Generate Dkim Public Key Hostgator

From lxadm Linux administration tips, tutorials, HOWTOs and articles

Control-panel DKIM setup: check Enable DKIM Signing, go to the Certificate tab, enter default in the Selector field and choose 1024 as the Key Size, then select Generate Key, which auto-populates the TXT Record Name and Value. In Plesk, open the control panel, find the Websites & Domains tab for the domain name and expand the Advanced Operations menu.

The DKIM DNS Wizard helps you create the DNS records for your DKIM mail signature. It is based on the specifications of RFC 4871 (since obsoleted by RFC 6376, which keeps the same record format). Enter a domain name such as dnswatch.info. The selector identifies which of the domain's public DKIM keys a verifier must fetch: it travels in the s= tag of the DKIM-Signature header, and the verifier looks the key up at <selector>._domainkey.<domain>. You can use multiple selectors for a single domain where different sets of users or systems need their own signing keys and controls.

DomainKeys Identified Mail (DKIM) is the successor to DomainKeys (DK). A receiver uses the signature to verify that the signing domain took responsibility for the message and that the signed headers and body were not modified after signing; that is an input to spam and spoofing decisions, not a guarantee about the human sender. Everyone is recommended to use DKIM instead of the older DK.

Generating 1024 bit DKIM key

To generate a 1024 bit DKIM key pair with openssl, run the following:


Your generated public key will look something like this:

To publish public.key in a DNS TXT record, you have to convert it manually to a single line: drop the BEGIN/END lines and join the base64 lines, i.e.:


In bind/named compatible format, the TXT record looks like this:


Generating 2048 bit DKIM key

You may well want a 2048 bit DKIM key instead: 1024 bit RSA is below current recommendations (RFC 8301 says signers should use 2048 bit keys and verifiers must support them). In that case, use the following openssl commands:


However, a 2048 bit public DKIM key is too long to fit into one character-string of a TXT record, which is limited to 255 bytes (a record may hold several such strings, and DKIM verifiers concatenate them). Assuming your full public key is as follows:


...you need to split the value into strings of 255 characters or less:
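The 1024 and 2048 bit procedures above, as one added shell example that is not part of the lxadm page: it generates the key pair with openssl, flattens the PEM public key into the p= value, emits the bind/named TXT record (split into 255-character strings when the value is longer than that), and then re-reads the published record to confirm that a verifier would recover a key of the expected size. The function names, the mail selector and the file names are my own; it assumes openssl 1.1 or later and a POSIX shell.

```shell
#!/bin/sh
# Added example, not the lxadm page's own commands. Assumes openssl 1.1+ and
# POSIX sh with mktemp, sed, tr and cut. Run "sh dkim-key.sh demo" to see it.
set -eu

# dkim_gen_key BITS PREFIX -> writes PREFIX.private.pem and PREFIX.public.pem
dkim_gen_key() {
    bits=$1; prefix=$2
    openssl genrsa -out "$prefix.private.pem" "$bits" 2>/dev/null
    # The DKIM p= tag is the base64 of the SubjectPublicKeyInfo DER, which is
    # exactly what "openssl rsa -pubout" writes once the PEM armour is removed.
    openssl rsa -in "$prefix.private.pem" -pubout -out "$prefix.public.pem" 2>/dev/null
}

# dkim_txt_value PUBLIC_PEM -> prints "v=DKIM1; k=rsa; p=<base64 on one line>"
dkim_txt_value() {
    p=$(grep -v '^-----' "$1" | tr -d '\n')
    printf 'v=DKIM1; k=rsa; p=%s\n' "$p"
}

# dkim_bind_record SELECTOR VALUE -> prints a bind/named TXT record. A value
# longer than 255 bytes is split into several quoted strings inside ( ),
# which verifiers join back into one value (RFC 6376 section 3.6.2.2).
dkim_bind_record() {
    selector=$1; value=$2
    if [ "${#value}" -le 255 ]; then
        printf '%s._domainkey IN TXT "%s"\n' "$selector" "$value"
        return
    fi
    printf '%s._domainkey IN TXT ( ' "$selector"
    rest=$value
    while [ -n "$rest" ]; do
        chunk=$(printf '%s' "$rest" | cut -c1-255)
        rest=$(printf '%s' "$rest" | cut -c256-)
        printf '"%s"' "$chunk"
        if [ -n "$rest" ]; then printf '\n        '; fi
    done
    printf ' )\n'
}

# dkim_record_bits RECORD_OR_VALUE -> prints the RSA modulus size found in the
# p= tag, i.e. what a verifier sees after re-joining the TXT strings. Accepts
# either the bare value or the multi-line bind record produced above.
dkim_record_bits() {
    # ";p=" cannot occur inside base64, so the last ";p=" is the real tag.
    p=$(printf ';%s' "$1" | tr -d ' "\n' | sed -n 's|.*;p=\([A-Za-z0-9+/=]*\).*|\1|p')
    printf '%s' "$p" | openssl base64 -d -A \
        | openssl rsa -pubin -inform DER -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Demo: a 1024 bit key fits one string, a 2048 bit key has to be split.
dkim_demo() {
    dir=$(mktemp -d)
    for bits in 1024 2048; do
        dkim_gen_key "$bits" "$dir/dkim$bits"
        value=$(dkim_txt_value "$dir/dkim$bits.public.pem")
        record=$(dkim_bind_record mail "$value")
        echo "# $bits bit key, TXT value length ${#value}:"
        echo "$record"
        echo "# a verifier sees a $(dkim_record_bits "$record") bit key"
    done
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then dkim_demo; fi
```

The private key never leaves the directory openssl wrote it to; only the output of dkim_bind_record goes into the zone. If your DNS provider's web form cannot take a multi-string record, paste the strings it prints one per field, never with spaces between them, because the verifier concatenates them byte for byte.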


There are several limitations to 2048 bit DKIM records:

  • While bind/named supports a TXT record split into several strings, some DNS hosting providers' web interfaces still cannot enter one.
  • If the DNS response exceeds 512 bytes, a resolver without EDNS0 gets a truncated UDP answer and retries over TCP. Some buggy firewalls do not permit DNS over TCP, so the key cannot be fetched.
Retrieved from 'https://lxadm.com/index.php?title=Generating_DKIM_key_with_openssl&oldid=437'

Last week a well-known load balancer company sent me an email in which both the sender and recipient email addresses were my domain's addresses on my Office 365 tenant. In the post-incident RCA, Microsoft said that SPF was not enough for this incident and that we should have DKIM enabled for our domains.

Microsoft recommends creating DKIM DNS records alongside SPF; DKIM adds a digital signature to outbound mail that SPF does not provide. See the Microsoft TechNet blog post referenced at the end of this post to learn more.

Overall it is a two-step process: first create the two CNAME records, then enable DKIM in Office 365, which publishes the two DKIM TXT records under the tenant's onmicrosoft.com domain. The key is learning how to create the CNAME records.

I am sharing the following steps to enable DKIM for a domain in Office 365.

  • Create the two CNAME records first, otherwise you will see this warning:

    CNAME record does not exist for this config. Please publish the following two CNAME records first.

    selector1-emaildomainname._domainkey.Tenantename.onmicrosoft.com

    selector2-emaildomainname._domainkey.Tenantename.onmicrosoft.com

    These are the CNAME targets. The record names live in your own domain, selector1._domainkey.<your domain> and selector2._domainkey.<your domain>, and each points at the matching target above.


  • Log in to your Office 365 tenant
  • Open the Exchange Admin Center → Protection → DKIM → select the domain and click Enable


Or

  • Click Security Policies → DKIM → select the domain and click Enable



We do not need to rotate the key; Microsoft does it for us.

For verification, I sent an email to an MSExchangeGuru.com address and saw the DKIM validation succeed.


This is how my previous emails used to look:



Even though my sender domain is not onmicrosoft.com, the signature used to carry our tenant's onmicrosoft.com domain. This means it was using the default signature created by Microsoft. That signature does not cover your own domain (a DKIM d= that does not match your From: domain gives you no DMARC alignment), so you should configure DKIM for your domain.

Now the question is: where are my DKIM records? The logic is simple. We created two CNAME records, which are alias records, so lookups follow them to the targets under Tenantename.onmicrosoft.com. That zone is owned by Microsoft, so the TXT records do not appear in your own DNS provider's record list.

There are a couple of ways to check them:

  • Log in to Office 365 → Settings → Domains → select your domain → Additional Office 365 records.



Or

  • Open a command prompt, run nslookup, enter set q=txt, then type the CNAME target (the pointer) and press Enter.


  • We can also test that the DKIM record works here: http://dkimcore.org/tools/keycheck.html

Fill in the selector and domain like this and click Check:


YAY! This is a valid DKIM key record
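The CNAME creation and the nslookup/keycheck verification steps of this post, as an added shell example that is not part of the original post. It builds the two CNAME records in bind format, joins the quoted strings that dig prints for a TXT record longer than 255 bytes, and checks that the result is a DKIM record with a non-empty key; the live-lookup function uses dig rather than nslookup. Assumptions not stated in the post: the emaildomainname label is the custom domain with dots replaced by dashes (the same convention as the Office 365 MX record name), contoso.com and the contoso tenant are made-up names, and the dig output in the demo is constructed and truncated.

```shell
#!/bin/sh
# Added example, not from the MSExchangeGuru post. Assumes a POSIX sh, and dig
# for live lookups. "sh o365-dkim.sh demo" runs offline; "sh o365-dkim.sh live
# yourdomain.com [selector2]" follows the real CNAME chain.
set -eu

# o365_dkim_cname DOMAIN TENANT SELECTOR -> bind-format CNAME record.
# Assumption: the label after "selectorN-" is DOMAIN with dots turned into
# dashes (contoso.com -> contoso-com), matching the Office 365 MX record name.
o365_dkim_cname() {
    domain=$1; tenant=$2; selector=$3
    label=$(printf '%s' "$domain" | tr '.' '-')
    printf '%s._domainkey.%s. IN CNAME %s-%s._domainkey.%s.onmicrosoft.com.\n' \
        "$selector" "$domain" "$selector" "$label" "$tenant"
}

# dkim_txt_join "<dig +short TXT output>" -> one DKIM value. dig prints a
# long record as several quoted strings, "part1" "part2"; verifiers join them
# with no separator, so we must too (an added space would corrupt p=).
# Assumes a single TXT RR at the selector name, as RFC 6376 expects.
dkim_txt_join() {
    printf '%s' "$1" | tr -d '\n' | sed 's/" *"//g; s/^"//; s/"$//'
}

# dkim_txt_check VALUE -> returns 0 if VALUE carries a non-empty p= key, prints
# a reason and returns 1 otherwise. An empty p= means the key was revoked
# (RFC 6376 section 3.6.1), which is what a retired selector looks like.
dkim_txt_check() {
    value=$1
    case "$value" in
        *v=DKIM1*) ;;
        *) echo "warning: no v=DKIM1 tag (recommended by RFC 6376)" ;;
    esac
    # ";p=" cannot occur inside base64, so the last ";p=" is the real tag.
    p=$(printf ';%s' "$value" | tr -d ' ' | sed -n 's|.*;p=\([A-Za-z0-9+/=]*\).*|\1|p')
    if [ -z "$p" ]; then
        echo "p= is empty or absent: key revoked or not published"
        return 1
    fi
    echo "ok: DKIM record with a ${#p}-character base64 key"
}

# o365_dkim_live_check DOMAIN [SELECTOR] -> follows the CNAME with dig and
# checks that the TXT it reaches is a usable Office 365 DKIM record.
o365_dkim_live_check() {
    name="${2:-selector1}._domainkey.$1"
    target=$(dig +short CNAME "$name")
    if [ -z "$target" ]; then echo "$name has no CNAME"; return 1; fi
    case "$target" in
        *._domainkey.*.onmicrosoft.com.) ;;
        *) echo "$name points to $target, not a _domainkey name under onmicrosoft.com"; return 1 ;;
    esac
    dkim_txt_check "$(dkim_txt_join "$(dig +short TXT "$target")")"
}

dkim_demo_offline() {
    o365_dkim_cname contoso.com contoso selector1
    o365_dkim_cname contoso.com contoso selector2
    # Constructed, truncated sample of "dig +short TXT" output for a key
    # longer than 255 bytes: two quoted strings on one line.
    sample='"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A" "MIIBCgKCAQEAu3oRgr2wpN3"'
    dkim_txt_check "$(dkim_txt_join "$sample")"
    dkim_txt_check "v=DKIM1; k=rsa; p=" || true    # what a revoked selector returns
}

if [ "${1:-}" = "demo" ]; then dkim_demo_offline; fi
if [ "${1:-}" = "live" ]; then o365_dkim_live_check "${2:?domain}" "${3:-selector1}"; fi
```

Run the live check for both selector1 and selector2: Office 365 keeps two selectors so that one can be rotated while the other is still signing, and a CNAME that exists for only one of them is the most common reason the Enable button in the admin center refuses the domain.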


That completes DKIM for Office 365. I know some of you will ask for a post about on-premises Exchange; expect it soon.

I am also sharing a couple of references here.

How anti-spoofing protection works in Office 365 mail: http://aka.ms/AntiSpoofingInOffice365

https://blogs.msdn.microsoft.com/tzink/2016/03/07/a-powershell-script-to-help-you-validate-your-dkim-config-in-office-365/


Prabhat Nigam

Microsoft MVP CTO @ Golden Five

Team@MSExchangeGuru