Requirements

  1. Access to the Email Security Appliance (ESA).
  2. Access to DNS to add/remove TXT records.

Ensure that DKIM signing is off

Before we make any changes, we want to ensure that DKIM signing is off in all mail flow policies. This will allow us to configure DKIM signing without any impact to mail flow:

  1. Go to Mail Policies > Mail Flow Policies.
  2. Go to each mail flow policy and ensure that "Domain Key/DKIM Signing" is set to "Off."

Create a DKIM signing key

You will first need to create a new DKIM signing key on the ESA:

  1. Go to Mail Policies > Signing Keys and select "Add Key..."
  2. Name the DKIM key and either generate a new private key or paste in an existing one.

    Note: In most cases, it is recommended that you choose a 2048-bit private key size.

  3. Commit the changes.

Generate a new DKIM signing profile and publish the DNS record to DNS

Next, you will need to create a new DKIM signing profile, generate a DKIM DNS record from that DKIM signing profile and publish that record to DNS:

  1. Go to Mail Policies > Signing Profiles and click "Add Profile..."
    1. Give the profile a descriptive name in the field "Profile Name."
    2. Enter your domain in the field "Domain Name."
    3. Enter a new selector string into the field "Selector."

      Note: The selector is an arbitrary string that is used to allow multiple DKIM DNS records for a given domain.

    4. Select the DKIM signing key created in the previous section in the field "Signing Key."
    5. Click Submit.
  2. From here, click "Generate" in the column "DNS Text Record" for the signing profile you just created and copy the DNS record that is generated. It should look similar to the following:
    selector2._domainkey.example.com. IN TXT "v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwMaX6wMAk4iQoLNWiEkj0BrIRMDHXQ7743OQUOYZQqEXSs+jMGomOknAZJpjR8TwmYHVPbD+30QRw0qEiRY3hYcmKOCWZ/hTo+NQ8qj1CSc1LTMdV0HWAi2AGsVOT8BdFHkyxg40oyGWgktzc1q7zIgWM8usHfKVWFzYgnattNzyEqHsfI7lGilz5gdHBOvmF8LrDSfN" "KtGrTtvIxJM8pWeJm6pg6TM/cy0FypS2azkrl9riJcWWDvu38JXFL/eeYjGnB1zQeR5Pnbc3sVJd3cGaWx1bWjepyNQZ1PrS6Zwr7ZxSRa316Oxc36uCid5JAq0z+IcH4KkHqUueSGuGhwIDAQAB;"
  3. Commit the changes.
  4. Submit the DKIM DNS TXT record from step 2 to DNS.
  5. Wait until the DKIM DNS TXT record has been fully propagated.
  6. Go to Mail Policies > Signing Profiles.
  7. Under the column "Test Profile", click "Test" for the new DKIM signing profile. If the test is successful, continue with this guide. If not, confirm that the DKIM DNS TXT record has been fully propagated.
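
As an added pre-flight check for steps 5 and 7 (this script is not part of the original guide and is not Cisco's code), the following Python parses a published DKIM TXT record, joins the multiple quoted strings that the ESA emits for keys longer than 255 bytes, and confirms that the p= tag carries a 2048-bit RSA key. It assumes the record text is pasted in or taken from `dig +short TXT selector2._domainkey.example.com`; the embedded record is the example shown in step 2.

```python
import base64
import re
# The record as the ESA generated it in step 2 above. TXT data over 255 bytes is published as
# several quoted strings that resolvers hand back separately, so they are joined before parsing.
EXAMPLE_TXT = (
    '"v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwMaX6wMAk4iQoLNWiEkj0BrIRMDHXQ7743OQUOYZQqEXSs+jMGomOknAZJpjR8TwmYHVPbD+30QRw0qEiRY3hYcmKOCWZ/hTo+NQ8qj1CSc1LTMdV0HWAi2AGsVOT8BdFHkyxg40oyGWgktzc1q7zIgWM8usHfKVWFzYgnattNzyEqHsfI7lGilz5gdHBOvmF8LrDSfN" '
    '"KtGrTtvIxJM8pWeJm6pg6TM/cy0FypS2azkrl9riJcWWDvu38JXFL/eeYjGnB1zQeR5Pnbc3sVJd3cGaWx1bWjepyNQZ1PrS6Zwr7ZxSRa316Oxc36uCid5JAq0z+IcH4KkHqUueSGuGhwIDAQAB;"'
)

def join_txt_strings(rdata: str) -> str:
    # Concatenate the quoted strings of one TXT RDATA (the form `dig +short` prints).
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rdata))

def parse_dkim_tags(record: str) -> dict:
    # 'tag=value; tag=value' -> dict; folding whitespace inside a value is removed.
    pairs = [p.split("=", 1) for p in record.split(";") if "=" in p]
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def _der_read(buf: bytes, pos: int):
    # Return (tag, value_start, value_end) of the DER element at pos; handles long-form lengths.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(spki_der: bytes) -> int:
    """Walk the SubjectPublicKeyInfo carried in p= and return the RSA modulus size in bits."""
    _, pos, _ = _der_read(spki_der, 0)              # outer SEQUENCE
    _, _, pos = _der_read(spki_der, pos)            # AlgorithmIdentifier, skipped
    bit_tag, pos, _ = _der_read(spki_der, pos)      # BIT STRING wrapping RSAPublicKey
    _, pos, _ = _der_read(spki_der, pos + 1)        # RSAPublicKey SEQUENCE, after the unused-bits byte
    int_tag, start, end = _der_read(spki_der, pos)  # INTEGER modulus n
    if bit_tag != 0x03 or int_tag != 0x02:
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    return int.from_bytes(spki_der[start:end], "big").bit_length()

def check_dkim_record(rdata: str, min_bits: int = 2048) -> dict:
    """Return the parsed tags, the key size and a list of problems for one published record."""
    tags = parse_dkim_tags(join_txt_strings(rdata))
    problems, bits = [], 0
    if tags.get("v", "DKIM1") != "DKIM1":           # v= is optional but must read DKIM1 when present
        problems.append("v tag is not DKIM1")
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags.get("p", ""), validate=True))
    except Exception as exc:                        # bad base64, truncated DER, or an empty (revoked) p=
        problems.append(f"p tag is not a usable RSA public key: {exc}")
    if bits and bits < min_bits:
        problems.append(f"key is {bits} bits; the guide recommends {min_bits}")
    return {"tags": tags, "bits": bits, "problems": problems}
```

Pass the output of `dig +short TXT <selector>._domainkey.<domain>` to check_dkim_record(); an empty `problems` list means the record is complete and the key size matches the recommendation above, so the "Test" button has something valid to verify.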

Turn DKIM signing on

Now that the ESA is configured to DKIM sign messages, we can turn DKIM signing on:

  1. Go to Mail Policies > Mail Flow Policies.
  2. Go to each mail flow policy that has a "Connection Behavior" of "Relay" and set "Domain Key/DKIM Signing" to "On."

    Note: By default, the only mail flow policy with a "Connection Behavior" of "Relay" is the mail flow policy called "Relayed." The important thing to remember here is that we only want to DKIM sign messages that are outgoing.

  3. Commit the changes.

Test mail flow to confirm DKIM passes