Enable DKIM on Your Gateway

You’ll need to repeat the following process for enabling DKIM for each of the email gateways you use for a given domain.

Email gateways in your own infrastructure often appear as Custom Senders on the Diagnostics > Senders page.

If you are hosting your own email gateways sending outbound mail, you will need to take these 4 steps to implement DKIM:

Step #1: Determine Domains

Determine all the domains that are allowed to send outbound mail from the email gateway. The Diagnostics > Domains page (and custom domain groups) can help you identify a comprehensive set of domains.

Step #2: Create Key Pairs

Next you’ll use a tool to create the DKIM public/private key pairing and the policy record. The public key is a key that you will place in your public-facing DNS record along with the DKIM policy record.

The private key is a long key that is installed on the email gateway (MTA/Email sending systems). When you send an outgoing email, the outgoing email gateway adds the DKIM signature.

Several online tools are available to help you create the key pairs. Some of the available online tools for creating key pairs include:

https://port25.com/dkim-wizard/

http://dkimcore.org/tools/keys.html

https://www.dnswatch.info/dkim/create-dns-record

Searching for “DKIM key generator” or “DKIM key wizard” will yield additional results.

Step #3: Publish DNS Records with DKIM information

Create DNS text records that include DKIM information for every domain that is used to send e-mail. These records will be inserted in your public facing DNS record for each sending domain. Note that you will be creating a new record for each domain.

Agari can host the DKIM records for your domains. This still requires that you add nameserver (NS) records to your domain, but with Agari hosting the DKIM records themselves, any changes that you make in DMARC Protection will be published automatically and you will not have to touch your own DNS records again.

Step #4: Enable DKIM Signing on the Gateway

The instructions for enabling DKIM signing will vary depending on your gateway. Here are some pointers to documentation for popular gateway models:

• IronPort: https://www.cisco.com/c/en/us/td/docs/security/ces/user_guide/esa_user_guide/b_ESA_Admin_Guide/b_ESA_Admin_Guide_chapter_010101.html
• Symantec: https://support.symantec.com/en_US/article.HOWTO126432.html
• Postfix: https://petermolnar.net/howto-spf-dkim-dmarc-postfix/