37 C
Monday, July 22, 2024

Implementing DKIM in IronPort

Lets see how to Implement DKIM Signing using IronPort. You need to enable signing for all domains. In my case i had to do it one by one. So that I can have smooth implementation of DKIM and DMARC

I have a lot of business units with a lot of domains. We really don’t want to have different signing keys for each and we want to share the keys with the primary domain. Other wise you can keep creating signing keys and assign them on each domain . Still its going to work the same.To Share the same domain keys you need to create a CNAME of every other domain to the primary domain.

see Implementing SPF DKIM DMARC BIMI Records for more details. Lets see how to generate other records before getting into the article.

Mail Policies – Signing Keys
Click Add Key
Using 1024 Bit key length

Submit and Commit. It will not affect anything as we haven’t created signing profile yet.


Go to mail Policies – Signing Profiles (Don’t commit anything as it may bring your mail flow down if your Domain Key (DKIM) dns is not propagated yet it happens when your RELAYED connector signing is Turned ON already)
In the Domain Signing Profiles section, click Add Profile

Make sure

  • DKIM Signing of System Generate Messages – ON
  • Use From header for DKIM Signing – ON

Enter a name for the signing profile
Select DKIM as the Domain Key Type
Enter the domain name
Use s1 as the selector (Always use selectors good for key rotation)
Select relaxed for the header canonicalization (This allows for variations in whitespace)
Select relaxed for the body canonicalization (This allows for variations in whitespace)
Select the signing key
Header to Sign – Standard . This configures the gateway to only sign the
following headers, so that DKIM will still pass when other mail systems add other, non-standard
headers in transit (e.g. debugging headers)

Specify Whole Body Implied for body signing
Uncheck all tags to include in the signature
Leave the users field blank
Click Submit


Now for the primary domain. My TXT Record shows like below.

s1._domainkey.azure365pro.com TXT v=DKIM1; k=rsa; p=MIGfMAGGCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9ymGGGGf4tkKeTYO3OakAdgR94QcuvYhFqIvC7qngxG32c71dX9kdGWGGGG0d7zfL0ifFdhtCsnhdokOv5PLLTQYl3cU0cwFSMP1iv+7SJAxXhD/xNs1Yd/VWm6vgO7GnGjxQ0xFFicj6D8+2CEcONkZm0mWwokSBZ5/b2cFBwIDAQAB

For my other domains pointing to root domain –

 s1._domainkey.careexchange.in CNAME s1._domainkey.azure365pro.com 

Create a Signing Profile

DKIM Signing of System Generated Messages: ON

Use From Header for DKIM Signing: ON


I have always leave the DNS records created for 1 to 2 days and start signing the domains on the live environment.

Click on Test to verify – Published public key matches domain profile.


Enable signing for outgoing mail ( It will sign only for the domains configured in the signing profiles other domains will stay without signing(unaffected))

1. Go to Mail Policies> Mail Flow Policies
2. Click on the RELAYED (Outgoing) mail flow policy (or create it if it does not exist)
3. In the Security Features section, set Domain Keys/DKIM Signing to On
4. Click Submit


Enable signing for bounce and delay messages

1. Go to Network> Bounce Profiles
2. Edit the bounce profile associated with the public listener where you will send signed outbound
messages (e.g. Default)
3. Set Enable Use Domain Key Signing for Bounce and Delay Messages to Yes
4. Click Submit

Satheshwaran Manoharan
Satheshwaran Manoharanhttps://www.azure365pro.com
Award-winning Technology Leader with a wealth of experience running large teams and diversified industry exposure in cloud computing. From shipping lines to rolling stocks.In-depth expertise in driving cloud adoption strategies and modernizing systems to cloud native. Specialized in Microsoft Cloud, DevOps, and Microsoft 365 Stack and conducted numerous successful projects worldwide. Also, Acting as a Technical Advisor for various start-ups.

Related Articles


Please enter your comment!
Please enter your name here

× How can I help you?