Enable DKIM for Domino
Daniel Nashed – 10 February 2024 19:23:27
- DKIM inbound is supported starting with Domino 12.0.1
- DKIM outbound is supported starting with Domino 12.0.2
The first providers are now raising the bar for sending mail.
This might be relevant not only for mass mail.
Here is a short write-up on enabling DKIM with RSA and Ed25519 keys.
-- Daniel
Inbound DKIM is just a setting in the configuration document.
Outbound DKIM requires a signing key. RSA and Ed25519 are supported in parallel. Since not every receiving server supports modern Ed25519 keys, it's a good idea to enable both key types.
For DKIM signing, an RSA 1024 key should be sufficient.
There is no UI for enabling outbound DKIM. It isn't complicated, but it requires setting DNS TXT records.
Before you can create a key using the Domino server keymgmt commands, make sure you have set up a credential store.
The data in credstore.nsf is encrypted with a NEK, so the NEK has to be created first.
Create credstore.nsf key and database
keymgmt create nek nashcom
keymgmt create credstore nashcom
Create signing keys
keymgmt create DKIM nashcom.de ed20240210 ed25519
keymgmt create DKIM nashcom.de rsa20240210 rsa 1024
Export keys
Next, export the public key info into a text file.
keymgmt export DKIM DNS nashcom.de ed20240210 nashcom_de_ed20240210.txt
keymgmt export DKIM DNS nashcom.de rsa20240210 nashcom_de_rsa20240210.txt
Create DNS text records
Each text file contains the value of the DNS TXT record you need to create.
The name of the DNS TXT record is the selector plus "._domainkey." followed by the domain, as shown in the following examples.
host -t txt ed20240210._domainkey.nashcom.de
v=DKIM1; k=ed25519; p=eJoyGyVtGTJOgdmqOvomT+cktetdLShd3ZmoG0oU/2g=;
host -t txt rsa20240210._domainkey.nashcom.de
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCs/Fs2ZrnS+i247pZgJszL9epUbapmZ4z3QEcLVoGNkPs6Ci8/XKqL5u0mvOZa0RY2I8NOloN71fVZtulL664rTUNfFd4p0PfwDGVLDKoDaZt5c/fE0Wu8uRbp77yAMpewqj9XrgJ5zERa8vi+QKHrF3ccugEVAd3Ofq5kaUGXiwIDAQAB;
Make sure the DNS records are in place and have propagated before you enable signing.
This is also important when you rotate your DKIM keys.
The selector is written into the signature of outgoing mail.
The receiving server uses the selector to look up the public key.
Therefore the new signing key must already be published, and the order is always to create the new keys first and wait until they have propagated in DNS before using them for signing.
Enable DKIM outbound
Once the DNS TXT records are in place, enable or update your configuration.
One or more active selectors are configured via notes.ini:
set config DKIM_KEY_nashcom.de=ed20240210,rsa20240210
In the next step, enable DKIM signing:
set config RouterDKIMSigning=1
And finally, restart the router task to enable DKIM outbound signing:
restart task router
Verify DKIM outbound
Before enabling DKIM signing, there are a couple of tools you can use to verify that your DNS TXT entries are OK.
One of the tools to check your configuration is https://mxtoolbox.com/dkim.aspx
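As an offline pre-flight check for the DNS step above (an added example, not code from this post or from Domino): a small Python script that parses a published DKIM TXT record, decodes the p= tag and reports the key type and size, so you can confirm that a selector resolves to a usable key of the expected type before pointing DKIM_KEY_<domain> at it. The two record values are the ones printed by host above, embedded here so that the script runs without a DNS lookup.

```python
import base64
import re

# Published TXT values for the two selectors in this post (copied from the page),
# embedded so the check runs offline; in practice they come from a DNS TXT lookup.
RECORDS = {
    "ed20240210._domainkey.nashcom.de": "v=DKIM1; k=ed25519; p=eJoyGyVtGTJOgdmqOvomT+cktetdLShd3ZmoG0oU/2g=;",
    "rsa20240210._domainkey.nashcom.de": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCs/Fs2ZrnS+i247pZgJszL9epUbapmZ4z3QEcLVoGNkPs6Ci8/XKqL5u0mvOZa0RY2I8NOloN71fVZtulL664rTUNfFd4p0PfwDGVLDKoDaZt5c/fE0Wu8uRbp77yAMpewqj9XrgJ5zERa8vi+QKHrF3ccugEVAd3Ofq5kaUGXiwIDAQAB;",
}

def parse_tags(txt):
    """Split a DKIM tag=value list (RFC 6376, 3.2) into a dict; whitespace in values is dropped."""
    tags = {}
    for part in txt.split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def _der_len(buf, i):
    """Decode the DER length at buf[i]; return (length, offset of the first content byte)."""
    n = buf[i]
    if n < 0x80:
        return n, i + 1
    count = n & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + count], "big"), i + 1 + count

def rsa_modulus_bits(spki):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and return the modulus size."""
    _, i = _der_len(spki, 1)            # outer SEQUENCE (tag at offset 0)
    alg_len, i = _der_len(spki, i + 1)  # AlgorithmIdentifier SEQUENCE, skipped as a whole
    i += alg_len
    _, i = _der_len(spki, i + 1)        # BIT STRING (0x03) that wraps RSAPublicKey
    _, i = _der_len(spki, i + 2)        # skip the unused-bits byte, then RSAPublicKey SEQUENCE
    mod_len, i = _der_len(spki, i + 1)  # INTEGER modulus (0x02); the exponent follows, not needed
    return int.from_bytes(spki[i:i + mod_len], "big").bit_length()

def check_record(txt):
    """Return (key type, key bits) for one record, or raise ValueError if a signer must not use it."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unexpected v= tag")
    if not tags.get("p"):
        raise ValueError("empty p= tag: the key is revoked")
    key = base64.b64decode(tags["p"], validate=True)
    ktype = tags.get("k", "rsa")
    if ktype == "ed25519" and len(key) == 32:
        return ktype, 256
    if ktype == "rsa":
        return ktype, rsa_modulus_bits(key)
    raise ValueError(f"unsupported or malformed key: k={ktype}, {len(key)} bytes")
```

Run check_record on the output of host -t txt for each selector listed in DKIM_KEY_<domain>; an empty p= (revoked key) or a wrong key type is exactly the mismatch a receiving server would report as dkim=fail.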
A final test is to send a mail to another mail server with inbound DKIM enabled.
Here is the Authentication-Results header of a mail received there:
Authentication-Results: lab.dnug.eu 1;
spf=pass smtp.mailfrom=xyz@nashcom.de (sender IP 157.90.30.24);
dkim=pass header.s=ed20240210 header.d=nashcom.de;
dkim=pass header.s=rsa20240210 header.d=nashcom.de
Finally, here is a screenshot of the keys in credstore.nsf
- Comments [5]
1. Thorsten Ebers 11.02.2024 19:59:38 Enable DKIM for Domino
Hi Daniel, why export the private key? Is it not the public key?
br Thorsten
2. Daniel Nashed 12.02.2024 9:11:40 Enable DKIM for Domino
@Thorsten, ooops good catch. Written too fast ..
Of course this is the public key info.. Thanks! Corrected
3. Anja 26.02.2024 7:42:13 DKIM for Domino with Lets encrypt
Hi Daniel,
Many thanks for your detailed explanation. However, it is not yet clear to me if I need to manually update the DNS each time our Let’s Encrypt certificate is updated.
We configured the certificate updates in the certstore.nsf and added the authorization token of our DNS provider (Cloudflare) there also. Now I would expect that Domino would update the DKIM key on the server and in the DNS automatically after updating the Let’s Encrypt certificate, but this seems not to happen.
After the initial DKIM configuration everything was working correctly, and now mxtoolbox tells me that the DKIM header is missing and the servers (cluster) have multiple error messages in the log about wrong keys etc.
How can I fix this? Do I always need to manually follow the whole process described in your post again after the Let’s Encrypt certificate is automatically updated?
Sorry for this long comment but I am somehow lost :-(
Anja
4. Daniel Nashed 26.02.2024 14:24:08 DKIM for Domino with Lets encrypt
Hi Anja,
DKIM keys and TLS credentials for a Domino server for HTTPS, SMTPS etc. are completely different animals.
TLS Credentials are a private key and a certificate + chain.
DKIM keys are private keys on your end and public keys published to a DNS record.
By coincidence, the ACME protocol also uses DNS TXT records for confirming DNS-01 challenges.
Great that the Cloudflare integration works for you!
-- Daniel
5. Ralf Kühnbaum-Grashorn 11.03.2024 16:47:46 Enable DKIM for Domino
Hi Daniel,
what about DKIM alignment for mail-in databases sending with email addresses with different domains?
Since:
In order for an email to be considered DKIM aligned, the authenticated signing domain of at least one of the DKIM keys in the email headers must match the user-visible From address of the email (also known as the RFC5322.From).
Obviously Domino does not align to the FROM field but rather to the SENDER field, containing the Internet address of the sending Notes user. The DKIM key of this domain is used instead of the address in the FROM field (which is the only one that matters).
Any idea to get this running? I read the HCL documentation up and down. It succeeds with alternate FROM addresses within subdomains of the Internet address domain, but not with totally different ones (differing in the domain part of the address, right-hand of the @ sign).
Thanks for your wonderful, inspiring and helpful blog. As a relative newbie in the Domino world it helped me get around the occurring stumbling blocks.
Regards
Ralf