DKIM (DomainKeys Identified Mail)

DKIM is a mechanism that checks if an incoming email's FROM address is forged.

DKIM adds a special header to every outbound email, which can be used to confirm the message's authenticity. Xeams can not only check the DKIM signature of an incoming email from the Internet, it can also sign an outbound message with a private key so that a receiving server can verify it.

Enabling DKIM in Xeams

  • Log in as admin to Xeams' web interface
  • Click DKIM under Filter Management
  • The following page has two sections:
    • On the left-hand side, you can specify a spam score for incoming emails. This score is assigned to a message that fails DKIM authentication. It is only assigned if a signature is found but is invalid.
    • On the right-hand side, specify the domains that you would like to sign when sending outbound emails.

Preparing your domain for outbound messages

To add your domain, simply specify your domain name along with a selector value. The selector can be any arbitrary value; its purpose is to differentiate multiple SMTP servers in your company. Consider a scenario where you have two SMTP servers, Xeams and Exchange, and outbound emails are sent from both of them. In this case you can use the word "xeams" for the selector in Xeams and "Exchange" for the other SMTP server.

Xeams automatically creates a private/public key pair in the background. These keys are saved in the $INSTALL_DIR\config\dkimKeys folder. It is strongly recommended that you back up this folder. To view the public key value for your domain, click View Details for the desired domain name.

When a domain is added in Xeams, it remains Inactive until the public key is entered in your DNS server. This is done by design to avoid signing an outbound email without a DNS entry.

How to add your public key in a DNS server

You will need to add a TXT record in your DNS server. The host name for this TXT record must be:
YourSelector._domainKey.YourDomain.com
Copy the value of your public key from the "View Details" screen for your domain and paste it in as the value of this TXT record.

Troubleshooting Common Problems

Xeams Displays a Thumbs Down Icon
Xeams will perform a DNS lookup to see if your DKIM key exists in DNS. If the key is not found, you will see a thumbs down icon in the active column.

This happens if Xeams is not able to query your DNS server. Click Tools (the word Tools itself) in the Xeams Admin Console. This brings up a screen allowing you to perform DNS lookups. Try performing a DNS lookup on YourSelector._domainKey.YourDomain.com and ensure it returns your DKIM key.

If not, ask yourself whether you use two DNS servers, one public and another for the LAN. Often administrators modify the zone in their public DNS but forget to add the DKIM key in their local DNS server.


DKIM signature is not trusted
A DKIM signature is based on the body of the email. A slight modification in the body after the DKIM signature has been generated will cause problems. Often emails go through intermediate SMTP servers before reaching the recipient's SMTP server. Consider the following example:
Exchange → Xeams → AnotherSmtp → Recipient's SMTP
In the above example, outbound emails are forced to go through AnotherSmtp before reaching their final destination. Assume the goal of this extra SMTP server is to add a custom privacy note at the end of every message. Since the message has now been modified after Xeams created the DKIM signature, the signature becomes invalid and the recipient's server will consider the message a forgery.

Therefore, it is important that the DKIM signature is added by the last SMTP server in your network.
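
Why a note appended by AnotherSmtp breaks the signature, shown as an added example that is not part of Xeams or its documentation: the DKIM-Signature header carries a hash of the canonicalized body in its bh= tag (RFC 6376), and the receiving server recomputes that hash. The function names and sample bodies are constructed for illustration, and SHA-256 is assumed as the hash.

```python
import base64
import hashlib
import re

def canonicalize_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Body canonicalization from RFC 6376, sections 3.4.3 and 3.4.4."""
    if mode not in ("simple", "relaxed"):
        raise ValueError("mode must be 'simple' or 'relaxed'")
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Collapse runs of space/tab to one space, drop whitespace at line end.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":   # ignore empty lines at end of body
        lines.pop()
    if not lines:                        # empty body: CRLF (simple) or nothing
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """Base64 SHA-256 of the canonical body, as carried in the bh= tag."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")

def body_matches(received_body: bytes, bh: str, mode: str = "relaxed") -> bool:
    """What the receiving server does: recompute the hash, compare to bh=."""
    return body_hash(received_body, mode) == bh

# Constructed sample bodies (not taken from real mail).
SIGNED = b"Hello Bob,\r\n\r\nThe report is attached.\r\n"
REWRAPPED = b"Hello Bob,  \r\n\r\nThe  report is attached.\r\n\r\n\r\n"
WITH_FOOTER = SIGNED + b"\r\n-- \r\nThis message is confidential.\r\n"

def demo(mode: str = "relaxed") -> dict:
    bh = body_hash(SIGNED, mode)         # computed by the signing server
    return {
        "unchanged": body_matches(SIGNED, bh, mode),
        "whitespace_only": body_matches(REWRAPPED, bh, mode),
        "footer_added": body_matches(WITH_FOOTER, bh, mode),
    }

if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        print(mode, demo(mode))
```

Relaxed canonicalization tolerates whitespace-only changes made in transit, but neither mode tolerates added text, which is why the footer case fails in both.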