How do I configure DKIM signing?

DKIM signing attaches a cryptographic signature to emails, allowing a receiving mail server or spam filter system to check the message has not been tampered with. Used with DMARC it enables verification that an email is from who it said it is from. Jiglu 12.1 and above supports the DKIM signing of email, which is often an easier option than setting up DKIM signing in a mail server.

Basic configuration

Generating the key

The first thing to do is create a key for the signing in PKCS#8 format:

cd /etc/jiglu
openssl genrsa -out dkim.pem 1024
openssl pkcs8 -topk8 -nocrypt -in dkim.pem -outform der -out dkim.der

1024 is a good key length to use as longer keys may cause problems with restrictions in the length of DNS records.

Next, the permissions need to be set so Jiglu can read the DER file and the original PEM  file is not readable by others:

chown root:jiglu dkim.der
chmod 640 dkim.der
chmod 600 dkim.pem

Configuring bootstrap.properties

Now you need to edit the bootstrap.properties file and set the location of the key file:

com.jiglu.mail.outgoing.dkimPrivateKeyFile=/etc/jiglu/dkim.der

You can also adjust the template used for the DKIM-Signature header if you wish. By default this will use the mail domain you configured in the com.jiglu.mail.domain property and a selector of 's1'. A selector is a way of letting different applications or services from the same domain use their own specific keys. This is the default template used:

com.jiglu.mail.outgoing.dkimSignatureTemplate=v=1; s=s1; d=; c=relaxed/relaxed; h=From:Date:Subject:Sender:Message-ID:Content-Type; a=rsa-sha256; bh=; b=;

Configuring the DNS entry

A record needs to be added to the DNS with the public key that recipient systems will use to confirm the signature from the message is valid. To get the corresponding public key from the private key use:

openssl rsa -in dkim.pem -pubout

This will give an output similar to:

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3WxTrecEvtIVvDWttSnFwL+GI
m8PvdJhBjOJNgYha4BKBUuMlJyAJtfQIWwMJlnAXc2D/6AgYVwjfMROM6R03BjRH
9wFQQ6814CGYhNgXO9GKWMmzuvtvEteVk9nLmd8KvirJ5sHkwTTKCm5CZlHBH5zZ
7m1+7wEBY2N328jHQQIDAQAB
-----END PUBLIC KEY-----

Copy the public key between the begin and end lines into a text editor, remove the line breaks inbetween and add the parameters needed for the record. For example, with the above key we would use:

v=DKIM1;g=*;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3WxTrecEvtIVvDWttSnFwL+GIm8PvdJhBjOJNgYha4BKBUuMlJyAJtfQIWwMJlnAXc2D/6AgYVwjfMROM6R03BjRH9wFQQ6814CGYhNgXO9GKWMmzuvtvEteVk9nLmd8KvirJ5sHkwTTKCm5CZlHBH5zZ7m1+7wEBY2N328jHQQIDAQAB;s=email;t=s

This should be all on one line. For a description of the different parameters that can be used see the DKIM specification. Now this needs to be added as a DNS TXT record at a subdomain of the domain used and the selector that was chosen. For example, if you used the default 's1' selector and Jiglu is running on a domain of jiglu.example.com then you would add the record as s1._domainkey.jiglu.example.com. You can now restart the Jiglu server.

Checking everything works

There are several tools available for checking that you have everything set up correctly. DKIM record check will let you check that you have your DNS record set up correctly. If you use Mozilla Thunderbird then the DKIM validator plugin is useful for checking that the signature of messages is correct.

Signing discussion messages from domains under your control

If all your users are from domains under your control then you can configure Jiglu to sign discussion messages with those domains so they can be successfully verified. (For more on the issues of discussion message email see here.)

In the bootstrap.properties configuration file, set the list of domains that users will use. For example, if all your users are from example1.com and example2.com then use:

com.jiglu.mail.outgoing.dkimLocalDomains=example1.com,example2.com

Now for each of those domains, add the same DKIM DNS record as above. For example, if you used the default 's1' selector then for these two domains you would add records as s1._domainkey.jiglu.example1.com and s1._domainkey.jiglu.example2.com. You can now restart the Jiglu server.

Now when a discussion message is received from one of these addresses it will be verified against those domains instead of the Jiglu domain.

Written by Stephen Hebditch. Published on .
4.0.0
Everything you need to know to configure Jiglu to sign messages with DKIM.