ThinkDKIM for IIS SMTP Online Help

Quick Step-by-step

  • After installing ThinkDKIM for IIS SMTP, run ThinkDKIM Manager.
  • From the File menu select "New DomainKey...".
  • Enter the domain name you want to sign (e.g. example.com) and a selector of your choice (e.g. jun2015). Keep in mind that this must be the domain used in your From or Sender email addresses (e.g. billing@example.com).
  • Click "OK". You will be prompted to export the public key; click "Yes".
  • Go to the domain's DNS management service (usually provided by the domain registrar) and add a new TXT record named selector._domainkey.example.com, replacing the selector and domain with the ones specified in step 3. Then copy the line starting with "v=DKIM1..." (without the quotation marks) and paste it into the TXT record value field.
  • Click "OK" to close the "Export Public Key" window.
  • Right-click the DomainKey you've just added and select "Test Public Key". This will tell you either that the TXT record can't be located, or that the public key found in the TXT record doesn't match the DomainKey's. If everything works as planned, you will see a message saying the public keys match. Keep in mind that DNS modifications usually take a few minutes to take effect, and sometimes up to a few hours.
  • From the Tools menu select "Restart IIS".
  • Now send a test message with the From or Sender fields holding an address belonging to the domain entered in step 3.
  • On the recipient side, look for a "Signed by example.com" indication, or alternatively click "View Source" and locate the "DKIM-Signature" header field to verify the message was actually signed.

Troubleshooting

If you have trouble getting your outgoing messages signed, take the following steps:

  • Make sure you've activated your product license (the "License Activation..." option in the Help menu should be grayed out) or alternatively that you are still within the 30-day trial period.
  • Run cmd.exe with administrative rights (right-click cmd.exe and select "Run as administrator").
  • Navigate to "c:\Program Files\ThinkDKIM" and run "regsvr32.exe ThinkDKIM.dll", then navigate to the "setup" directory and run "InstallOnPostCategorize.bat" (this will restart IIS).
  • Try resending a test message and verify it was successfully signed.
  • If needed, contact us for technical support.

More Details

DomainKeys Identified Mail (DKIM) is a method for associating a domain name with an email message by means of a digital signature embedded inside the message, which recipients can validate.

The signer (IIS SMTP) is responsible for adding a DKIM-Signature field to the message's header. The verifier (Gmail, Hotmail, Yahoo etc.) recovers the sender's public key by querying the sender's DNS record, and then verifies that the signature matches the actual message's content. The basic principle is that only the true owner of the domain is able to control its DNS records, and hence produce a valid signature.

Creating a DomainKey

Use ThinkDKIM Manager to create new DomainKeys. Each DomainKey defines a specific domain, a selector (which will be used in conjunction with the domain to define the actual DNS record), a certificate (private/public key pair), and optionally header fields which will be excluded from the signature.

If our domain is example.com, and the selector we've chosen is jun2012, then after creating the DomainKey we'll have to right-click the DomainKey and Export Public Key. Then we will have to define a new DNS record of type TXT named jun2012._domainkey.example.com which will hold the public key portion of the certificate, as explained in the export window.

The Signing Process

When IIS SMTP is ready to deliver an outgoing message, it will first hand it over to ThinkDKIM for possible signing. ThinkDKIM will examine the sender's domain (first the Sender header field, then the From field) to see whether it has a matching DomainKey. If it does, it will use the certificate private key to sign the message content.

The Verification Process

A verifier that receives a message containing a DKIM signature will recover the sender's public key from the DNS (by querying TXT record selector._domainkey.domain.com) and verify the message content against it.

Signature Content

The following header fields are included in the signature: From, Sender, Reply-To, Subject, Date, Message-ID, To, Cc, MIME-Version, Content-Type, Content-Transfer-Encoding, Content-ID, Content-Description, Resent-Date, Resent-From, Resent-Sender, Resent-To, Resent-Cc, Resent-Message-ID, In-Reply-To, References, List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post, List-Owner and List-Archive.

It is possible to define, per DomainKey, fields that will be excluded from the signature. This is useful when relaying outgoing messages through services such as Amazon SES, which might modify some fields and thus invalidate the signature.
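
The check described in the last Quick Step and under "The Verification Process", as an added example that is not part of ThinkDKIM: it reads the DKIM-Signature field from a message source, derives the TXT record name a verifier would query, and lists header fields that are present but not covered by the signature (for instance because they were excluded in the DomainKey). The sample message, the TXT value and the function names are constructed for illustration; the b=, bh= and p= values are placeholders.

```python
import re
from email import message_from_string

# Constructed sample: header section of a signed message as shown by "View Source".
# The bh= and b= values are placeholders, not real hashes or signatures.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=jun2015; h=From:Subject:Date:Message-ID:To:MIME-Version;
 bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIGNATURE=
From: billing@example.com
To: customer@example.net
Subject: Invoice
Reply-To: support@example.com
Date: Mon, 01 Jun 2015 10:00:00 +0000
Message-ID: <1@example.com>
MIME-Version: 1.0

body
"""
SAMPLE_TXT = "v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY"  # constructed TXT value

def parse_tags(value):
    """Split a DKIM tag=value list (header field or TXT record) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def inspect_signature(raw_message):
    """Return the DNS name to query and the signed/unsigned header fields."""
    msg = message_from_string(raw_message)
    header = msg["DKIM-Signature"]
    if header is None:
        return None  # message was not signed
    tags = parse_tags(header)
    signed = {h.lower() for h in tags.get("h", "").split(":") if h}
    present = {name.lower() for name in msg.keys()} - {"dkim-signature"}
    return {
        "dns_name": f"{tags.get('s', '')}._domainkey.{tags.get('d', '')}",
        "signed": sorted(signed),
        "unsigned_present": sorted(present - signed),
    }

def check_txt_record(txt):
    """A usable key record has v=DKIM1 and a non-empty p= (empty p= means revoked)."""
    tags = parse_tags(txt)
    return tags.get("v") == "DKIM1" and bool(tags.get("p"))
```

Fields reported under "unsigned_present" can be changed in transit without invalidating the signature, so keep the per-DomainKey exclusion list as short as the relay requires.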