Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

 
alt

Daniel Nashed

 

Enable DKIM for Domino

Daniel Nashed  10 February 2024 19:23:27

Enable DKIM for Domino


- DKIM inbound is supported starting with Domino 12.0.1

- DKIM outbound is supported starting with Domino 12.0.2


Now the first providers raise the bar for sending mails.

This might not only be relevant for mass mail.


Here is a short write up enabling DKIM for RSA and Ed25519 keys.


-- Daniel



Inbound DKIM is just a setting in the configuration document.

Outgoing DKIM requires a signing key. RSA and Ed25519 are supported in parallel. Since not every server supports modern Ed25519 keys, it's a good idea to enable both key types.


For DKIM signing a RSA 1024 key should be sufficient.

There isn't a UI. For enabling DKIM output. This isn't complicated, but requires to set DNS TXT records.


Before you can start creating a key using the Domino server keymgmt commands, make sure you have setup a credential store.

The NEK key to encrypt the data in the credstore.nsf require a key.



Create credstore.nsf key and database


keymgmt create nek nashcom

keymgmt create credstore nashcom



Create signing keys


keymgmt create DKIM nashcom.de ed20240210 ed25519

keymgmt create DKIM nashcom.de rsa20240210 rsa 1024



Export keys


Next export the public key info into a text file.


keymgmt export DKIM DNS nashcom.de ed20240210 nashcom_de_ed20240210.txt

keymgmt export DKIM DNS nashcom.de rsa20240210 nashcom_de_rsa20240210.txt



Create DNS text records


The text files contain the DNS TXT record, which you use to create a DNS TXT record.


The name of the DNX TXT record is the selector puls "._domainkey." followed by the domain like shown in the following examples.


host -t txt ed20240210._domainkey.nashcom.de

v=DKIM1; k=ed25519; p=eJoyGyVtGTJOgdmqOvomT+cktetdLShd3ZmoG0oU/2g=;



host -t txt rsa20240210._domainkey.nashcom.de

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCs/Fs2ZrnS+i247pZgJszL9epUbapmZ4z3QEcLVoGNkPs6Ci8/XKqL5u0mvOZa0RY2I8NOloN71fVZtulL664rTUNfFd4p0PfwDGVLDKoDaZt5c/fE0Wu8uRbp77yAMpewqj9XrgJ5zERa8vi+QKHrF3ccugEVAd3Ofq5kaUGXiwIDAQAB;



You have to make sure the DNS records are in place and are populated.

This is also important when you update your DKIM keys.


The selector is used when signing the outgoing mail.

The receiving server will use the selector to lookup the public key.


Therefore the new signing key must be already in place and the oder is always to create new keys first and wait until they are propagated in DNS.



Enable DKIM outbout


Once DNS TXT records in place, enable or update your configuration.

One ore more active selectors are configured via notes.ini


set config DKIM_KEY_nashcom.de=ed20240210,rsa20240210


In the next step enable DKIM signing


set config RouterDKIMSigning=1


And finally restart the router task to enable DKIM outbound signing


restart task router



Verify DKIM outbound


Before enabling DKIM, there are a couple of tools you could use to verify your DNS TXT entries are OK.

One of the tools to check your configuration is
https://mxtoolbox.com/dkim.aspx

A final test is to send a mail to another mail server with inbound DKIM enabled.

Here is the authentication-results header for a mail received:


Authentication-Results: lab.dnug.eu 1;

spf=pass smtp.mailfrom=xyz@nashcom.de (sender IP 157.90.30.24);

dkim=pass header.s=ed20240210 header.d=nashcom.de;

dkim=pass header.s=rsa20240210 header.d=nashcom.de



Finally here is a screen print of the keys in credstore.nsf


Image:Enable DKIM  for Domino
Comments

1Thorsten Ebers  11.02.2024 19:59:38  Enable DKIM for Domino

Hi Daniel, why export the private key ? is it not the public key ?

br Thorsten

2Daniel Nashed  12.02.2024 9:11:40  Enable DKIM for Domino

@Thorsten, ooops good catch. Written too fast ..

Of course this is the public key info.. Thanks! Corrected

Links

    Archives


    • [HCL Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]