DKIM Implementation Project Plan

DKIM Email Signing for Sending Email

A simple steps and project plan

1. Preparatiion
1. Buy a email gateway capable to do the signing
2. I use McAfee Email Gateway (MEG).  It has built in support.  Just enable it (instruction)
3. Other may consider sendmail + OpenDKIM.  I have no experience in this.
4. For MEG, it can generate the private key and public key.  Just generate the key pairs and export the public key.  Copy the public key to notepad.
5. Use online tools to generate DNS TXT record.
6. Publish the DNS TXT record in DKIM testing mode (t=y)
7. Test the DKIM signature
1. DKIM testing by Email Architect
2. Send an email to checkmyauth@auth.returnpath.net
3. Send test mail to major email service provider and client, test out if DKIM signature is found and confirmed by their email gateway
2. Implementation
1. If pass, change the DKIM DNS record from "testing mode" to "production mode"
2. If not pass, try the following:
1. Reduce the number of header fields for signing
2. Disable email disclaimer adding at email gateway (since this may temper the email body and make the email body signing not work)
3. check if any email gateway along the path have modified the email (e.g. add disclaimer, add header, etc)
4. canonicalization method - change from simple to relaxed, or vice versa
3. Monitoring
1. regular test mail to test if email is considered as DKIM check failure .
4. Enhancement
1. Consider change key pair periodically