Skip to main content
My preferencesSign out
Proofpoint, Inc.

Configuring Outbound DKIM Signing

Situation You are unsure what DKIM signing is, how it works, and how to enable it. You want to use DKIM outbound signing to prevent spoofing of your domain.
Solution

See below for information on:

  • What is DKIM signing?
  • How do I enable outbound DKIM signing?

 

What is DKIM Signing?

 

DomainKeys Identified Mail (DKIM) allows mail administrators to cryptographically sign outbound messages from their doimain, which proves that the message originated from the domain owner’s infrastructure and that the message was not materially altered in transit. Used in conjunction with DMARC, it provides a mechanism to prevent many types of spoofing of your domain.

Technically, DKIM is pretty straightforward. A keypair is generated with a private and public component. When sending a message through the gateway, the private key is used to add a message header which contains a cryptographic signature. Systems receiving DKIM-signed messages use the domain's public key, which they retrieve using DNS, to validate that the signature is valid and that the message hasn't been tampered with.

For more information on DKIM see our Configuring Inbound Anti-Spoofing Policies KB article

Note:

In Essentials we use 2048 Bit DKIM keys instead of 1024 bit. The longer the key length, the more challenging it is for hackers to break the DKIM key. 2048 bit keys provide enhanced tampering protection with the strongest signing for automated security domain authentication. The 2048 bit keys are secure against forms of cryptographic attacks.

How do I Enable Outbound DKIM signing?

Each domain that sends email can be individually configured to sign outbound messages with DKIM. To enable the feature, you will need to create a new signing key, add the public key to your DNS zone, and verify that its been added correctly.

  1. Navigate to Administration > Account Management > Domains.
  2. Select the domain you want to configure and click the vertical ellipsis on the right-hand side of the Domains table.
  3. Click the option labeled Configure DKIM.clipboard_e501c65ecceb73d2327c6c901b2969479.png
  4. A drawer will appear on the right side of the screen, listing all the currently configured DKIM keys. If this is your first time configuring DKIM, no keys will be listed. Click Create New DKIM Signing Key.
  5. The form will appear asking you to specify a selector. A selector is used to locate the public key in DNS and is not visible to end users. A value is pre-populated, but you can change it if you'd like. Click Create. clipboard_e2fa3c160a39dc5fdd3c5286c5c81316f.png
  6. The resulting screen will give you the hostname and value into your DNS zone. You typically do this on your domain registrar's website (GoDaddy, Dotster, Namecheap, etc.) 

    You are also given an opportunity to save the private key to a secure location, in case you need it in the future. This is the only time this value will be displayed.

    clipboard_ec47f5790562406e48e71e4e04322d8f5.png
  7. Once you've made the addition to your DNS zone, Proofpoint Essentials will need to validate that the record was added correctly. To do so, click the Verify Key button in the key's context menu.clipboard_eaba65a73b2b65458226776bb617d0f8d.png
  8. Once the key is successfully verified, outbound DKIM signing is automatically enabled for this domain. You can disable signing at any time by using the vertical ellipsis on the right-hand side of the Domains table. Click the option labelled Disable DKIM.

If you are getting an error from your DNS provider that your key is too long and they need a 1024 bit key, Proofpoint Essentials only supports 2048-bit keys. You can use tools to split the DNS record. We don't care what tools you use. One tool for example is https://www.mailhardener.com/tools/d...ecord-splitter. It can take the 2048 and break it down if the DNS provider has a 1024 limit.