Utilities: Administration: Sites: New/Edit Site: DomainKeys
Overview
DomainKeys is a sender authentication technology that gives your recipients the ability to verify the domain the email was sent from and assures them that the message was not altered during transfer. This can be a powerful tool that results in greater trust in your mailings.
Setting Up and Using DomainKeys
1. Generate a public/private key pair.
2. Publish the public key in DNS (it is published to your domain's _domainkey subdomain TXT record).
3. Copy the private key code you generated and paste it into the Private Key box on the DomainKeys page in ListManager. Add Headers and Selectors on the same page.
4. When you send email, the private key generates a digital signature of the message.
5. The DomainKeys-enabled receiving server extracts the digital signature and claimed From: domain from the headers.
6. The receiving server fetches the public key from DNS and uses it to verify the digital signature. If the signature verifies, this proves that the claimed From: domain is accurate and that the signed headers and content were not altered. If the signature fails to verify, the email can be dropped, flagged or quarantined.
In Windows:
1. Open the Command Prompt (Start > Programs > Accessories > Command Prompt).
2. Navigate to the following folder:
C:\Program Files\ListManager\tclweb\bin\certs
Generate the Private Key
1. Type the following:
openssl genrsa -out rsa.private 512
2. Press ENTER. The private key is generated and saved in a file named "rsa.private" located in the same folder.
NOTE The number "512" in the above command indicates the size of the private key in bits. You can choose one of five sizes: 512, 768, 1024, 1536 or 2048 bits. The larger sizes offer greater security, but this is offset by a penalty in CPU performance. We recommend staying with 512.
Generate the Public Key
1. At the command prompt, type the following:
openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM
2. Press ENTER. The public key is saved in a file named rsa.public located in the same folder.
Creating and Publishing the Domain TXT Record
Next, you must create the Domain TXT Record which you will publish to DNS. You can do this in Windows Notepad or any word processor. Here is an example of a typical record:
2006._domainkey IN TXT "k=rsa; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANtlhE1vNuUrzNPKjYblYUn0kBLgRzUbnZ9JCJe4w5/ocxIoeewlp328b20S2tETjIa4krj8OJ1lJFT8VhAHLmcCAwEAAQ=="
The record consists of three main sections:
1. Selector: In this example, 2006 is the selector. It must always be followed by a dot, then an underscore, and then the word "domainkey."
Example:
2006._domainkey
2. Record identifier: "IN TXT" is the record identifier, and it is the same for every record.
3. Tag=value pairs: Note that this section is enclosed in quotation marks. There are two tag=value pairs that must be included:
k=rsa
RSA is an algorithm for public-key encryption. This tag=value pair is the same for every record.
p=MFww..........EEAQ=="
This is where you insert the public key. You must do the following:
a. Open the file rsa.public that you generated in the section above called "Generate the Public Key."
b. Copy the string of characters starting with the first character after "-----BEGIN PUBLIC KEY-----" and ending with the last character before "-----END PUBLIC KEY-----."
c. Type p= and then paste the string.
d. Type the closing quotation mark for the tag=value pair section.
4. Publish the Domain TXT Record.
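The copy-and-paste steps above can be done programmatically, and doing so lets you check the pasted value before it goes into DNS. The following Python script is an added example, not part of ListManager or this page; it reads the rsa.public PEM file, strips the BEGIN/END markers, checks that the base64 body really is a DER SubjectPublicKeyInfo for an RSA key (so you cannot publish the private key or a non-RSA key by mistake), reads the modulus size, validates the selector, and assembles the zone-file line. The sample key embedded in it is the 512-bit example key from the record shown above, re-wrapped at 64 columns the way openssl writes it; the function names are the example's own.

```python
import base64
import re

# Sample input: the 512-bit RSA public key from this page's example record,
# wrapped at 64 columns as "openssl rsa -pubout" writes rsa.public.
SAMPLE_PUBLIC_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANtlhE1vNuUrzNPKjYblYUn0kBLgRzUb
nZ9JCJe4w5/ocxIoeewlp328b20S2tETjIa4krj8OJ1lJFT8VhAHLmcCAwEAAQ==
-----END PUBLIC KEY-----
"""

# DER encoding of the rsaEncryption OID (1.2.840.113549.1.1.1). A p= value
# published with k=rsa must carry this algorithm identifier.
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")

PEM_RE = re.compile(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S)
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
SELECTOR_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")


def pem_to_p_value(pem: str) -> str:
    """Return the base64 text between the PEM markers with all line breaks removed.

    This is steps a-c above done by code, plus a structural check on the result.
    """
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no BEGIN/END PUBLIC KEY markers found (is this rsa.public?)")
    body = "".join(m.group(1).split())            # drop newlines and stray spaces
    der = base64.b64decode(body, validate=True)   # rejects characters outside base64
    if not der.startswith(b"\x30"):
        raise ValueError("value is not a DER SEQUENCE; not a public key file")
    if RSA_ENCRYPTION_OID not in der:
        raise ValueError("key is not an RSA key, so k=rsa would be wrong")
    return body


def _read_tlv(der: bytes, pos: int):
    """Minimal DER reader: (tag, value_start, value_end) of the element at pos."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                              # long form: low bits = byte count
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def rsa_key_bits(public_key_pem: str) -> int:
    """Modulus size in bits, read from the SubjectPublicKeyInfo structure."""
    der = base64.b64decode(pem_to_p_value(public_key_pem))
    _, spki_start, _ = _read_tlv(der, 0)           # outer SEQUENCE
    _, _, alg_end = _read_tlv(der, spki_start)     # AlgorithmIdentifier SEQUENCE
    _, bits_start, _ = _read_tlv(der, alg_end)     # BIT STRING holding RSAPublicKey
    _, seq_start, _ = _read_tlv(der, bits_start + 1)   # +1 skips unused-bits octet
    _, n_start, n_end = _read_tlv(der, seq_start)  # INTEGER modulus
    modulus = der[n_start:n_end].lstrip(b"\x00")   # drop the sign-padding byte
    return len(modulus) * 8


def validate_selector(selector: str) -> str:
    """Selectors must be legal DNS names and must not contain a semicolon."""
    if ";" in selector:
        raise ValueError("selector must not contain a semicolon")
    if not SELECTOR_RE.match(selector):
        raise ValueError(f"selector {selector!r} is not a legal DNS name")
    return selector


def build_txt_record(selector: str, public_key_pem: str) -> str:
    """Assemble the zone-file line in the form shown on this page."""
    name = f"{validate_selector(selector)}._domainkey"
    return f'{name} IN TXT "k=rsa; p={pem_to_p_value(public_key_pem)}"'


if __name__ == "__main__":
    print(rsa_key_bits(SAMPLE_PUBLIC_KEY_PEM), "bit key")
    print(build_txt_record("2006", SAMPLE_PUBLIC_KEY_PEM))
```

Replace SAMPLE_PUBLIC_KEY_PEM with the contents of your own rsa.public. Two caveats worth knowing: a single DNS TXT character-string is limited to 255 octets, so keys of 2048 bits (whose p= value alone is nearly 400 characters) have to be split into several quoted strings, which the 512-bit example never hits; and current DKIM practice (RFC 8301) has verifiers reject RSA keys shorter than 1024 bits, so rsa_key_bits is a useful check before publishing if you choose a size other than the one this page recommends.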
Setting up DomainKeys in ListManager
1. Open ListManager
2. In the left Navigation bar, go to Utilities : Administration : Sites.
3. Under Site Name, click the site you want.
4. Click the DomainKeys tab.
5. To enable DomainKeys, select yes next to DomainKey Signatures.
NOTE This is a site-level setting. If you select no, a list administrator can still enable DomainKeys at the list level. That option is called Enable DomainKey Signatures and is found on the page: Utilities : List Settings : Basic Information : Enable Features.
6. In the Headers box, type the header(s) you want. If you type two or more, separate them with colons.
NOTE You do not have to include every possible header, but only the headers you list will be included in the digital signature. You should include any headers that you want to prevent from being altered.
7. In the Selector box, enter the selector you used when you created the Domain TXT Record.
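The note on the Headers box is easy to underestimate: a header that is not in the list is simply not covered by the signature, so changing it in transit goes unnoticed. The Python script below is an added illustration, not ListManager code; it takes a Headers setting in the colon-separated form the page describes, selects those headers from a constructed sample message, and computes the digest that the private key would sign (DomainKeys used SHA-1 with RSA; the RSA step itself is not performed here). Comparing digests before and after an edit shows which changes a verifier would catch. The message text and all function names are this example's own.

```python
import hashlib
from email import message_from_string

# Constructed sample message; not taken from the page.
SAMPLE_MESSAGE = """From: news@example.com
To: member@example.net
Subject: January newsletter
Date: Mon, 01 Jan 2007 09:00:00 +0000
X-Mailer: ListManager
Content-Type: text/plain

Happy new year from the list.
"""


def parse_header_list(headers_setting: str) -> list:
    """Split the Headers box value, e.g. "From:Subject:Date", into header names."""
    return [h.strip() for h in headers_setting.split(":") if h.strip()]


def signed_headers(raw_message: str, headers_setting: str) -> list:
    """Return (name, value) pairs for the listed headers only, in the listed order."""
    msg = message_from_string(raw_message)
    covered = []
    for name in parse_header_list(headers_setting):
        value = msg.get(name)
        if value is not None:          # a listed header that is absent is skipped
            covered.append((name, value))
    return covered


def signing_digest(raw_message: str, headers_setting: str) -> str:
    """SHA-1 over the covered headers and the body; this is what RSA would sign."""
    msg = message_from_string(raw_message)
    h = hashlib.sha1()
    for name, value in signed_headers(raw_message, headers_setting):
        h.update(f"{name}: {value}\r\n".encode())
    h.update(b"\r\n")                   # header/body separator
    h.update(msg.get_payload().encode())
    return h.hexdigest()


def change_detected(original: str, modified: str, headers_setting: str) -> bool:
    """True when the edit falls inside what the signature covers."""
    return signing_digest(original, headers_setting) != signing_digest(modified, headers_setting)


if __name__ == "__main__":
    setting = "From:Subject:Date"
    edited_subject = SAMPLE_MESSAGE.replace("January newsletter", "Urgent: reset your password")
    edited_mailer = SAMPLE_MESSAGE.replace("X-Mailer: ListManager", "X-Mailer: something else")
    print("Subject edit detected:", change_detected(SAMPLE_MESSAGE, edited_subject, setting))
    print("X-Mailer edit detected:", change_detected(SAMPLE_MESSAGE, edited_mailer, setting))
```

With the setting "From:Subject:Date", an edit to Subject changes the digest and would fail verification, while an edit to X-Mailer does not, because that header was never listed; adding X-Mailer to the setting brings it under the signature. The body is always covered.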
More About Selectors
The selector is an arbitrary name you create when you publish your public key to DNS. It can be any string that is considered legal in the DNS namespace and email headers; it must not contain a semicolon. When you generate a new public/private key combination, you must choose a new selector. It is a good idea to do this periodically for increased security.
You can have more than one selector active in DNS at one time. Why would you want to do this? Here's one example: let's say it's December 2006; you have a Domain TXT record (public key) published to DNS with a "2006" selector, and your outgoing email is being signed with a 2006 selector (private key). The public/private key combination is matching, and your recipients are getting their mail verified.
The new year rolls around, and you decide you want to change the public/private key pair to "2007" for security reasons. There will probably be a period during which mail that was sent in 2006 is being opened in 2007. If you only have a "2007" TXT Record in DNS, that email will fail verification. You can leave the "2006" TXT Record in DNS for a transition period, and remove it when you feel confident that all 2006 email has been opened.