How To Configure Zimbra DKIM to Sign Outgoing Emails?

DKIM, or DomainKeys Identified Mail, is an email authentication method that tries to identify email spoofing attempts (creation of email messages with a forged sender address). DKIM enables you, as the receiver of an email, to verify that a message claiming to be from a specific domain is actually authorized by the owner of that domain. This is done with a digital signature, tied to a domain name, that is attached to each sent email. The receiver verifies the signature by looking up the sender’s public key published in the DNS.

In Zimbra, DKIM can be used both to check incoming emails and to sign outgoing emails. This guide shows you how to configure Zimbra to sign outgoing emails using DKIM.

How to Configure DKIM for Signing Outgoing Emails

Configuring DKIM for signing outgoing emails will increase the reputation of your emails, since the receiving server is able to verify them against your DKIM record. In this section, we configure OpenDKIM to sign outgoing emails.

To set up DKIM for signing outgoing email, you first need to obtain the DKIM data and then add it to your DNS.

1. Obtain your DKIM data

If your domain does not currently have DKIM enabled, you can add DKIM data with

/opt/zimbra/libexec/zmdkimkeyutil -a -d example.com

If your domain currently has DKIM enabled, you can update DKIM data with

DKIM Data added to LDAP for domain example.com with selector 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB
 Public key to enter into DNS:
 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB._domainkey IN TXT "v=DKIM1;k=rsa;
 p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDY5CBg15nZ2vYnRmrNub6Jn6ghQ2DXQbQgOJ/E5IGziUYEuE2OnxkBm1h3jived21uHjpNy0naOZjLj0xLyyjclVy1chrhSbsGAhe8HLXUsdXyfRvNTq8NWLsUnMEsoomtJCJ
 /6LYWYU1whOQ9oKZVAwWHSovAWZpByqNMZmFg7QIDAQAB" ; ----- DKIM 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB for example.com

You will need the following data:

  • The Selector which is the string before ._domainkey, in my case 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB,
  • The Version which is indicated with v= in my case v=DKIM1,
  • The Key type which is indicated with k= in my case k=rsa,
  • The Public key which is indicated with p= in my case p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDY5CBg15nZ2vYnRmrNub6Jn6ghQ2DXQbQgOJ/E5IGziUYEuE2OnxkBm1h3jived21uHjpNy0naOZjLj0xLyyjclVy1chrhSbsGAhe8HLXUsdXyfRvNTq8NWLsUnMEsoomtJCJ/6LYWYU1whOQ9oKZVAwWHSovAWZpByqNMZmFg7QIDAQAB

2. Add your DKIM data to the DNS

  • Access your DNS provider, for example, GoDaddy, Network Solutions, etc.
  • Open the DNS management page (it may be called something like name server management).
  • Add a new TXT entry.
  • Set the Record Type to TXT.
  • Insert your selector with ._domainkey like yourSelector._domainkey in the Hostname field.
  • Insert your version, key type, and public key separated by ; in the form of v=...;k=...;p=... in the TXT Value field.
  • Assign the Time to Live (TTL), for example 3600s.
  • Save the entry.
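
The line-wrapped key in the zmdkimkeyutil output is easy to paste into the TXT Value field with a stray space or a missing tail, which makes the published record unusable. The following is an added example, not part of the original article or of Zimbra: it parses the output layout shown in step 1, rebuilds the single-line TXT value, and checks that the p= value is a well-formed RSA public key. The function names are hypothetical, and the sample input is the example.com output copied from step 1.

```python
import base64
import re

# Sample input: the example.com output shown in step 1 (illustrative, not a live key).
SAMPLE_OUTPUT = '''DKIM Data added to LDAP for domain example.com with selector 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB
 Public key to enter into DNS:
 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB._domainkey IN TXT "v=DKIM1;k=rsa;
 p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDY5CBg15nZ2vYnRmrNub6Jn6ghQ2DXQbQgOJ/E5IGziUYEuE2OnxkBm1h3jived21uHjpNy0naOZjLj0xLyyjclVy1chrhSbsGAhe8HLXUsdXyfRvNTq8NWLsUnMEsoomtJCJ
 /6LYWYU1whOQ9oKZVAwWHSovAWZpByqNMZmFg7QIDAQAB" ; ----- DKIM 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB for example.com
'''


def _tlv(buf, pos):
    """Read one DER tag/length header; return (tag, value_start, value_length)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, length


def rsa_modulus_bits(der):
    """Size in bits of the RSA modulus inside a SubjectPublicKeyInfo blob."""
    _, p, _ = _tlv(der, 0)                 # outer SEQUENCE
    _, p, n = _tlv(der, p)                 # AlgorithmIdentifier (skipped below)
    _, p, _ = _tlv(der, p + n)             # BIT STRING
    _, p, _ = _tlv(der, p + 1)             # skip unused-bits byte; RSAPublicKey SEQUENCE
    tag, p, n = _tlv(der, p)               # modulus INTEGER
    if tag != 0x02:
        raise ValueError("not an RSA public key")
    return int.from_bytes(der[p:p + n], "big").bit_length()


def dns_record_from_output(text):
    """Turn zmdkimkeyutil output into the hostname and TXT value to publish."""
    m = re.search(r'(\S+\._domainkey)\s+IN\s+TXT\s+(.*?)\s*;\s*-----', text, re.S)
    if not m:
        raise ValueError("no _domainkey TXT record found in output")
    # Join every quoted chunk and drop the whitespace introduced by line wrapping.
    value = re.sub(r"\s+", "", "".join(re.findall(r'"([^"]*)"', m.group(2))))
    tags = dict(t.split("=", 1) for t in value.split(";") if t)
    if tags.get("v") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("unexpected v= or k= tag")
    der = base64.b64decode(tags["p"], validate=True)   # rejects a truncated or mangled key
    return {"hostname": m.group(1), "txt": value, "bits": rsa_modulus_bits(der)}


if __name__ == "__main__":
    print(dns_record_from_output(SAMPLE_OUTPUT))
```

For the sample output it reports a 1024-bit key; RFC 8301 recommends that signers use RSA keys of at least 2048 bits.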

How to Verify Your Outgoing Emails DKIM Signature

The next step is to test your DKIM setup to see if it works. To do so, please see How to Verify Your DKIM Signature.

Technical writer at Zextras, an open-source and technology enthusiast who creates instructional and technical articles about Zextras and Zimbra.
