GreenArrow Engine can digitally sign outgoing messages using DKIM.
Every DKIM key is uniquely identified by its domain name / selector combination. There can be multiple DKIM keys for the same domain name, as long as each of these keys has a unique selector. Similarly, there can be multiple DKIM keys using the same selector, as long as each of those keys is for a unique domain. The remainder of this section is GreenArrow-centric, but if you’d like to learn more about DKIM in general, the DKIM.org website provides a good overview of this technology, and the advantages of using it.
This page’s child pages contain details on how to configure DKIM within GreenArrow Engine:
- Creating a New DKIM Key
- Creating DNS Records for DKIM
- Testing DKIM
- DKIM Key Length
- DKIM Signing for Other Domains and Selectors
- Replacing DKIM Keys
- Revoking and Deleting a DKIM Key
- X-GreenArrow-DKIM Header
GreenArrow Engine’s Default DKIM Signing Behavior
GreenArrow Engine’s default behavior when selecting which DKIM key to use for signing is to first check a message for a Sender header. If a Sender header is present, GreenArrow Engine will attempt to sign the message using that domain’s default selector. If a Sender header is not present, GreenArrow Engine will attempt to sign the message using the domain in the
This default behavior can be changed by inserting an X-GreenArrow-DKIM Header into an individual email, or applying it as a setting within GreenArrow itself. See the X-GreenArrow-DKIM Header page for details.
The default selector name that’s used when you create a new DKIM key with GreenArrow Engine is literally,
Selecting a Cryptographic Hash
GreenArrow performs DKIM signing using the sha256 cryptographic hash by default but also supports sha1. You can specify which hash to use by updating the /var/hvmail/control/dkim/hashfunc configuration file. For example, to restore the default of
echo sha256 > /var/hvmail/control/dkim/hashfunc
We recommend using sha256, both because it’s cryptographically stronger and because RFC 8301 removed sha1 support from DKIM.
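To confirm which hash and which domain / selector pair a sent message was actually signed with, you can inspect its DKIM-Signature headers. The following is an added example, not GreenArrow code: the function names are hypothetical and the sample message is constructed for illustration.

```python
import email
from email import policy

# Constructed sample message (not real GreenArrow output): two signatures,
# each with its own domain/selector pair, the second using the legacy hash.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    "\ts=sel1; h=from:to:subject; bh=AAAA; b=BBBB\r\n"
    "DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=mail.example.net;\r\n"
    "\ts=sel2; h=from:to:subject; bh=CCCC; b=DDDD\r\n"
    "From: news@example.com\r\n"
    "To: user@example.org\r\n"
    "Subject: test\r\n"
    "\r\n"
    "body\r\n"
)

def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            # Header folding can leave whitespace inside values; remove it.
            tags[name.strip()] = "".join(val.split())
    return tags

def audit_signatures(raw_message):
    """Return one record per DKIM-Signature header found in the message."""
    msg = email.message_from_string(raw_message, policy=policy.compat32)
    records = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        domain, selector = tags.get("d", ""), tags.get("s", "")
        algo = tags.get("a", "")
        records.append({
            "domain": domain,
            "selector": selector,
            # DNS name where a verifier looks up this key's public half.
            "key_record": f"{selector}._domainkey.{domain}",
            "algorithm": algo,
            "weak_hash": algo.endswith("-sha1"),
        })
    return records

if __name__ == "__main__":
    for rec in audit_signatures(SAMPLE):
        print(rec)
```

Any record with weak_hash set means the message was signed with sha1 and the hashfunc setting on the sending server should be reviewed.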