DKIM

The CipherMail gateway can digitally sign outgoing email with DKIM (DomainKeys Identified Mail) when sending to external recipients. The DKIM signature helps receiving mail servers verify that a message actually came from your domain and has not been altered during transmission.

DKIM signing is configured with the CipherMail command-line interface tool (ciphermail-cli) and requires the following steps.

Enable DKIM signing in the global settings:

Enable DKIM

ciphermail-cli property global set --name dkim-signing-enabled --value true

Then, for each internal domain:

  1. Generate a DKIM key

  2. Add internal domain

  3. Assign the DKIM key to the domain

  4. Publish the DKIM key in DNS

Generate a DKIM key

ciphermail-cli dkim generate key --key-id <key-id>

Where <key-id> should be a unique ID that identifies the key.

Hint

Set <key-id> to a value which contains the domain name and the date. For example: example-com-30092025

To check whether the key was created, list all the key IDs:

ciphermail-cli dkim get key-ids

Add internal domain

ciphermail-cli domain add --domain <domain>
ciphermail-cli property domain set --domain <domain> --name locality --value INTERNAL

Replace <domain> with the correct domain.

Assign the DKIM key to the domain

ciphermail-cli property domain set --domain <domain> --name dkim-key-identifier --value <key-id>

Replace <domain> with the correct domain and <key-id> with the key identifier generated in the first step.

Publish the DKIM key in DNS

The public part of the DKIM key should be published in DNS.

To retrieve the public DKIM key:

ciphermail-cli dkim get public-key --key-id <key-id>

Replace <key-id> with the key identifier generated in the first step.

Log into your DNS management page and add the following TXT record:

ciphermail._domainkey with value v=DKIM1; p=<DKIM-Public-Key>

Replace <DKIM-Public-Key> with the public key value.

Hint

The ciphermail selector should match the selector (s field) from the DKIM Signature Template.
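
The helper functions below are an added example, not part of the CipherMail documentation or tooling. They build the TXT value from the public key, split it into the 255-character strings a TXT record allows, and check that the record returned by dig carries the same key. The function names, the sample key and the output format of ciphermail-cli dkim get public-key (bare base64 or PEM) are assumptions.

```shell
#!/bin/sh
# Added example, not CipherMail code. Function names are hypothetical.
# Assumption: `ciphermail-cli dkim get public-key` prints bare base64 or PEM.

# Reduce stdin to one base64 line: drop PEM armor lines and all whitespace.
normalize_key() { grep -v -e '-----' | tr -d ' \t\r\n'; }

# TXT record value in the form given above: v=DKIM1; p=<DKIM-Public-Key>
dkim_txt_value() { printf 'v=DKIM1; p=%s' "$1"; }

# Split a value into quoted strings of at most 255 characters, the limit for
# one string inside a TXT record (a 2048-bit RSA key alone is ~392 characters).
txt_chunks() {
    printf '%s' "$1" | fold -w 255 | sed 's/.*/"&"/' | tr '\n' ' ' | sed 's/ $//'
}

# Join the quoted strings printed by `dig +short TXT` back into one value.
join_txt_strings() {
    printf '%s' "$1" | sed -e 's/" *"//g' -e 's/^"//' -e 's/"$//'
}

# Extract the p= tag (the public key) from a DKIM record value.
p_tag() {
    printf '%s' "$1" | tr -d ' \t' | tr ';' '\n' | sed -n 's/^p=//p'
}

# Succeed only if the published record carries exactly the gateway's key.
# $1 = raw `dig +short TXT` output, $2 = key as printed by the gateway
dkim_record_matches() {
    published=$(p_tag "$(join_txt_strings "$1")")
    local_key=$(printf '%s\n' "$2" | normalize_key)
    [ -n "$local_key" ] && [ "$published" = "$local_key" ]
}

# Constructed sample, not a real key: 392 characters from the base64 alphabet.
sample_key=$(printf '%0392d' 0 | tr 0 A)
record=$(txt_chunks "$(dkim_txt_value "$sample_key")")
printf 'zone file strings: %s\n' "$record"
dkim_record_matches "$record" "$sample_key" && echo "published key matches"

# On a real system (placeholders as in the steps above):
#   key=$(ciphermail-cli dkim get public-key --key-id <key-id>)
#   dkim_record_matches "$(dig +short TXT ciphermail._domainkey.<domain>)" "$key"
```

Run the check again after DNS changes have propagated; a mismatch means the published record carries a different key than the one assigned to the domain, and receivers will fail DKIM verification.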