ivan
  • ivan
  • 100% (Exalted)
  • Administration Topic Starter
10 years ago
Install and Deploy DKIM in IIS SMTP Service

In this topic, I will show how to add a DKIM signature to outbound emails in the IIS SMTP Service. I will also cover the use of the DKIM "selector" and "sender rule".

How DKIM works

When an email claims to originate from a certain domain, DKIM provides a mechanism by which the recipient system can determine that the email is authorized to be sent by that domain. The workflow is illustrated as follows:

UserPostedImage
How to install DKIM in IIS SMTP Service

To deploy DKIM signing in the IIS SMTP Service, download the DKIM Installer and install it on your machine.

https://www.emailarchitect.net/webapp/download/eaexchdomainkeys.exe 

Double-click the installer file; the installation runs automatically.

UserPostedImage

After the installation is complete, click "DKIM Plugin Manager" from "Windows Start menu"->"All Programs"->"EA DKIM for IIS SMTP and Exchange Server" to begin the configuration.
Create DKIM for Domain

Click "DKIM" in the Manager and click "New" to create a new domain DKIM signature. The DKIM signature is based on the domain of the sender's email address; it is unrelated to the name of the IIS SMTP server.

UserPostedImage

Simply enter your sender domain, keep the default settings for the other parameters, and click "Save" to create your DKIM signature.
DKIM Parameters

Here is the detailed information about DKIM parameters:

UserPostedImage
Export DKIM Public Key

As introduced above, the recipient mail system needs the public key to verify the DKIM signature, so we need to deploy the DKIM public key to the domain's DNS server; the recipient server can then query DNS to get the public key.

Now open the DKIM manager, select your domain, and click "Export Public Key":

UserPostedImage


After the public key is exported, you should deploy it in your domain DNS server.
Deploy DKIM Public Key to Windows DNS Server

If your domain is managed by a Windows DNS server, deploy the DKIM public key like this:

UserPostedImage
Add DKIM policy in Windows DNS Server (Optional*)

This DNS record is optional. If you do not set a DKIM policy, "o=~;" is used by default.
The workflow is illustrated as follows:

UserPostedImage
Deploy DKIM public key in other DNS server

If your domain is managed by a "Network Solutions" DNS server, a BIND DNS server or another DNS server, deploy the public key as follows:

UserPostedImage
DKIM Test

Now you can test the DKIM signature with this online tool:
http://www.appmaildev.com/en/dkim 

UserPostedImage

If the report email shows "DKIM Result: pass", your DKIM signature was verified successfully. If there is any error, please have a look at the following section.
DKIM Troubleshooting

You can check the problem step by step as follows:
If you have any further problems, please contact support@emailarchitect.net for assistance.

UserPostedImage
DKIM Sender Rule

Sometimes you need to send an email whose sender address does not belong to your server.
In this case, you cannot add a DKIM signature to that email, because you don't have permission to deploy a DKIM public key to the sender domain's DNS server. Of course, if you don't send email from outside email addresses, or you don't need to DKIM-sign those emails, you can simply ignore this topic.

You can use "Sender Rule" as follows:

UserPostedImage
DKIM Selector

To support multiple concurrent public keys for a sending domain, the DNS namespace is further subdivided by "selectors". Selectors are arbitrary names below the "_domainkey" namespace.

The most important thing is: "selector" indicates your DKIM public key location. For example: if your domain selector is: "s1024", your public key DNS record is "s1024._domainkey.yourdomain"; if your domain selector is: "mta1", your public key DNS record is "mta1._domainkey.yourdomain".

If you have only one IIS SMTP server, you can ignore the following sections.

UserPostedImage
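The selector-to-DNS mapping described above, together with the checks a verifier's key lookup depends on, as an added example (not part of the original post and not EA DKIM code). The function names, the example.com domain and the filler key bytes are assumptions constructed for illustration; the second check shows a record whose key was cut off at the 255-byte TXT string limit.

```python
import base64
import re

def parse_tags(value):
    """Split a DKIM tag=value list (RFC 6376, section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            # Whitespace inside s=, d= and p= values is folding only; drop it.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_record_name(dkim_signature):
    """DNS name a verifier queries for the key: <s>._domainkey.<d>."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def check_key_record(txt_strings):
    """Return the problems found in a selector TXT record ([] = usable)."""
    # TXT strings hold at most 255 bytes each; verifiers join them unseparated.
    tags = parse_tags("".join(txt_strings))
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unsupported key type")
    p = tags.get("p")
    if p is None:
        problems.append("missing p= tag")
    elif p == "":
        problems.append("empty p=: key is revoked")
    else:
        try:
            base64.b64decode(p, validate=True)
        except ValueError:
            problems.append("p= is not valid base64")
    return problems

# Constructed sample data: a signature header value and 294 filler bytes
# standing in for a 2048-bit RSA public key (not a real key).
SIGNATURE = ("v=1; a=rsa-sha256; d=example.com; s=s1024; h=from:to:subject; "
             "bh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ=")
RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(bytes(294)).decode()
TXT_STRINGS = [RECORD[i:i + 255] for i in range(0, len(RECORD), 255)]

if __name__ == "__main__":
    print(key_record_name(SIGNATURE), check_key_record(TXT_STRINGS))
    print(check_key_record(TXT_STRINGS[:1]))  # only the first string published
```
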
Using a single DKIM selector for the same domain on multiple IIS SMTP Servers

If all of your servers are running EA DKIM, deploy the certificate as follows:
UserPostedImage
Using multiple DKIM selectors for the same domain on multiple IIS SMTP servers

If you don't want to copy the certificate to all servers, or you have another server signing DKIM with a key pair certificate not supported by EA DKIM, you can use a different selector for each server.

UserPostedImage

© All Rights Reserved, AIFEI Software Limited & AdminSystem Software Limited.