This help section describes the DKIM test and the related settings available under the page in the navigation.
DomainKeys Identified Mail (DKIM) is a crypthograhic approach to email authentication that allows senders to sign outbound emails with a digital signature which then can be verified by recipients using the public key DNS record of the sending domain. Succesful verification of the signature proves that the email has not been altered in transit.
Enable this test on perimeter servers only. Mail transfer agents, including Microsoft® Exchange, may rewrite parts of the message header and/or body before forwarding the email to the next hop device which can break the DKIM signature and cause false positives.
Click the Settings button to configure the DKIM test feature of ORF. More information is available in the DKIM Settings section.
Click the Configure button of the Enforced Signatures group. Use this test to require the email to carry a specific signature, or any signature, if it was sent by a specific party.
| Email address/mask | Selector | Domain | Blacklist if... |
|---|---|---|---|
| [email protected] | * | * | sent by [email protected], but no DKIM signature is found or none of the DKIM signatures pass |
| *.domain.com | * | * | sent by [email protected], but no DKIM signature is found or none of the DKIM signatures pass |
| [email protected] | * | domain.com | sent by [email protected], but no DKIM signature is found or the signature of domain.com fails verification |
| [email protected] | mta01 | signer.com | sent by [email protected], but no DKIM signature is found or the signature of signer.com fails verification using the public key located at mta01._domainkey.signer.com |
Click the Configure button of the User-Defined Signature Blacklist group. Use this test to blacklist emails that are signed by specific signers.
Visit the DKIM website at http://www.dkim.org/.
Please visit the DKIM website to learn more about publishing a DKIM record for your domain.
ORF implements RFC6376 published in September 2011, and its updates (RFC8301, RFC8463, RFC8553, RFC8616).
The optional Authentication-Results header field is not appended to emails. ORF does not sign outbound messages.