Enable DKIM for Domino
Daniel Nashed – 10 February 2024 19:23:27
- DKIM inbound is supported starting with Domino 12.0.2
- DKIM outbound is supported starting with Domino 12.0.1
Now the first providers are raising the bar for sending mail.
This may be relevant not only for mass mail.
Here is a short write-up on enabling DKIM with RSA and Ed25519 keys.
-- Daniel
Inbound DKIM is just a setting in the configuration document.
Outgoing DKIM requires a signing key. RSA and Ed25519 are supported in parallel. Since not every server supports modern Ed25519 keys, it's a good idea to enable both key types.
For DKIM signing, an RSA 1024 key should be sufficient.
There isn't a UI for enabling DKIM outbound. This isn't complicated, but it requires setting DNS TXT records.
Before you can start creating a key using the Domino server keymgmt commands, make sure you have set up a credential store.
The data in credstore.nsf is encrypted with a NEK, so that key has to exist before the credential store can be created.
Create credstore.nsf key and database
keymgmt create nek credstorekey
keymgmt create credstore credstorekey
Create signing keys
keymgmt create DKIM nashcom.de ed20240210 ed25519
keymgmt create DKIM nashcom.de rsa20240210 rsa 1024
Export keys
Next export the public key info into a text file.
keymgmt export DKIM DNS nashcom.de ed20240210 nashcom_de_ed20240210.txt
keymgmt export DKIM DNS nashcom.de rsa20240210 nashcom_de_rsa20240210.txt
Create DNS text records
The text files contain the content of the DNS TXT record, which you use to create the DNS TXT record at your provider.
The name of the DNS TXT record is the selector plus "._domainkey." followed by the domain, as shown in the following examples.
The TXT file does not contain the quotes, which should be part of the content. Whether you have to add them depends on the DNS TXT GUI of your provider.
Currently the text file contains a NUL character, which may show up in some editors such as vi as a ^@.
The content ends after the final semicolon.
host -t txt ed20240210._domainkey.nashcom.de
ed20240210._domainkey.nashcom.de descriptive text "v=DKIM1; k=ed25519; p=eJoyGyVtGTJOgdmqOvomT+cktetdLShd3ZmoG0oU/2g=;"
host -t txt rsa20240210._domainkey.nashcom.de
rsa20240210._domainkey.nashcom.de descriptive text "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCs/Fs2ZrnS+i247pZgJszL9epUbapmZ4z3QEcLVoGNkPs6Ci8/XKqL5u0mvOZa0RY2I8NOloN71fVZtulL664rTUNfFd4p0PfwDGVLDKoDaZt5c/fE0Wu8uRbp77yAMpewqj9XrgJ5zERa8vi+QKHrF3ccugEVAd3Ofq5kaUGXiwIDAQAB;"
You have to make sure the DNS records are in place and have propagated.
This is also important when you update your DKIM keys.
The selector is used when signing the outgoing mail.
The receiving server uses the selector to look up the public key.
Therefore the new signing key must already be in place: the order is always to create the new keys first and wait until they have propagated in DNS.
Enable DKIM outbound
Once the DNS TXT records are in place, enable or update your configuration.
One or more active selectors are configured via notes.ini:
set config DKIM_KEY_nashcom.de=ed20240210,rsa20240210
In the next step enable DKIM signing
set config RouterDKIMSigning=1
And finally restart the router task to enable DKIM outbound signing
restart task router
Verify DKIM outbound
Before enabling DKIM, there are a couple of tools you can use to verify that your DNS TXT entries are OK.
One of the tools to check your configuration is https://mxtoolbox.com/dkim.aspx
A final test is to send a mail to another mail server with inbound DKIM enabled.
Here is the authentication-results header for a mail received:
Authentication-Results: lab.dnug.eu 1;
spf=pass smtp.mailfrom=xyz@nashcom.de (sender IP 157.90.30.24);
dkim=pass header.s=ed20240210 header.d=nashcom.de;
dkim=pass header.s=rsa20240210 header.d=nashcom.de
Finally, here is a screen print of the keys in credstore.nsf.