DKIM

GreenArrow Engine can digitally sign outgoing messages using DKIM.

Every DKIM key is uniquely identified by its domain name / selector combination. There can be multiple DKIM keys for the same domain name, as long as each of these keys as a unique selector. Similarly, there can be multiple DKIM keys using the same selector, as long as each of those keys is for a unique domain. The remainder of this section is GreenArrow-centric, but if you’d like to learn more about DKIM in general, the DKIM.org website provides a good overview of this technology, and the advantages of using it.

This page’s child pages contain details on how to configure DKIM within GreenArrow Engine:

GreenArrow Engine’s Default DKIM Signing Behavior

GreenArrow Engine’s default behavior when selecting which DKIM key to use for signing is to first check a message for a Sender header. If a Sender header is present, GreenArrow Engine will attempt to sign the message using that domain’s default selector. If a Sender header is not present, GreenArrow Engine will attempt to sign the message using the domain in the From address.

This default behavior can be changed by inserting an X-GreenArrow-DKIM Header into an individual email, or applying it as a setting within GreenArrow itself. See the X-GreenArrow-DKIM Header page for details.

The default selector name that’s used when you create a new DKIM key with GreenArrow Engine is literally, default.

Selecting a Cryptographic Hash

GreenArrow performs DKIM signing using the sha256 cryptographic hash by default but also supports sha1. You can specify which hash to use by updating the /var/hvmail/control/dkim/hashfunc configuration file. For example, to restore the default of sha256, run:

echo sha256 > /var/hvmail/control/dkim/hashfunc

We recommend using sha256, both because it’s cryptographically stronger and because RFC 8301 removed sha1 support from DKIM.