It’s mandatory to set up DKIM for Exchange Server. Every organization should set it up in addition to configuring SPF. Once both are set up, you must add DMARC to complete the setup. All three email authentication protocols (SPF/DKIM/DMARC) need to be in place for every domain. In this article, you will learn how to configure DKIM for Exchange Server.
What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication method designed to detect forged sender addresses in emails. When outgoing messages are signed with DKIM, recipients can verify that a message is from the sender it claims to be from and that the content of the message has not been modified.
There are several advantages to using DKIM to sign your outgoing emails:
- The recipient is able to verify that the message originated from the specified sender
- The recipient is able to verify that the message content (and important headers e.g. the subject) has not been altered
- It lowers the chance of the email being identified as spam, although this is not the primary reason to sign
If a spammer is trying to abuse your domain or email address, using DKIM reduces the chances of spam getting through. Many email servers check for a valid DKIM signature on incoming emails.
Set up DKIM for Exchange Server
There is no built-in option in Exchange Server to set up DKIM. To sign on the Exchange Server itself, you must use a third-party tool, which is not regularly updated and has a lot of bugs. The recommended method is to set up DKIM for Exchange Server on the third-party spam filter.
If your third-party spam filter does not have this option, switch to one that does. The one I recommend is the SpamBull spam filter. It supports DKIM for all outbound messages. In this article, you will see how to set up DKIM for your domain in Exchange Server.
Step 1. Generate DKIM certificate
- Log in to the SpamBull admin center.
- In the left menu, expand the tab General.
- Click on Domains overview (see Add domain first, if you have not yet added the domain).
- Click on the domain you want to set up DKIM for.


- In the left menu of the domain control panel, expand the tab Outgoing.
- Click on DKIM.
- Choose the DKIM key length (we recommend 2048 if your DNS supports it).
Note: Select 1024 bits only when your DNS provider is unable to use a 2048-bit key.
- Enter the DKIM selector: selector1.
- Click on Generate and save new private/public pair.


A key is successfully generated.


Step 2. Add DKIM record in DNS
Once the key has been generated, publish the TXT record to the authoritative DNS server for your domain. The steps for doing this differ per domain provider. For assistance, please get in touch with your domain provider.
An example of the DKIM record in the domain’s public DNS:
selector1._domainkey.exoip.com
Value:
v=DKIM1; g=*; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtXb+jhtB2+AYzoOmSV2PXaQeigNRYlQySKvDCCnsYciKtmCeMIGXfcqxk3L3w6ODqf8KJxX3idZ++AJSKHKXU4rgtkQ43PThtd3wtpF2llS/vK9pkc9Ge/j6+7eXbNXiDWcCW+lmu9QOrnNVnYNjrOVHIGAtzCq3JT9imIChbe55SxOJobT5KHCiwPHYhvEefbCLjMGKMC2PR5JJrQ/P4Y4yfXCMfmKsfdWu4VTlPJWKaAIwF2S5XR50AWRp76XLzR+xY08QOsa81MWlEqcCjqa5Hg9eX/OzrYIOSruIYwIQmSmfQgyB2YvtP+bUS840bW3E8k7GKym1PsmgaSqWdQIDAQAB;
This is what the DKIM record looks like in Public DNS:


You added the DKIM record successfully. Wait a couple of minutes for the DNS to be fully propagated.
Step 3. Add DKIM selector in outgoing user
- Make sure you access the domain control panel. Refer to steps 1-4 of the previous tutorial.
- In the left menu, expand the tab Outgoing.
- Click on Manage users.
- Click the dropdown arrow next to the Username/IP.
- Click on Edit.


- In the DKIM selector field enter: selector1.


- Click Save.
Note: A message can appear with the text: Cannot find DKIM DNS entry (there should be a TXT record at selector1._domainkey.yourdomain.com). If you just added the DKIM record to the public registrar, it may take some time before it’s propagated to all DNS systems. You should try again in a couple of hours.
Any domain that sends through outgoing authentication with this selector should sign with it (assuming the domain does not have its own DKIM).
Step 4. Verify DKIM record
An excellent way to verify the DKIM record is to use a DKIM validator website.
- Go to MxToolbox
- Fill in the domain with the DKIM selector.


- Send an email from the domain to an external domain.
- Verify that the message header shows: dkim=pass (signature was verified).


You successfully set up DKIM for Exchange Server with a third-party spam filter.
That’s it!
Conclusion
You learned how to configure DKIM for Exchange Server. It’s very important to set up DKIM, in addition to the SPF record which you already have set up for securing the outgoing messages. Without DKIM, your domain is vulnerable to spoofing. Also, all email providers check whether a domain has a valid DKIM record. If not, your message will be rejected or sent to spam and never reach the recipient’s inbox.

