DKIM and self-signed certificate

  • Question

  • We have an Exchange 2013 environment behind a third-party anti-spam/anti-virus/edge appliance handling inbound and outbound mail. The appliance can be used to deploy DKIM. There are two options I see: use a commercial cert or a self-signed cert. Has anyone used a self-signed cert when deploying DKIM with a third-party solution? If so, how will the receiving party verify the signature?
    Wednesday, July 20, 2016 11:49 PM

Answers

  • We have an Exchange 2013 environment behind a third-party anti-spam/anti-virus/edge appliance handling inbound and outbound mail. The appliance can be used to deploy DKIM. There are two options I see: use a commercial cert or a self-signed cert. Has anyone used a self-signed cert when deploying DKIM with a third-party solution? If so, how will the receiving party verify the signature?
    I think you are confusing what the cert is used for in DKIM. The receiving servers do not need to trust it; it's used for signing the messages. The public key is available in DNS for all the world to see, the private key is used for the signing. So, in other words, it's perfectly OK to use a self-signed cert.


    • Proposed as answer by David Wang_ Friday, July 22, 2016 1:48 AM
    • Marked as answer by David Wang_ Wednesday, July 27, 2016 6:30 AM
    Thursday, July 21, 2016 10:48 AM
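    To make the accepted answer's point concrete, here is an added example (not from the thread or any vendor product): a self-generated RSA key pair is turned into a `selector._domainkey` TXT record, a canonicalized header block is signed with the private key, and the signature is verified using nothing but the `p=` value copied back out of that record, i.e. with no certificate chain or CA involved. It is a simplified illustration of the key handling, not a full RFC 6376 signer; domain `example.com`, selector `s1` and the header text are placeholder values.

```shell
#!/bin/sh
# Added example: DKIM key handling with openssl, independent of any CA.
# Placeholder values: example.com / selector s1 / constructed header lines.
set -e
DOMAIN="example.com"
SELECTOR="s1"
WORK="$(mktemp -d)"

# 1. Sender generates its own RSA key; nobody needs to sign or trust it.
dkim_gen_keys() {
  openssl genrsa -out "$WORK/dkim.key" 2048 2>/dev/null
}

# 2. The DNS TXT record: base64 of the DER public key in the p= tag.
dkim_txt_record() {
  p=$(openssl rsa -in "$WORK/dkim.key" -pubout -outform DER 2>/dev/null | openssl base64 -A)
  printf '%s._domainkey.%s IN TXT "v=DKIM1; k=rsa; p=%s"\n' "$SELECTOR" "$DOMAIN" "$p"
}

# 3. Signing (sender side) uses the private key only.  $1 = file with canonicalized headers
dkim_sign() {
  openssl dgst -sha256 -sign "$WORK/dkim.key" "$1" | openssl base64 -A
}

# 4. Verification (receiver side) rebuilds the public key from the TXT record's p= tag.
#    $1 = header file, $2 = base64 signature; prints "ok" or "fail".
dkim_verify() {
  p=$(dkim_txt_record | sed 's/.*p=\([^"]*\)".*/\1/')
  {
    printf -- '-----BEGIN PUBLIC KEY-----\n'
    printf '%s' "$p" | fold -w 64
    printf '\n-----END PUBLIC KEY-----\n'
  } > "$WORK/from_dns.pem"
  printf '%s' "$2" | openssl base64 -d -A > "$WORK/sig.bin"
  if openssl dgst -sha256 -verify "$WORK/from_dns.pem" -signature "$WORK/sig.bin" "$1" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}
```

Run `dkim_gen_keys`, publish the line from `dkim_txt_record` in DNS, and the receiver side can verify with `dkim_verify` having never seen anything but that record.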

All replies

  • Hi,

    I have found the following words for your reference:"If you don't have a certificate (private/public key pair) for your domain, DKIM manager will create a certificate for your domain automatically; if you have an existed certificate, please import it from your local disk and input your certificate protection password."

    So I think you don't need to worry about the cert.

    https://www.emailarchitect.net/forum/yaf_postst357_Set-up-DKIM-in--Exchange-2007-2010-2013.aspx#post538

    Please note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Regards,

    David


    David Wang_
    TechNet Community Support

    • Proposed as answer by amanagemen Friday, July 22, 2016 3:16 AM
    Thursday, July 21, 2016 2:05 AM
  • OK. The correct word I should have used is verify, not trust. So in this case there is no need to use anything but a self-signed cert. Any advantage to using a commercial one?
    Thursday, July 21, 2016 1:57 PM
  • OK. The correct word I should have used is verify, not trust. So in this case there is no need to use anything but a self-signed cert. Any advantage to using a commercial one?
    Not that I am aware of.


    Thursday, July 21, 2016 3:06 PM