Assumptions:
- This article assumes you have a fully functioning Customer-Hosted Gateway (GW)
- DKIM selector is GW (default in Gateway Deploy Script)
- The Customer-Hosted GW is performing final delivery
Instructions:
Edit your current .env file in the /var/virtru/vg/env directory, locate the line below and uncomment the following variable:
GATEWAY_DKIM_DOMAINS=gw._domainkey.<yourdomain.com>
Comment out the following variable and save your changes (with no transport map configured, the GW resolves the recipient domain's MX records and performs final delivery itself, which is why this article assumes the GW is the final hop):
# GATEWAY_TRANSPORT_MAPS=*=>[MX record]:port
In the /var/virtru/vg/dkim directory, create a new shell script with the following contents:
#!/bin/sh
# Generates the DKIM signing key pair used by the Customer-Hosted GW.
set -eu
gwDomain="<yourdomain.com>"
gwDkimSelector=gw
dkimPath="/var/virtru/vg/dkim"
dkimPrivateFull="$dkimPath/$gwDkimSelector._domainkey.$gwDomain.pem"
dkimPublicFull="$dkimPath/$gwDkimSelector._domainkey.$gwDomain-public.pem"
# 1024 bits is the minimum RFC 8301 allows for DKIM signing keys; 2048 is the recommended size.
openssl genrsa -out "$dkimPrivateFull" 2048
openssl rsa -in "$dkimPrivateFull" -out "$dkimPublicFull" -pubout -outform PEM
# The private key is the only secret here and must stay readable by its owner only;
# the public key goes into DNS anyway, so it may be world-readable.
chmod 600 "$dkimPrivateFull"
chmod 644 "$dkimPublicFull"
Execute the shell script. It generates the private signing key (which the GW uses to sign outbound mail) and the matching public key (which is published in DNS so receivers can verify the signatures). If the GW container runs as a user other than the one that owns the key files, change the owner of the private key to that user rather than loosening its file mode.
Print the public key file to your terminal and copy only the base64 text between -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY-----, joining its lines into a single string with no line breaks or spaces.
Create your DKIM TXT record via your DNS provider's instructions:
- In your DNS, create a TXT record whose name (host) is gw._domainkey.<yourdomain.com>
- The value should be as follows:
v=DKIM1; k=rsa; p=<your copied public key>
- With a 2048-bit key the p= value is longer than 255 characters. Providers that enforce the 255-character limit on a single TXT string require the value to be entered as several quoted strings, which resolvers concatenate back into one record.
Next, stop, remove, and re-build your GW container. Send test messages through the GW to confirm proper delivery and that a DKIM-Signature header (with d=<yourdomain.com> and s=gw) is present in the headers of the delivered message.
docker stop <container-name>
docker rm <container-name>
cd /var/virtru/vg/scripts
sh setup-<container-name>.sh
To verify the MX records the GW will deliver to, use the following command on the gateway host:
dig <yourdomain.com> MX
Additionally, to ensure the container cache is updated to reflect any MX record changes, use the commands below:
sudo resolvectl flush-caches
docker restart <container-id>
To monitor the docker logs during tests, the following command can be utilized:
docker logs -f <container-id>
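The key generation, TXT record construction and DNS check from the steps above, collected into one script as an added example. This is editor-supplied code, not Virtru's deploy script: it assumes the selector gw and the /var/virtru/vg/dkim path from this article, that openssl, dig, fold and paste are installed on the gateway host, and that the GW container can read a private key with mode 600 (chown it to the container's user if needed rather than making it world-readable). The "check" mode shows the test a practitioner wants after publishing: whether the record DNS actually serves carries the same public key as the file on disk.

```sh
#!/bin/sh
# Added example, not part of the Virtru deploy script: generate the GW's DKIM
# key pair, set sane file modes, print the exact TXT value to publish, and
# compare what DNS serves against the local public key.
# Assumptions: selector "gw", keys under /var/virtru/vg/dkim (as in the article),
# openssl and dig installed on the gateway host.
set -eu

gwDkimSelector="gw"
dkimPath="/var/virtru/vg/dkim"
dkimKeyBits=2048   # RFC 8301: 1024 is the minimum signers may use, 2048 is recommended

dkim_priv_path() { printf '%s/%s._domainkey.%s.pem\n' "$dkimPath" "$gwDkimSelector" "$1"; }
dkim_pub_path()  { printf '%s/%s._domainkey.%s-public.pem\n' "$dkimPath" "$gwDkimSelector" "$1"; }

# Generate the key pair for mail domain $1. The private key is the only secret
# in this setup: anyone holding it can sign mail as the domain, so it is created
# under umask 077 and left at mode 600; the public key may be world-readable.
generate_dkim_keys() {
    umask 077
    openssl genrsa -out "$(dkim_priv_path "$1")" "$dkimKeyBits"
    openssl rsa -in "$(dkim_priv_path "$1")" -pubout -outform PEM -out "$(dkim_pub_path "$1")"
    chmod 600 "$(dkim_priv_path "$1")"
    chmod 644 "$(dkim_pub_path "$1")"
}

# Build the DKIM TXT record value from a PEM public key file ($1): drop the
# BEGIN/END lines and join the base64 into one string with no whitespace.
pem_to_dkim_txt() {
    printf 'v=DKIM1; k=rsa; p=%s\n' "$(grep -v -- '-----' "$1" | tr -d '\r\n\t ')"
}

# Some DNS providers cap a single TXT string at 255 characters; a 2048-bit
# key's p= value is longer than that, so present the value ($1) as several
# quoted strings, which resolvers concatenate.
dkim_txt_strings() {
    printf '%s\n' "$1" | fold -w 255 | sed 's/.*/"&"/' | paste -sd ' ' -
}

# Extract the p= tag from a TXT answer as dig prints it ($1): strips quotes and
# whitespace (multi-string answers included) and returns the bare base64.
dns_txt_p() {
    printf '%s' "$1" | tr -d '"\t\n ' | sed -n 's/.*p=\([^;]*\).*/\1/p'
}

# Succeeds only if the TXT record DNS serves for selector/domain $1 carries the
# same public key as the local PEM file $2. Needs network access.
dkim_dns_matches() {
    expected=$(pem_to_dkim_txt "$2" | sed 's/.*p=//')
    published=$(dns_txt_p "$(dig +short TXT "$gwDkimSelector._domainkey.$1")")
    [ -n "$published" ] && [ "$published" = "$expected" ]
}

# Usage: sh dkim-setup.sh <yourdomain.com>          generate keys and print the record
#        sh dkim-setup.sh <yourdomain.com> check    only compare DNS with the local key
if [ $# -ge 1 ]; then
    gwDomain="$1"
    if [ "${2:-}" != "check" ]; then
        generate_dkim_keys "$gwDomain"
        echo "Publish this TXT record at $gwDkimSelector._domainkey.$gwDomain:"
        pem_to_dkim_txt "$(dkim_pub_path "$gwDomain")"
        echo "Same value as 255-character strings, for providers that require it:"
        dkim_txt_strings "$(pem_to_dkim_txt "$(dkim_pub_path "$gwDomain")")"
    elif dkim_dns_matches "$gwDomain" "$(dkim_pub_path "$gwDomain")"; then
        echo "OK: DNS serves the same public key as $(dkim_pub_path "$gwDomain")"
    else
        echo "MISMATCH or not yet published: $gwDkimSelector._domainkey.$gwDomain" >&2
        exit 1
    fi
fi
```

Run it once with your mail domain to create the keys and print the record, publish the record, then run it again with the second argument check after the record has propagated. A mismatch usually means the base64 was copied with a line break or a character missing, or the record has not propagated to the resolver the gateway uses yet (the resolvectl flush-caches step above applies here too).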
Multiple Hosts:
If running the Customer-Hosted GW on multiple hosts, copy the generated DKIM key files to the additional host(s) as needed. The same DKIM key may be used on the additional GW servers as long as they are all configured to use the same mail domain. Copy the private key over an authenticated channel (for example scp), keep it at mode 600 on every host, and use the same path and file name so the selector and domain in each host's .env resolve to it; anyone who obtains the private key can sign mail as your domain.
Other Considerations:
In the GW .env file, an example entry for the relevant variable will look like the below if using multiple domains:
# DKIM certificate information
# Values
# If not defined or commented out, the Gateway will not perform any DKIM signing
# Complete record for DKIM signing
# Required: No
# Example:
# GATEWAY_DKIM_DOMAINS=gw._domainkey.example.com
GATEWAY_DKIM_DOMAINS=gw._domainkey.example.com,gw._domainkey.exampletwo.com,gw._domainkey.examplethree.com
Variable to update for your Gateways with Inbound Topology:
# Inbound FROM address rewrite.
# Enable or disable from address rewriting (inbound topology only). This feature allows the Virtru Gateway to support DKIM.
# Required: No
# Default: 1
# Values:
# 1 - Enabled
# 0 - Disabled
GATEWAY_REPLACEMENT_FROM_ENABLED=1
In your DNS, you will need to add one TXT record for each selector/domain pair listed in GATEWAY_DKIM_DOMAINS, carrying the public key generated for that mailing domain. An example looks like the below (the p= value is abbreviated here; a real record carries the full base64 public key):
Name                      | Type | Content                                                                          | TTL
gw._domainkey.example.com | TXT  | v=DKIM1; p=76E629F05F70 9EF665853333 EEC3F5ADE69A 2362BECE4065 8267AB2FC3CB 6CBE | 6000