Saturday , April 4 2020

Implementing DKIM in IronPort

Lets see how to Implement DKIM Signing using IronPort. You need to enable signing for all domains. In my case i had to do it one by one. So that I can have smooth implementation of DKIM and DMARC

I have a lot of business units with a lot of domains. We really don’t want to have different signing keys for each and we want to share the keys with the primary domain. Other wise you can keep creating signing keys and assign them on each domain . Still its going to work the same.To Share the same domain keys you need to create a CNAME of every other domain to the primary domain.

see Implementing SPF DKIM DMARC BIMI Records for more details. Lets see how to generate other records before getting into the article.

Mail Policies – Signing Keys
Click Add Key
Using 1024 Bit key length

Submit and Commit. It will not affect anything as we haven’t created signing profile yet.

image

Go to mail Policies – Signing Profiles (Don’t commit anything as it may bring your mail flow down if your Domain Key (DKIM) dns is not propagated yet it happens when your RELAYED connector signing is Turned ON already)
In the Domain Signing Profiles section, click Add Profile

Make sure

  • DKIM Signing of System Generate Messages – ON
  • Use From header for DKIM Signing – ON
image

Enter a name for the signing profile
Select DKIM as the Domain Key Type
Enter the domain name
Use s1 as the selector (Always use selectors good for key rotation)
Select relaxed for the header canonicalization (This allows for variations in whitespace)
Select relaxed for the body canonicalization (This allows for variations in whitespace)
Select the signing key
Header to Sign – Standard . This configures the gateway to only sign the
following headers, so that DKIM will still pass when other mail systems add other, non-standard
headers in transit (e.g. debugging headers)

Specify Whole Body Implied for body signing
Uncheck all tags to include in the signature
Leave the users field blank
Click Submit

image

Now for the primary domain. My TXT Record shows like below.

s1._domainkey.azure365pro.com TXT v=DKIM1; k=rsa; p=MIGfMAGGCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9ymGGGGf4tkKeTYO3OakAdgR94QcuvYhFqIvC7qngxG32c71dX9kdGWGGGG0d7zfL0ifFdhtCsnhdokOv5PLLTQYl3cU0cwFSMP1iv+7SJAxXhD/xNs1Yd/VWm6vgO7GnGjxQ0xFFicj6D8+2CEcONkZm0mWwokSBZ5/b2cFBwIDAQAB

For my other domains pointing to root domain –

 s1._domainkey.careexchange.in CNAME s1._domainkey.azure365pro.com 
image

Create a Signing Profile

DKIM Signing of System Generated Messages: ON

Use From Header for DKIM Signing: ON

image

I have always leave the DNS records created for 1 to 2 days and start signing the domains on the live environment.

Click on Test to verify – Published public key matches domain profile.

image

Enable signing for outgoing mail ( It will sign only for the domains configured in the signing profiles other domains will stay without signing(unaffected))

1. Go to Mail Policies> Mail Flow Policies
2. Click on the RELAYED (Outgoing) mail flow policy (or create it if it does not exist)
3. In the Security Features section, set Domain Keys/DKIM Signing to On
4. Click Submit

image

Enable signing for bounce and delay messages

1. Go to Network> Bounce Profiles
2. Edit the bounce profile associated with the public listener where you will send signed outbound
messages (e.g. Default)
3. Set Enable Use Domain Key Signing for Bounce and Delay Messages to Yes
4. Click Submit

image

About Satheshwaran Manoharan

Satheshwaran Manoharan is an Microsoft Office Server and Services MVP , Publisher of Azure365pro.com. Specialized in Office365 / Microsoft Exchange / Virtualization , Sathesh is an Messaging Expert supporting/Designing/Deploying many medium size businesses to large enterprises when it comes to Corporate messaging and Virtualization Infrastructure

Check Also

Some Mails Getting Converted to Chinese Characters

Some Emails in Outlook 2016 will Convert to Chinese Characters after reading some after archiving …

Leave a Reply

Your email address will not be published.