Lets see how to Implement DKIM Signing using IronPort. You need to enable signing for all domains. In my case i had to do it one by one. So that I can have smooth implementation of DKIM and DMARC

I have a lot of business units with a lot of domains. We really don’t want to have different signing keys for each and we want to share the keys with the primary domain. Other wise you can keep creating signing keys and assign them on each domain . Still its going to work the same.To Share the same domain keys you need to create a CNAME of every other domain to the primary domain.

see Implementing SPF DKIM DMARC BIMI Records for more details. Lets see how to generate other records before getting into the article.

Mail Policies – Signing Keys
Click Add Key
Using 1024 Bit key length

Submit and Commit. It will not affect anything as we haven’t created signing profile yet.

Go to mail Policies – Signing Profiles (Don’t commit anything as it may bring your mail flow down if your Domain Key (DKIM) dns is not propagated yet it happens when your RELAYED connector signing is Turned ON already)
In the Domain Signing Profiles section, click Add Profile

Make sure

• DKIM Signing of System Generate Messages – ON
• Use From header for DKIM Signing – ON

Enter a name for the signing profile
Select DKIM as the Domain Key Type
Enter the domain name
Use s1 as the selector (Always use selectors good for key rotation)
Select relaxed for the header canonicalization (This allows for variations in whitespace)
Select relaxed for the body canonicalization (This allows for variations in whitespace)
Select the signing key
Header to Sign – Standard . This configures the gateway to only sign the
following headers, so that DKIM will still pass when other mail systems add other, non-standard
headers in transit (e.g. debugging headers)

Specify Whole Body Implied for body signing
Uncheck all tags to include in the signature
Leave the users field blank
Click Submit

Now for the primary domain. My TXT Record shows like below.

s1._domainkey.azure365pro.com TXT v=DKIM1; k=rsa; p=MIGfMAGGCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9ymGGGGf4tkKeTYO3OakAdgR94QcuvYhFqIvC7qngxG32c71dX9kdGWGGGG0d7zfL0ifFdhtCsnhdokOv5PLLTQYl3cU0cwFSMP1iv+7SJAxXhD/xNs1Yd/VWm6vgO7GnGjxQ0xFFicj6D8+2CEcONkZm0mWwokSBZ5/b2cFBwIDAQAB

For my other domains pointing to root domain –

 s1._domainkey.careexchange.in CNAME s1._domainkey.azure365pro.com 

Create a Signing Profile

DKIM Signing of System Generated Messages: ON

Use From Header for DKIM Signing: ON

I have always leave the DNS records created for 1 to 2 days and start signing the domains on the live environment.

Click on Test to verify – Published public key matches domain profile.

Enable signing for outgoing mail ( It will sign only for the domains configured in the signing profiles other domains will stay without signing(unaffected))

1. Go to Mail Policies> Mail Flow Policies
2. Click on the RELAYED (Outgoing) mail flow policy (or create it if it does not exist)
3. In the Security Features section, set Domain Keys/DKIM Signing to On
4. Click Submit

Enable signing for bounce and delay messages

1. Go to Network> Bounce Profiles
2. Edit the bounce profile associated with the public listener where you will send signed outbound
messages (e.g. Default)
3. Set Enable Use Domain Key Signing for Bounce and Delay Messages to Yes
4. Click Submit

Login to Putty _ Run Version

Get the serial numbers and Add Licenses if its not added in the manage licenes console.

Choose the Appliance which you want to migrate and click on licenses _ move licenses _ Share Licenses _ Get activation Code

Choose Product _ Iron Port Product – SW Bundles

Enter the last part of the serial number and choose destination appliance type Virtual

Leave the target appliance number empty and enter the email address and Click on request code.

Choose  licenses _ move licenses _ Share Licenses _ Use activation Code _ Enter the received activation code.

Click on Get License _

Once you receive the license . Download the same version of the virtual appliance and deploy the OVF Template with Thin Provision in my case.

there are different variety of appliances based on sizes . you can choose the appliance based on the user base. it should not affect your license .as your license is on user and feature based and not on the appliance sizing.

I had to download 11.0.3 as it was C170 Appliance.

Default

username admin

password  ironport

run interfaceconfig to get the ips configured

Configure IPs

Once interface is configured you putty to it using default cred and run loadlicense copy the license from the xml file you received.

Remove the appliance from the cluster using clusterconfig _ removemachine

and then take the copy of config file

Login to the existing hardware appliance _ system configuration _ Download the configuration in plain text

Take a copy of Hardware Config File  – 2 Network

Take a copy of Virtual Config File – 3 Network

Copy pasted this part and replaced from hardware configure file and imported to the virtual appliance.

Trying to upgrade and make it to the same version of the cluster.

Error:  Failure downloading upgrade list: received invalid update manifest response
Check where the server is pointing to for pulling the list of updates:

Run the following commands via the CLI:
updateconfig
dynamichost
update-manifests.sco.cisco.com:443
commit

While joining back to cluster

logconfig _ hostkeyconfig _ delete the keys Try again.

Do the same or the all the physical Iron port appliances

Do the same for Centralized management appliance if your using the same IP and Name and click on submit to verify and add the appliances again. if you wish to upgrade the virtual appliances you need to remove the hardware appliances from the cluster as the virtual appliances can update to the latest version but not the old hardware (All versions need to be same in ironport cluster)