Overview
This article explains how to configure DNS records for DKIM in Kerio Connect: adding a DKIM record to your DNS, obtaining the DKIM public key, creating a short 1024-bit DKIM key, and adding a new private key to Kerio Connect.
Solution
Adding a DKIM Record to Your DNS
The process of adding a DKIM record to your DNS may vary according to your provider. To add your DKIM public key to DNS, you can:
- Ask your provider to add the record for you; or
- Do it yourself in the DNS administration console.
The public key in Kerio Connect includes two parts:
- Record name (or selector), for example: mail._domainkey.feelmorelaw.com
- TXT value, for example:
v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfl0chtL4siFYCrSPxw43fqc4z Oo3N+Il220oK2Cp+NZw9Kuvg8iu2Ua3zfbUnZWvWK4aEeooliRd7SXIhKpXkgkwn AB3DGAQ6+/7UVXf9xOeupr1DqtNwKt/NngC7ZIZyNRPx1HWKleP13UXCD8macUEb bcBhthrnETKoCg8wOwIDAQAB
Please note the following about the DKIM public key:
- The TXT value consists of a single line of text.
- The DKIM public key is the same for all domains on a single server (in a single Kerio Connect).
- The DKIM public key in Kerio Connect is 2048-bit. Some providers may restrict the length of the key (the TXT value).
Note: If a domain includes aliases, add a DNS record for DKIM for every alias.
Obtaining DKIM Public Key in Kerio Connect
- In the administration interface, go to the section Configuration > Domains.
- Double-click your domain and go to the General tab.
- Click the Show public key button. This opens a dialog with your domain public key.
- Copy the text to create your DNS DKIM record. Make sure that the record contains the whole text.
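An added example (not part of the original article and not Kerio's own tooling): a Python check to run on the text copied from the Show public key dialog before it goes into DNS. It collapses the value to a single line, reads the RSA key size from the p= tag, catches a record that was not copied in full, and flags values longer than 255 characters, which is the limit of one DNS TXT string. The function names are this example's own; SAMPLE is the example TXT value printed in this article.

```python
import base64

# Example TXT value as printed in this article (1024-bit key, with the page's spacing).
SAMPLE = ("v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfl0chtL4siFYCrSPxw43fqc4z "
          "Oo3N+Il220oK2Cp+NZw9Kuvg8iu2Ua3zfbUnZWvWK4aEeooliRd7SXIhKpXkgkwn "
          "AB3DGAQ6+/7UVXf9xOeupr1DqtNwKt/NngC7ZIZyNRPx1HWKleP13UXCD8macUEb "
          "bcBhthrnETKoCg8wOwIDAQAB")

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER data is truncated (record not copied in full?)")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    _, body, _ = read_tlv(spki, 0)          # outer SEQUENCE
    _, _, pos = read_tlv(body, 0)           # AlgorithmIdentifier, skipped
    tag, bitstr, _ = read_tlv(body, pos)    # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected a BIT STRING holding the key")
    _, rsa, _ = read_tlv(bitstr, 1)         # skip the unused-bits byte
    tag, modulus, _ = read_tlv(rsa, 0)      # first INTEGER is the modulus
    if tag != 0x02:
        raise ValueError("expected the RSA modulus INTEGER")
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_txt(value):
    """Normalise a DKIM TXT value to one line and report key size and length issues."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    tags = {k.strip(): v.strip() for k, v in pairs}
    tags["p"] = "".join(tags.get("p", "").split())  # spaces/newlines in p= are not key data
    problems, bits = [], None
    if tags.get("v") != "DKIM1":
        problems.append("v= tag is not DKIM1")
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError) as exc:  # bad base64 or cut-off DER
        problems.append(f"p= is not a complete RSA public key: {exc}")
    one_line = "; ".join(f"{k}={v}" for k, v in tags.items())
    # One DNS TXT character-string holds at most 255 bytes; longer values must be split.
    return {"value": one_line, "bits": bits, "txt_length": len(one_line),
            "needs_split": len(one_line) > 255, "problems": problems}

if __name__ == "__main__":
    print(check_dkim_txt(SAMPLE))
```

A result with `needs_split` set to true corresponds to the long-key case covered in Long DKIM public key is not found in DNS records.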
Creating a Short DKIM Public Key
Follow the steps in Unable to add the default 2048-bit DKIM key into DNS.
Adding a New Private Key to Kerio Connect
- Stop the Kerio Connect server.
- Go to the Kerio Connect installation directory folder:
sslcert/dkim
- Copy the generated private key to the private.key file.
Note: It is recommended that you always back up the original private key.
- Start the Kerio Connect server.
Kerio Connect will now show the shorter public key in the domain's configuration. You can now create the DNS DKIM record with the new public key.
Notes:
- Keys generated with newer versions of ssh-keygen might not work, so it is recommended to use an online key generator tool to generate new private keys. The DKIM public key is derived from the private key that is in use.
- If you use distributed domains, make sure the new private key is available on all servers.
- You can use any text editor to update the private.key file when generating a new public and private key pair with a DKIM wizard.
If you're unable to configure the DKIM public key in Kerio Connect due to errors related to the length of the record and you use a BIND DNS server, follow the steps in Long DKIM public key is not found in DNS records to split the DKIM key.
Resetting the local DKIM key
If you need to change the current DKIM key, or switch it back to 2048-bit length, follow these steps:
- Stop the Kerio Connect server.
- Go to the Kerio Connect installation directory folder:
sslcert/dkim
- Rename the private.key file to privateprivate.key.bkp
Note: It is recommended that you always back up the original private key.
- Start the Kerio Connect server, which will generate a new private DKIM key.
- Proceed with Adding a DKIM Record to Your DNS.
Testing
Test as per the steps in the 'Testing' section in Adding DKIM and DMARC Records to Kerio Connect.
Information
Please note that Kerio Connect does not support DKIM/DMARC for incoming emails, but only for outgoing messages.
The DKIM TXT value cannot be changed to a custom option, as it is hardcoded in the source code. Additionally, please note that Kerio Connect does not support the c=relaxed/relaxed setting.
Refer to Adding DKIM and DMARC Records to Kerio Connect for more details.