Introduction
In recent years, ensuring the reliability and security of email transmission has become increasingly important. Questetra Ver. 16.0 added a function that allows DKIM signing with any domain specified by the user. This article explains how system administrators configure the DKIM settings.
What is DKIM?
DKIM (DomainKeys Identified Mail) is a technology that certifies that an email is officially authenticated by the sending domain. The sender's email system adds a digital signature to the email, and the receiver's email system checks the signature to verify that the email has not been tampered with.
DKIM Signing in Questetra
By default, emails sent from Questetra are signed with a DKIM signature for the questetra.net domain. Depending on the sender (From address), the email is either signed by a first party or by a third party.
- If the sender (From address) is the default: First Party signature
- If the sender (From address) has been changed to another email address: Third Party signature
If you configure settings for a domain that you manage, emails whose sender (From address) has been changed are sent with a DKIM signature for the specified domain (Advanced and above). This allows the sender to add a First Party signature even when the From address is changed.
Configuring DKIM Signing for a Custom Domain
In Questetra, once the system administrator registers the private key of the custom domain in the Workflow Platform, outgoing emails can be DKIM-signed with the sender domain. The settings procedure is explained below.
1. Creating a Key Pair
First, generate a private/public key pair for DKIM. You can do this using a tool like OpenSSL. The private key is generated in PKCS#8 PEM format (unencrypted).
For example, the following commands generate a private key (system.pem) and a public key (system.pub):
## Generate PKCS#1 format private key p1.key with key length 2048 bit
$ openssl genrsa -out p1.key 2048
## Convert p1.key to PKCS#8 unencrypted format and generate system.pem
$ openssl pkcs8 -in p1.key -topk8 -nocrypt -out system.pem
## Generate BASE64 string of public key from private key (for DNS registration)
$ openssl rsa -in p1.key -pubout -outform der 2>/dev/null | openssl base64 -A > system.pub
2. Registering Your Public Key in DNS
Next, register the generated public key as a TXT record in the DNS that manages the specified domain.
- Domain: The domain to use in the From address when sending emails.
- Name: {selector}._domainkey
- Selector: A name used to identify the public key used for DKIM signing.
- TXT record value: "v=DKIM1; p={public key}"

If the DNS registration is successful, you can check the contents of the TXT record, for example with the host command.
## DNS record check: {selector}._domainkey.{domain}.
## (domain: questetra.com, selector: questetra)
$ host -t TXT questetra._domainkey.questetra.com
questetra._domainkey.questetra.com descriptive text "v=DKIM1; p=MIIBI...(omitted)...IDAQAB"
3. Registering the Private Key to the Workflow Platform
Finally, register the private key in the workflow platform (Questetra BPM Suite).
From the [System Settings] > [DKIM] menu, select [Add Private Key] and enter the following information.
- Domain: The domain to use in the From address when sending emails
- Selector: The selector used in DNS
- Private Key: Full private key (string beginning with "-----BEGIN PRIVATE KEY-----")

Note:
Please keep your private key secure. If your private key is leaked, it may be used to send spoofed emails. By design, the DKIM settings screen of Questetra does not let you view or display the private key itself after it has been added.
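The DNS check in step 2 can be scripted so that the key published in the TXT record is compared with system.pub before the private key is registered. The following is an added example, not part of the original article or of Questetra's tooling; the function names are hypothetical, and the selector sel1, the domain example.com and the key string are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article. All sample values are constructed.

# Print the p= value from one line of `host -t TXT` output. A 2048-bit key
# exceeds 255 characters, so DNS returns it as several quoted strings
# ("..." "...") that must be joined before the tags are parsed.
dkim_txt_pubkey() {
    printf '%s\n' "$1" |
        sed -e 's/^[^"]*"//' -e 's/"[^"]*$//' -e 's/"[[:space:]]*"//g' |
        tr ';' '\n' |
        sed -n 's/^[[:space:]]*p[[:space:]]*=[[:space:]]*//p' |
        tr -d '[:space:]'
}

# $1 = one line of host output, $2 = path to system.pub
# Returns 0 on match, 1 on mismatch, 2 if not a DKIM1 record, 3 if p= is empty.
dkim_dns_matches() {
    case "$1" in
        *'"v=DKIM1'*) ;;
        *) echo "not a v=DKIM1 TXT record" >&2; return 2 ;;
    esac
    dns_key=$(dkim_txt_pubkey "$1")
    local_key=$(tr -d '[:space:]' < "$2")
    [ -n "$dns_key" ] || { echo "p= is empty" >&2; return 3; }
    [ "$dns_key" = "$local_key" ] || { echo "DNS key differs from $2" >&2; return 1; }
}

# Constructed placeholder strings (not a real key), split into two quoted
# chunks the way a long TXT record appears in host output.
SAMPLE_KEY='MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructedSAMPLEvalue0123456789IDAQAB'
SAMPLE_HOST_LINE='sel1._domainkey.example.com descriptive text "v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructed" "SAMPLEvalue0123456789IDAQAB"'

# Demo: stand-in for system.pub, written to a temporary file.
demo_pub=$(mktemp)
printf '%s' "$SAMPLE_KEY" > "$demo_pub"
if dkim_dns_matches "$SAMPLE_HOST_LINE" "$demo_pub"; then
    echo "DNS record matches system.pub"
else
    echo "DNS record does NOT match system.pub"
fi
rm -f "$demo_pub"
```

Against a live record, pass the real lookup as the first argument, for example dkim_dns_matches "$(host -t TXT {selector}._domainkey.{domain})" system.pub, where the name is expected to return a single TXT record.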
Verifying DKIM Signatures
Emails sent from Questetra contain a DKIM-Signature header. The recipient extracts the value from the DKIM-Signature header, obtains the public key from the DNS of the target domain, and uses this public key to verify the signature.
If all the settings are completed correctly, then when the sender (From address) is changed to any email address of the specified domain, you will be able to confirm in the received email that DKIM authentication for the target domain has passed (depending on the email service you use).


Summary
By setting up DKIM signing for a custom domain in Questetra, you can improve the reliability of email sending and prove to the recipient that the email is legitimate.
If the Sender Policy Framework (SPF) settings are correctly configured in addition to DKIM, you can also properly comply with the Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy. This effectively prevents spoofed emails and phishing scams, and improves the reliability of your email.
