ZCS Administrator's Guide 8.0.4
Open Source Edition



Using DKIM to Authenticate Email Message
Domain Keys Identified Mail (DKIM) defines a domain-level authentication mechanism that lets your organization take responsibility for transmitting an email message in a way that can be verified by a recipient. Your organization can be the originating sending site or an intermediary. Your organization’s reputation is the basis for evaluating whether to trust the message delivery.
You can add a DKIM digital signature to outgoing email messages, associating the message with a domain name of your organization. You can enable DKIM signing for any number of domains that are being hosted by ZCS. It is not required for all domains to have DKIM signing enabled for the feature to work.
DKIM defines an authentication mechanism for email using
*
*
*
The DKIM signature is added to the email message as a header field. The header information looks like this example.
 
Receivers who successfully validate a DKIM signature can use information about the signer as part of a program to limit spam, spoofing, phishing, or other undesirable behavior.
Configure ZCS for DKIM Signing
DKIM signing of outgoing mail is done at the domain level. To set up DKIM, you run the CLI zmdkimkeyutil to generate the DKIM keys and selector. You then update the DNS server with the selector record, which carries the public key.
1. /opt/zimbra/libexec/zmdkimkeyutil -a -d <example.com>
The public key DNS record that must be added for the domain to your DNS server is displayed. It appears as a DNS TXT record.
Optional. To specify the number of bits for the new key, include -b <####> in the command line. If you omit -b, the default is 1024 bits.
 
The generated DKIM data is stored in the LDAP server as part of the domain LDAP entry.
2.
3.
4. /opt/zimbra/opendkim/sbin/opendkim-testkey -d <example.com> -s <0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB> -x /opt/zimbra/conf/opendkim.conf
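Besides opendkim-testkey, it is worth checking what DNS actually publishes for <selector>._domainkey.<domain> and how large the key is, since the 1024-bit default you get without -b is below the 2048 bits RFC 8301 recommends. The following is an added example, not code from the ZCS guide or from zmdkimkeyutil: it parses a DKIM TXT record (including the quoted-fragment form DNS uses for records longer than 255 bytes), reads the RSA modulus size out of the p= tag, and flags weak or empty keys. All function names and the sample record are constructed for this example.

```python
import base64, re

def parse_dkim_txt(record):
    # Join quoted TXT fragments, split the RFC 6376 tag=value list, drop folding whitespace.
    fragments = re.findall(r'"([^"]*)"', record) or [record]
    tags = {}
    for item in "".join(fragments).split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags

def _der_read(buf, pos):
    # Read one DER tag/length/value at pos; return (tag, value, next_pos).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    # p= holds a SubjectPublicKeyInfo; descend to RSAPublicKey and read INTEGER n.
    _, spki, _ = _der_read(spki_der, 0)     # outer SEQUENCE
    _, _, pos = _der_read(spki, 0)          # skip AlgorithmIdentifier
    _, bitstr, _ = _der_read(spki, pos)     # BIT STRING wrapping RSAPublicKey
    _, rsa_pub, _ = _der_read(bitstr, 1)    # byte 0 is the unused-bits count
    _, modulus, _ = _der_read(rsa_pub, 0)   # INTEGER n (e follows, not needed)
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(record, min_bits=2048):
    # Return (ok, message); a weak or malformed record is reported, not raised.
    tags = parse_dkim_txt(record)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return False, "unsupported version or key type"
    if not tags.get("p"):
        return False, "empty p= (key revoked) or no public key in record"
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError) as exc:
        return False, "p= is not a base64 DER public key: %s" % exc
    if bits < min_bits:
        return False, "RSA key is only %d bits; regenerate with -b %d" % (bits, min_bits)
    return True, "%d-bit RSA key" % bits

# Constructed sample: DER prefix of an RSA SubjectPublicKeyInfo, then a synthetic
# 1024-bit modulus (0x80 followed by zeros) and e=65537. Not a usable key.
_SPKI_1024 = (bytes.fromhex("30819f300d06092a864886f70d010101050003818d00308189028181")
              + b"\x00\x80" + b"\x00" * 127 + bytes.fromhex("0203010001"))
SAMPLE_RECORD = '"v=DKIM1; k=rsa; " "p=%s"' % base64.b64encode(_SPKI_1024).decode()
```

Feed it the TXT record returned by your resolver (for example the joined output of dig TXT <selector>._domainkey.<example.com>); with the constructed sample it reports the key as too weak.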
Update DKIM Data for a Domain
When the DKIM keys are updated, the DNS server must be reloaded with the new TXT record.
Good practice is to leave the previous TXT record in DNS for a period of time so that email messages that were signed with the previous key can still be verified.
1. /opt/zimbra/libexec/zmdkimkeyutil -u -d <example.com>
Optional. To specify the number of bits for the new key, include -b <####> in the command line. If you omit -b, the default is 1024 bits.
2.
3.
4. /opt/zimbra/opendkim/sbin/opendkim-testkey -d <example.com> -s <0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB> -x /opt/zimbra/conf/opendkim.conf
Remove DKIM Signing from ZCS
Removing DKIM signing deletes the DKIM data from LDAP. New email messages are no longer signed for the domain. When you remove DKIM from the domain, good practice is to leave the previous TXT record in DNS for a period of time so that email messages that were signed with the previous key can still be verified.
1. /opt/zimbra/libexec/zmdkimkeyutil -r -d example.com
Retrieve DKIM Data for a Domain
1. /opt/zimbra/libexec/zmdkimkeyutil -q -d example.com
Copyright © 2013 VMware Inc.