Target
This is for customers using HENNGE Email DLP's DKIM feature.
Purpose
This article explains how to configure the DKIM feature in HENNGE Email DLP.
Notes
The content of this article is based on the product as of November 2024 and may be subject to change without notice.
Frequently Asked Questions
What is DKIM, and why should you register it?
DKIM is a type of sender domain authentication that detects email tampering. By registering DKIM records in DNS and enabling DKIM signing on the sending email server, an electronic signature for DKIM authentication is added to the email header upon sending. The receiving email server verifies this electronic signature to confirm that the email has not been tampered with.
In DKIM authentication, the receiving mail server queries the DNS that manages the domain of the sender address to verify that the DKIM signature is legitimate and not spoofed. Used in this way, DKIM helps prevent email spoofing and enhances email security.
In recent years, major email service providers such as Google strongly recommend passing DKIM authentication for security reasons. Failure to pass DKIM authentication may result in emails being rejected by the receiving mail server or being classified as spam.
What is a DKIM Selector?
A DKIM selector tells a mail server performing DKIM authentication where the required public key is stored.
It is used in conjunction with DKIM records.
Is it necessary to configure DKIM settings in Google Workspace/Microsoft 365 even if it's enabled in HENNGE Email DLP?
That's correct. If you wish to enable DKIM signatures for outgoing emails, please configure it in HENNGE Email DLP, which acts as the "outermost email server." (Adding DKIM signatures is commonly done on the outermost mail server.)
Additionally, if DKIM signing is not configured in HENNGE Email DLP, emails with attachments that were DKIM-signed by Google Workspace / Microsoft 365 and then automatically ZIP-encrypted or URL-encrypted with Secure Download in HENNGE Email DLP may be judged as tampered with during DKIM authentication by the receiving mail server.
Will setting up DKIM records affect all outgoing emails, and is it a mandatory task?
Setting up DKIM only affects delivery to receiving environments that perform DKIM checks. In general, email servers use various methods for spam checks, such as SPF records, content checks, and reputation verification, depending on the receiving environment.
However, DKIM settings are expected to be mandatory when using HENNGE Email DLP in the future.
Is it possible to have DKIM records in both Microsoft 365/Google Workspace and HENNGE Email DLP?
Yes, it's possible. By using different DKIM selectors, you can set multiple public keys in TXT records.
Detailed Procedure and Explanation
1. In the HENNGE Email DLP management interface, select [Tenant Settings] → [DKIM Settings], and click the [Add New Selector] button.
2. When the [Create DKIM Selector] window appears, enter the following information:
- Selector Name: Enter any value of your choice. Allowed characters are uppercase and lowercase English letters, digits, hyphens ( - ), and dots ( . ).
- Key Length: Select either [1024 bits] or [2048 bits].
Note: Issuing a 1024-bit key is recommended, because the string issued for a 2048-bit key may not fit on a single line in DNS.
3. After selecting the created selector, add the displayed value to the DNS TXT record.
You can copy the TXT record name and value by placing the cursor over them.
Note: By default, the [t=y;] (test mode) tag is displayed in the TXT record value. If you intend to use it in production, please remove [t=y;].
If you want to activate DKIM records for multiple domains, you need to add this TXT record to the DNS of each domain.
The method of adding TXT records on DNS servers may vary depending on the server. Please check with your DNS server provider for details.
4. Open the Command Prompt (Windows) or Terminal (Mac OS) and execute the command to confirm that the value of the set TXT record is displayed.
Windows (Command Prompt):
nslookup -type=TXT <selector name>._domainkey.<added domain> 8.8.8.8
Example output:
C:\Windows\system32>nslookup -type=TXT <selector name>._domainkey.<added domain> 8.8.8.8
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
<selector name>._domainkey.<added domain>. text =
"v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3<omitted>dPx4QIDAQAB"
Mac OS (Terminal):
dig +short @8.8.8.8 <selector name>._domainkey.<added domain> txt
Example output:
dig +short @8.8.8.8 <selector name>._domainkey.<added domain> txt
"v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3<omitted>dPx4QIDAQAB"
5. After registering the TXT record in DNS, select [Activate].
6. Enter the domain for DKIM registration in [Domain Name] and click [Activate].
If you want to register for multiple domains, selecting [Add Domain] will add additional fields.
Note: If you want to add domains to an existing selector, please refer to the following article.
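Added example (not part of the original article or of HENNGE's tooling): a check of the TXT value returned in step 4 that reports whether [t=y;] is still present, the RSA key length carried in p=, and how many 255-byte DNS strings the value needs. All function names are hypothetical, and the sample record is built from a constructed, non-functional key.

```python
import base64

def parse_tags(txt_strings):
    """Join the quoted strings of one TXT answer and split its tag=value pairs."""
    items = "".join(txt_strings).split(";")
    return {k.strip(): v.strip() for k, v in (i.split("=", 1) for i in items if "=" in i)}

def _tlv(buf, pos):  # read the DER header at pos, return (value_start, value_end)
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_bits(p_value):
    """RSA modulus size of the SubjectPublicKeyInfo carried in the p= tag."""
    der = base64.b64decode(p_value)
    start, _ = _tlv(der, 0)                   # outer SEQUENCE
    _, alg_end = _tlv(der, start)             # AlgorithmIdentifier (skipped)
    bit_start, _ = _tlv(der, alg_end)         # BIT STRING
    key_start, _ = _tlv(der, bit_start + 1)   # +1 skips the unused-bits byte
    n_start, n_end = _tlv(der, key_start)     # INTEGER modulus
    return int.from_bytes(der[n_start:n_end], "big").bit_length()

def split_for_dns(record, limit=255):
    """One TXT character-string holds at most 255 bytes; longer values are split."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]

def check_record(txt_strings):
    tags = parse_tags(txt_strings)
    return {"test_mode": "y" in tags.get("t", "").split(":"),
            "key_bits": rsa_bits(tags["p"]) if tags.get("p") else 0,
            "dns_strings": len(split_for_dns("".join(txt_strings)))}

def _der(tag, body):
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_record(bits, test_mode=True):  # constructed sample, not a usable key
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    alg = bytes.fromhex("06092a864886f70d0101010500")  # rsaEncryption OID + NULL
    key = _der(0x30, _der(0x02, b"\x00" + modulus) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, _der(0x30, alg) + _der(0x03, b"\x00" + key))
    return f"v=DKIM1; k=rsa; {'t=y; ' if test_mode else ''}p={base64.b64encode(spki).decode()}"

if __name__ == "__main__":
    print(check_record([sample_record(1024)]))
    print(check_record(split_for_dns(sample_record(2048, test_mode=False))))
```

Pass check_record the list of quoted strings from the nslookup or dig answer; a 2048-bit value arrives as two strings and is joined before parsing.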