Configuring mail settings : Configuring protected domains : Configuring advanced settings : DKIM Setting
DKIM Setting
The DKIM Setting section appears when configuring an existing protected domain; that is, it does not appear when configuring a new domain. It lets you create domain keys for this protected domain.
The FortiMail unit will sign outgoing email messages using the domain key for this protected domain if you have selected it when configuring sender validation in the session profile. For more information, see “Configuring session profiles”.
 
Because domain keys are tied to the domain name for which they are generated, FortiMail units will not use the domain key of a protected domain to sign email of an associated domain. If you require DKIM signing for an associated domain, convert it to a standard protected domain and then generate its own, separate domain key.
DKIM signing requires a public-private key pair. The private key is kept on and used by the FortiMail unit to generate the DKIM signatures for the email messages; the public key is stored on the DNS server in the DNS record for the domain name, and used by receiving parties to verify the signature.
After you generate the key pair by creating a domain key selector, you can export the DNS record that contains the public key. The following is a sample of the exported DNS record:
example_com._domainkey IN TXT "t=y; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5xvUazqp2sBovpfumPuR5xC+yDvGbfndyHZuVQdSHhwdKAdsfiyOa03iPniCfQEbuM0d+4/AoPyTXHHPFBBnChMMHkWgHYlRDm5UMjrH5J1zDT5OyFxUEur+NtfS6LF29Te+6vSS+D3asfZ85V6WJDHSI9JV0504uwDeOOh/aewIDAQAB"
Then you can publish the public key by adding it to the DNS zone file as a text record for the domain name on the DNS server. The recipient SMTP server, if enabled to use DKIM verification, will use the public key to decrypt the signature and compare the hash values of the email message in order to verify that the hash values match.
To configure a domain key pair
1. Go to Mail Settings > Domains > Domains.
2. Double-click to modify an existing protected domain.
 
Because information from the protected domain is used to generate the key pair, you cannot create DKIM keys while initially creating the protected domain.
3. Click the arrow to expand Advanced Settings.
4. Click the arrow to expand DKIM Setting.
5. In the text box to the left of Create, enter a selector to use for the DKIM key, such as example_com2.
6. Click Create.
The selector name for the key pair appears in the list of domain key selectors. The key pair is generated and public key can be exported for publication on a DNS server.
 
When a new key is created, it is not active by default. This allows you to pulish the public key on the DNS server before you activate the key. Also note that only one key pair can be active at a time.
7. Click to select the domain key, then click Download.
Your web browser downloads the plain text file which contains the exported DNS record (.dkim) file.
8. Publish the public key by inserting the exported DNS record into the DNS zone file of the DNS server that resolves this domain name. For details, see the documentation for your DNS server.
9. Now you can activate the key by selecting the key and then clicking Activate.