
Creating a New DKIM Key

Introduction

DKIM is normally configured via GreenArrow Engine’s web interface. However, command line configuration is also possible. This page documents both options.

Web-Based DKIM Configuration

The first step in configuring DKIM is to create the private key that’s used to digitally sign messages.

Complete the following steps to create a new private key:

  1. Log in to GreenArrow Engine’s web interface.
  2. Navigate to Configure => DKIM Keys.
  3. Click the Add DKIM Key button.
  4. Enter the domain that you wish to generate the new DKIM key for in the Domain field, then click Save. In most situations, we recommend leaving the remaining fields at their default values.
  5. If you wish to import an existing DKIM private key, uncheck the box next to Generate a new private key and paste your private key into the text entry box that opens.
  6. Be sure to complete the final setup steps.

Command Line DKIM Configuration

You can configure DKIM keys on the command line by editing the /var/hvmail/control/dkim.json file.

If there are any conflicts between the contents of this file and the web-based configuration, then the web-based configuration takes precedence. For example, if the same domain/selector combination is configured in both locations, then the key that’s configured in the web interface is used for signing.

The format of this configuration file is a JSON array containing one object per DKIM key. Each object should have the following keys:

domain (string)
  The key’s domain name.

selector (string)
  The key’s selector.

default_for_domain (integer / default: 0)
  1 to make this the default DKIM key for the domain. 0 to not.

key_private (string)
  The PEM-encoded private key. Since this is being stored in a JSON document, line endings should be encoded. For example, the configuration below encodes line endings as line feeds (\n).

Here’s an example configuration:

[
  {
    "domain": "example.com",
    "selector": "default",
    "default_for_domain": 1,
    "key_private": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"
  },
  {
    "domain": "example2.com",
    "selector": "default",
    "default_for_domain": 1,
    "key_private": "-----BEGIN RSA PRIVATE KEY-----\nMIICWwIBAAKBgQDRzSh5YUKsZrfG6h0KObZikPXMbUqMtoBvY8RTF24frqxFKNeF\nHSCaD2oTu3eFqyi4lxndYmAFqUmWl5EhqS/EHqCCKso/gRLCL6pqHvUPGBiZqT8f\nqOF9Ccl7FK5asQ6bK6zYpwQQUVBPOvMW52AUlKCVQP1VAtQ7t29PoC+w2wIDAQAB\nAoGAL7sbIDJOduaPnQOaQ79JjTcplK6wrT7ADZeHDNhhx3d33ewizDgKOMKVAZQ+\n5vw/sW8/BSziZ6dSBJ7K9/uD0BLYGh7EzzlfmWtUblwHRhK23zsVcPmYsSyrd4pf\nDvd5csyvorIreqDfua5mv3zFIQqA2ZDarNq6sjsez2qeZnECQQD6x3yJRyGUWqaN\na4HK3GeaO6N2J1L99MUi9Ozy6l4BZ17gf+WxlMJo6rUsVza7INhN2HxSXHPYoady\nEx1TbJvNAkEA1itIVlyWlxAJlvNdwuGkDtPlphV/a61iIgU14escaBU4Rg0yHLdM\n3x6Cf4Jl1HcKSODSD45FyhbimikXHOVnRwJAYxWKqRrHs7wVbm75u1NWQ+Qoc7iZ\n2+loMqWfMWNUfS2AmScvc/iYz6dcqgZTg6A4lplglZId24wTgsj2n02cSQJAQqVR\na16Alh2tfkXZRY3F6b9S1W4XKsDXqtKIQ/dP7au8yT/N+lWoHD54SYmgeo9Yqfkc\nJS8W1J5ugZ6LzLgufQJAW5WlGtyo8RfEbbnGRfeGHRFIf8vHt0a3BThEsh51QRJ3\neT3U4ajMxJfeXFdhzfLDzxtpSM78qfj70DtFWUDcUQ==\n-----END RSA PRIVATE KEY-----"
  }
]

Changes to the configuration file are automatically applied within 20 seconds.

You can check for configuration errors by monitoring the /var/hvmail/log/config-agent/current log file for errors after applying changes. For example, the following line suggests that there’s something wrong with example.com’s private key:

2018-08-10 15:37:44.374183500 Error: invalid format or missing private key in /var/hvmail/control/dkim.json for domain=(example.com), selector=(default)
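A check that can be run on dkim.json content before saving it, so that format mistakes are caught before the config agent logs them. This is an added example, not GreenArrow's code: the names check_dkim_json, pem_problem, FAKE_PEM and GOOD are hypothetical, and the checks are structural only (valid JSON, the documented keys, PEM framing with encoded line feeds, base64 body), not proof that the key is usable.

```python
import base64
import json
import re

# The page shows the "RSA PRIVATE KEY" form; also accepting PKCS#8 is an assumption.
PEM_RE = re.compile(r"-----BEGIN ((?:RSA )?PRIVATE KEY)-----\n(.+?)\n-----END \1-----\n?", re.S)

def pem_problem(pem):
    """Return what is wrong with a key_private value, or None if it looks sane."""
    m = PEM_RE.fullmatch(pem) if isinstance(pem, str) else None
    if not m:
        return "key_private is missing or lacks BEGIN/END lines separated by line feeds"
    try:
        der = base64.b64decode(m.group(2).replace("\n", ""), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "key_private body is not valid base64"
    return None if der[:1] == b"\x30" else "key_private body is not a DER SEQUENCE"

def check_dkim_json(text):
    """Return a list of problems in dkim.json content; an empty list means none found."""
    try:
        entries = json.loads(text)
    except json.JSONDecodeError as exc:  # raw line breaks inside a string land here
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    if not isinstance(entries, list):
        return ["top level must be a JSON array"]
    problems, seen = [], set()
    for i, e in enumerate(entries):
        if not isinstance(e, dict):
            problems.append(f"entry {i}: not an object")
            continue
        dom, sel, dflt = e.get("domain"), e.get("selector"), e.get("default_for_domain", 0)
        where = f"domain=({dom}), selector=({sel})"
        if not (isinstance(dom, str) and dom and isinstance(sel, str) and sel):
            problems.append(f"entry {i}: domain and selector must be non-empty strings")
        elif (dom.lower(), sel) in seen:  # added sanity check, not a documented rule
            problems.append(f"{where}: duplicate domain/selector")
        seen.add((str(dom).lower(), str(sel)))
        if isinstance(dflt, bool) or dflt not in (0, 1):
            problems.append(f"{where}: default_for_domain must be 0 or 1")
        if reason := pem_problem(e.get("key_private")):
            problems.append(f"{where}: {reason}")
    return problems

# Constructed sample: PEM-shaped placeholder bytes, not a real key.
FAKE_PEM = "-----BEGIN RSA PRIVATE KEY-----\n{}\n-----END RSA PRIVATE KEY-----".format(
    base64.b64encode(b"\x30\x82\x02\x5b" + bytes(60)).decode())
GOOD = json.dumps([{"domain": "example.com", "selector": "default",
                    "default_for_domain": 1, "key_private": FAKE_PEM}])
```

json.dumps produces the \n encoding the key_private field needs; pasting a PEM file with its raw line breaks into the string instead makes the whole file invalid JSON, which check_dkim_json reports as a single problem.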

Using a Custom Selector

GreenArrow’s default selector is literally named default. You may override this with another selector if you wish.

DNS and Yahoo’s Feedback Loop

After a new DKIM key is created, the next step is to create the DNS records for it and test to make sure it passes.

Yahoo’s Feedback Loop is DKIM based, so you’ll probably want to register any newly created DKIM keys with Yahoo.