Assumptions:
- This article assumes you have a fully functioning Customer-Hosted Gateway (GW)
- The DKIM selector is gw (the default in the Gateway Deploy Script; selectors are used lowercase throughout, as in gw._domainkey)
- The Customer-Hosted GW is performing final delivery
Instructions:
Edit your current values.yaml file, locate the dkimSigning block shown below, and enable signing:
dkimSigning:
  enabled: true
Because the Customer-Hosted GW performs final delivery itself (see the assumptions above), the relay transport map must be disabled. Comment out the following line and save your changes:
#gatewayTransportMaps: "*=>[smtp-relay.gmail.com]:587"
Create a new shell script with the following contents:
#!/bin/sh
set -e
# Set the variables
gwDomain=${GW_DOMAIN:-customerdomain.com}
gwDkimSelector=${GW_DKIM_SELECTOR:-gw}
# Key length: the original version of this script used 1024 bits; RFC 8301
# recommends 2048 for signing. A 2048-bit public key is longer than 255
# characters and must be published as several quoted strings in the TXT record.
gwDkimBits=${GW_DKIM_BITS:-2048}
dkimPrivateFile="/tmp/${gwDkimSelector}._domainkey.${gwDomain}.pem"
dkimPublicFile="/tmp/${gwDkimSelector}._domainkey.${gwDomain}-public.pem"
# Make the key files readable only by the current user while they sit in /tmp
umask 077
# Generate the DKIM keys
openssl genrsa -out "$dkimPrivateFile" "$gwDkimBits"
openssl rsa -in "$dkimPrivateFile" -out "$dkimPublicFile" -pubout -outform PEM
# Display the keys
echo "DKIM Private Key:"
cat "$dkimPrivateFile"
echo ""
echo "DKIM Public Key:"
cat "$dkimPublicFile"
# Clean up
rm "$dkimPrivateFile" "$dkimPublicFile"
Save the script as generate_dkim.sh
Make the script executable
chmod +x generate_dkim.sh
Run the script:
./generate_dkim.sh
Copy your public and private keys into the dkimSigning block of values.yaml. The keys below are truncated placeholders; paste your complete PEM blocks, keeping the indentation under the | block scalars:
dkimSigning:
  enabled: true
  publicKey: |
    -----BEGIN PUBLIC KEY-----
    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQChsrU9fXQ0HQOilwMBD75k8Jik
    -----END PUBLIC KEY-----
  privateKey: |
    -----BEGIN PRIVATE KEY-----
    MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAKGytT19dDQdA6KX
    AwEPvmTwmKTWx4p3IG4/PtXauMJhGTQ/OjV+9kF/dS2I7UdvJJ9fUJOh/zKvFRLZ
    PBKydnRK8WGy==
    -----END PRIVATE KEY-----
The private key is the signing secret for your domain: treat values.yaml as sensitive (restrict its file permissions and keep it out of source control), and clear the key from your terminal scrollback after pasting it.
Next, stop and remove the GW pods, wait for the namespace to disappear, and re-build them with the new values. Deleting the namespace removes everything in it, so confirm nothing else runs there first:
kubectl delete namespace virtru
kubectl get pods -n virtru
helm install -n virtru -f ./values.yaml gateway ./ --create-namespace
Repeat the kubectl get pods command until it reports no resources before running helm install. Then send test messages through the GW to confirm delivery, and check the received headers for a DKIM-Signature header with d=<yourdomain> and s=gw and for dkim=pass in Authentication-Results.
To verify the MX record, run the following on the gateway host:
dig yourdomain.com mx
If you have changed MX records, flush the host's systemd-resolved cache so the lookup is not served from a stale entry:
sudo resolvectl flush-caches
To follow the logs during tests:
kubectl logs <pods-name> -n virtru -f
DNS Entries:
Read your public key into your terminal and copy only the base64 between -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY-----, joined into a single line with no spaces or line breaks.
Create your DKIM TXT record via your DNS provider's instructions:
- In your DNS, create a TXT record whose name (host) is gw._domainkey.<yourdomain.com>; many providers want only gw._domainkey in the name field and append the domain themselves
- The 0.0.0.0 in the SPF record below is a placeholder. Replace it with the public IP address the gateway sends from; if you leave the placeholder, recipients report an SPF fail (or softfail with ~all) in the received headers, and those same Received: headers show the address you need to publish
- The value should be as follows:
v=DKIM1; k=rsa; p=<your copied public key>
In your DNS, you will need to add TXT records to reflect each of the public keys you have for the mailing domain(s). An example looks like the below:
Name          | Type | Content                                                                                                                  | TTL
gw._domainkey | TXT  | v=DKIM1; k=rsa; p=<your copied public key>                                                                               | 6000
@             | TXT  | v=spf1 ip4:0.0.0.0 -all                                                                                                  | 6000
_dmarc        | TXT  | v=DMARC1; p=none; rua=mailto:postmaster@yourdomain.com; ruf=mailto:postmaster@yourdomain.com; sp=none; aspf=r; adkim=r; | 6000
The p= value is the single-line base64 public key with no whitespace; if it is longer than 255 characters (a 2048-bit key is), your provider must store it as several quoted strings, which verifiers concatenate. Replace 0.0.0.0 with the gateway's public IP. With -all, mail from any other address hard-fails SPF; the DMARC policy p=none only requests reports and does not yet reject unaligned mail.
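As an added example (not part of the Virtru gateway chart, its deploy script, or the original text of this article), the following POSIX shell helper ties the steps above together: it turns the public key PEM into the TXT record data with the 255-octet chunking a 2048-bit key needs, checks a published answer (as pasted from dig +short TXT gw._domainkey.<yourdomain.com>) against the local key, and checks the Authentication-Results header of a received test message for dkim=pass with the expected domain and selector. The PEM body, DNS answer and headers it runs on are constructed sample data, not a real key; the domain customerdomain.com and selector gw are the defaults from the script above.

```shell
#!/bin/sh
# Added example for the Customer-Hosted GW DKIM setup. Not part of the Virtru
# gateway chart or its deploy script: it reshapes the public key PEM that
# generate_dkim.sh prints into the DNS record and checks what DNS serves back.
# Assumptions: the PEM is an SPKI "PUBLIC KEY" block as "openssl rsa -pubout"
# writes it, and the DNS answer is pasted from "dig +short TXT <name>".

# Strip the PEM armour and line breaks: the p= tag is the base64 DER only.
pem_to_p() {
    sed '/^-----/d' | tr -d '\r\n '
}

# Build the record data for <selector>._domainkey.<domain>. A DNS TXT record is
# a set of character-strings of at most 255 octets, so a 2048-bit key (392
# base64 chars) does not fit in one; emit quoted 255-char chunks, which
# verifiers concatenate (RFC 6376 section 3.6.2.2).
dkim_txt_record() {
    printf 'v=DKIM1; k=rsa; p=%s\n' "$(pem_to_p)" | fold -w 255 |
        sed 's/^/"/; s/$/"/' | paste -s -d ' ' -
}

# Pull p= back out of a published answer as "dig +short TXT" prints it
# ("chunk1" "chunk2"): drop quotes, line breaks and spaces, then split on ';'.
txt_p_value() {
    tr -d '"\r\n ' | tr ';' '\n' | sed -n 's/^p=//p'
}

# Exit 0 when the key published in DNS is exactly the local public key. Run it
# once the record has propagated; a mismatch (stale key, pasted with the PEM
# headers, truncated by a DNS UI) shows up later as dkim=fail on every message.
dkim_dns_matches() { # $1 = public key PEM file, $2 = TXT answer string
    local_p=$(pem_to_p < "$1")
    dns_p=$(printf '%s' "$2" | txt_p_value)
    [ -n "$dns_p" ] && [ "$dns_p" = "$local_p" ]
}

# Exit 0 when the Authentication-Results header of a received test message
# reports dkim=pass for the expected domain and selector. Folded headers
# (continuation lines starting with whitespace) are joined first; both the
# header.d= and the header.i=@ form of the domain are accepted.
dkim_pass_in_headers() { # $1 = raw headers file, $2 = domain, $3 = selector
    awk '/^[ \t]/ { sub(/^[ \t]+/, " "); printf "%s", $0; next }
         NR > 1 { print "" } { printf "%s", $0 } END { print "" }' "$1" |
        grep -i '^Authentication-Results:' | grep 'dkim=pass' |
        grep -E "header\.(d=|i=@)$2([; ]|\$)" | grep -qE "header\.s=$3([; ]|\$)"
}

# --- Constructed sample data (NOT a real key; for demonstration only) ---
# A 2048-bit RSA SPKI encodes to 392 base64 characters, so a body of that
# length shows the chunking a real key needs. Generate a real one with
# generate_dkim.sh or "openssl rsa -in <private.pem> -pubout".
SAMPLE_B64=$(awk 'BEGIN { a = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
                          for (i = 0; i < 392; i++) printf "%s", substr(a, (i % 64) + 1, 1) }')
SAMPLE_PEM_FILE=$(mktemp)
{
    echo '-----BEGIN PUBLIC KEY-----'
    printf '%s\n' "$SAMPLE_B64" | fold -w 64
    echo '-----END PUBLIC KEY-----'
} > "$SAMPLE_PEM_FILE"

# Constructed headers as a receiving MTA might add them to a signed test message.
SAMPLE_HEADERS_FILE=$(mktemp)
cat > "$SAMPLE_HEADERS_FILE" <<'EOF'
Received: from gw.customerdomain.com (gw.customerdomain.com [203.0.113.10])
Authentication-Results: mx.example.net;
        dkim=pass header.i=@customerdomain.com header.s=gw header.b=fakesig;
        spf=pass smtp.mailfrom=customerdomain.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=customerdomain.com;
        s=gw; h=from:to:subject:date; bh=fakebodyhash; b=fakesignature
EOF

# The record data to paste at gw._domainkey.customerdomain.com:
RECORD=$(dkim_txt_record < "$SAMPLE_PEM_FILE")
echo "$RECORD"

# Simulate DNS serving it back intact, and a copy a DNS UI truncated by 10 chars.
GOOD_ANSWER=$RECORD
BAD_ANSWER=$(printf '%s' "$RECORD" | sed 's/.\{10\}"$/"/')
if dkim_dns_matches "$SAMPLE_PEM_FILE" "$GOOD_ANSWER"; then echo "published key matches local key"; fi
if ! dkim_dns_matches "$SAMPLE_PEM_FILE" "$BAD_ANSWER"; then echo "truncated record detected"; fi
if dkim_pass_in_headers "$SAMPLE_HEADERS_FILE" customerdomain.com gw; then echo "dkim=pass for customerdomain.com selector gw"; fi
```

To use it against your real deployment, replace the constructed PEM with the public key printed by generate_dkim.sh, feed dkim_dns_matches the output of dig +short TXT gw._domainkey.<yourdomain.com> after the record has propagated, and save the raw headers of a test message received at an external mailbox for dkim_pass_in_headers.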