If you require DKIM signing for outbound emails, your organization's DNS record must be populated with the appropriate public key. In order to generate the DKIM Public key, a DNS Authentication: Outbound Signing definition must be created. This allows you to select the appropriate internal domain, and generate the Public DKIM key. This definition will also provide all of the information that needs to be inserted into your domain's DNS entry.
Once Mimecast has validated the new DNS Record TXT entry and a corresponding DNS Authentication: Outbound Signing policy is in place, all outbound messages that meet the policy criteria will be DKIM signed.
Configuring a DNS Authentication Definition
To configure a DNS Authentication definition:
- Log on to the Administration Console.
- Open the Gateway Policy Editor.
- Click on the Definitions drop down. A list of the definition types is displayed.
- Click on the DNS Authentication - Outbound Signing definition type from the list. The list of definitions is displayed.
- Either select the:
  - Policy to be changed.
  - New DNS Authentication - Outbound Signing button to create a definition.
- Complete the DNS Authentication - Outbound Signing Properties section as follows:

| Field | Description |
| --- | --- |
| Description | Enter a description for the definition that allows you to easily identify it at a later date. |
| Sign Outbound Messages with DKIM | Select this option to DKIM sign outbound email. When enabling DKIM signing, the "Domain", "Selector", and "Public Key" fields must be populated. |
| DKIM Key Length | Configures the length of the DKIM signing key that is generated: 1024 or 2048 bits. This option is only displayed after an internal domain is selected. A 2048-bit key produces a TXT value that exceeds the 255 character limit on a single TXT record string, so contact your DNS provider, who should be able to assist you in creating the required TXT record. |
| Domain | Only displayed if the "Sign Outbound Messages with DKIM" option is selected. Use the Lookup button to select an internal domain. |
| Selector | Only displayed if the "Sign Outbound Messages with DKIM" option is selected. Selectors allow a domain to have more than one public key advertised in DNS. The default selector is "mimecastYYYYMMDD". Although this text entry can be adjusted, we recommend regularly switching to a new DNS Authentication policy; for this reason, keep "YYYYMMDD" in your selector. |
| Public Key | Only displayed if the "Sign Outbound Messages with DKIM" option is selected. |
- Click the Generate button to create the private and public key pairs. The private key is automatically saved in Mimecast, and will not be displayed for security reasons. The public key is displayed in the Public Key field.
- Copy the Public Key value to your clipboard.
- Add the Public Key to the DNS TXT record for 'selector._domainkey.domain' where:
  - 'selector' equals the selector you have configured.
  - 'domain' equals the domain you are creating the DNS Authentication policy for.
- Click the Check DNS button to perform a DNS TXT lookup for 'selector._domainkey.domain'.
- Compare the returned string with the value published in the Public Key field.
- Click on the Save and Exit button to save the definition.
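The steps above publish the generated public key at `selector._domainkey.domain` and then verify it with a TXT lookup. The following is an added example, not Mimecast code, that builds the record name and TXT value, splits a long value into 255-character strings (a 2048-bit key needs two, a 1024-bit key fits in one), and reassembles a looked-up record to compare its `p=` tag against the key shown in the console. The selector, domain and public key are constructed placeholders; the sample key has the length of a real 2048-bit RSA key but is not a usable key.

```python
import base64
from typing import Dict, List

# Constructed sample: 294 arbitrary bytes base64-encoded, giving the same 392-character
# string a real 2048-bit RSA public key produces. It is NOT a real key.
SAMPLE_PUBLIC_KEY = base64.b64encode(bytes((i * 7 + 3) % 256 for i in range(294))).decode()

TXT_STRING_LIMIT = 255  # maximum length of one character-string inside a TXT record


def dkim_record_name(selector: str, domain: str) -> str:
    """Owner name of the key record: selector._domainkey.domain."""
    return "%s._domainkey.%s" % (selector, domain)


def dkim_txt_value(public_key_b64: str, key_type: str = "rsa") -> str:
    """Full TXT value: DKIM version, key type and the base64 public key."""
    return "v=DKIM1; k=%s; p=%s" % (key_type, public_key_b64)


def split_txt_strings(value: str, limit: int = TXT_STRING_LIMIT) -> List[str]:
    """Chunk a value longer than one TXT string into several strings of one record."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def parse_dkim_record(strings: List[str]) -> Dict[str, str]:
    """Reassemble the TXT strings (concatenated with no separator) and parse tag=value pairs."""
    joined = "".join(strings)
    tags = {}
    for part in joined.split(";"):
        if "=" not in part:
            continue
        tag, _, val = part.partition("=")      # split on the first '=' only; base64 may end in '='
        tags[tag.strip()] = "".join(val.split())  # whitespace inside a value is not significant
    return tags


def check_published_key(strings: List[str], expected_key_b64: str) -> bool:
    """True when the looked-up record carries exactly the key the console displayed."""
    tags = parse_dkim_record(strings)
    return tags.get("v", "DKIM1") == "DKIM1" and tags.get("p") == expected_key_b64


if __name__ == "__main__":
    # Hypothetical selector and domain, following the mimecastYYYYMMDD convention.
    name = dkim_record_name("mimecast20240101", "example.com")
    strings = split_txt_strings(dkim_txt_value(SAMPLE_PUBLIC_KEY))
    print(name)
    for s in strings:
        print('  "%s"' % s)
    print("key matches:", check_published_key(strings, SAMPLE_PUBLIC_KEY))
```

When a lookup tool prints the record as several quoted strings, pass those strings to `parse_dkim_record` in the order they appear; DKIM verifiers concatenate them the same way, so a provider that stores the two halves in the wrong order publishes a key that will never match.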
Implementing SPF for Outbound Email Delivery
To ensure a successful implementation of SPF with us, include a comprehensive list of our outbound IP addresses in your DNS SPF record. This is a long list (24 distinct IPv4 ranges at the time of writing) and new ranges may be added in the future without notice. You can ensure your record is always up to date by referencing the "_netblocks.mimecast.com" record with an include mechanism instead of listing the ranges yourself.
Some typical examples are suggested below as a starting point for constructing an appropriate record.
| Case | Description |
| --- | --- |
| Simple Case | Relaxed configuration which only sends external mail for a given domain via Mimecast. |
| Strict Case | Implements a strict SPF reject for unmatched requests. We recommend testing with the relaxed syntax first. |
| Customers with an Existing SPF Record for a Given Domain | If you have an existing SPF record representing a range of possible senders, these examples show how you can include Mimecast as a legitimate sender. |
| Customers with an Existing SPF Include Record for a Given Domain | Customers with existing SPF records should review their entries to ensure Mimecast servers are referenced only once. Any previous Mimecast references should be removed in favour of _netblocks.mimecast.com. Customers using a domain include mechanism to refer to a DNS entry which already references _netblocks.mimecast.com need to take no further action. |
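The four cases in the table reduce to one rule: reference `_netblocks.mimecast.com` exactly once, keep whatever other senders the domain already lists, and choose `~all` (relaxed) or `-all` (strict). The following is an added example, not Mimecast's own tooling, that applies that rule to an existing SPF TXT value and counts the terms that cost a DNS lookup, since RFC 7208 allows at most 10 per evaluation and each include consumes one. The sample records use documentation IP ranges and the hypothetical include `_spf.example.net`.

```python
from typing import List, Optional

# The single Mimecast reference the record should contain.
MIMECAST_INCLUDE = "include:_netblocks.mimecast.com"


def parse_spf(record: Optional[str]) -> List[str]:
    """Split an SPF TXT value into its terms after checking the version tag."""
    if not record:
        return []
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    return terms[1:]


def is_all_term(term: str) -> bool:
    """True for 'all' with any qualifier (+all, -all, ~all, ?all, all)."""
    return term.lstrip("+-~?").lower() == "all"


def build_spf_record(existing: Optional[str], strict: Optional[bool] = None) -> str:
    """Return the existing record (or a new one) with Mimecast referenced exactly once.

    strict=None keeps the record's existing 'all' qualifier (default ~all for a new record);
    strict=False forces ~all (relaxed, test with this first); strict=True forces -all.
    """
    terms = parse_spf(existing)
    all_terms = [t for t in terms if is_all_term(t)]
    terms = [t for t in terms if not is_all_term(t)]
    # Remove every earlier Mimecast reference in favour of the _netblocks include.
    terms = [t for t in terms if "mimecast.com" not in t.lower()]
    terms.append(MIMECAST_INCLUDE)
    if strict is None:
        all_term = all_terms[-1] if all_terms else "~all"
    else:
        all_term = "-all" if strict else "~all"
    return " ".join(["v=spf1"] + terms + [all_term])


def count_dns_lookups(record: str) -> int:
    """Count the top-level terms that trigger a DNS query during SPF evaluation.

    Only this record's own terms are counted; lookups made inside included
    records also count toward the limit of 10 but need a live resolver to find.
    """
    count = 0
    for term in parse_spf(record):
        body = term.lstrip("+-~?").lower()
        if body.startswith(("include:", "exists:", "redirect=", "ptr")):
            count += 1
        elif body in ("a", "mx") or body.startswith(("a:", "a/", "mx:", "mx/")):
            count += 1
    return count


if __name__ == "__main__":
    # Constructed examples: a new domain, an existing record, and a duplicated reference.
    for existing, strict in [
        (None, False),
        (None, True),
        ("v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all", None),
        ("v=spf1 include:_netblocks.mimecast.com ip4:198.51.100.5 include:_netblocks.mimecast.com ~all", None),
    ]:
        new = build_spf_record(existing, strict)
        print("%s  (lookups: %d)" % (new, count_dns_lookups(new)))
```

Run the relaxed form first, as the table recommends, and move to `-all` only once mail from every legitimate sender passes; the lookup count is worth checking because a record that already has several includes can exceed the limit once the Mimecast include is added, and receivers then return a permanent error instead of a pass.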
Creating the DNS Entry
If you wish to implement SPF for your domain, you'll need to create a corresponding TXT DNS record. To check your existing TXT/SPF records, use any available DNS query service; many web-based tools exist for this, as well as command line applications.