and a Yahoo address (for example), or even having Hotmail accept it and forward it on to a Yahoo address, only the Microsoft servers choose to fail and continue to issue 'dkim=fail' (and they are still unable to explain why). Despite this, and probably because of our domain's 'good reputation' and SPF records, it doesn't affect delivery of our emails to their INBOX. But you should be aware and maybe check/test yourself to determine what the results are for your domain when sending to an Outlook/Hotmail address. If you do suffer from Microsoft-run email services JUNKing your emails, then read this article (with direct link) for explanations and possible options: viewtopic.php?p=184321#p184321.
EDIT: MICROSOFT ALSO GIVES A DKIM=PASS: A few days after the initial implementation and results above, I did further tests. Microsoft servers give DKIM=FAIL if the BODY of your text is blank; if the body is not blank (which is normally the case in most emails) then they also gave DKIM=PASS. This was true for both plain text and html/richtext email bodies. (My initial test emails just contained a recipient address and a subject (eg "test 1") and didn't have any body text.) Phew. Weird, but phew!