Using DomainKeys/DKIM for IIS SMTP Service and Exchange Server


Installation

To install "DomainKeys/DKIM for IIS SMTP Service and Exchange Server", you require a single installation file named "EAExchDomainKeys.exe". Please download the latest version of the installation file for the setup, which is available at our website: http://www.emailarchitect.net/domainkeys. Double click this file, and read the license agreement carefully. If you agree to the terms, click "I Agree" to proceed with the installation. Otherwise click "Cancel" to abort the installation. "DomainKeys/DKIM for IIS SMTP Service and Exchange Server" requires IIS SMTP Service or Exchange Server to be installed and enabled. If no IIS SMTP Service or Exchange Server is detected on your operating system, Setup will be aborted. After the installation is complete, click "DomainKeys Sink Manager" from "Start menu-> All Programs->EA DomainKeys Sink->DomainKeys Sink Manager" to begin the setup.

How DomainKeys/DKIM works

DomainKeys/DKIM combines public key cryptography and DNS to provide credible domain-level authentication for email.

When an email claims to originate from a certain domain, DomainKeys/DKIM provides a mechanism by which the recipient system can credibly determine that the email did in fact originate from a person or system authorized to send email for that domain.

Therefore, to sign an email with DomainKeys/DKIM, you MUST have a private key/public key pair for email signing.

The workflow:

Email sender ->
IIS SMTP Service/Exchange Server ->
DomainKeys/DKIM Sink ->
The sink uses the private key to create a digital signature based on the email content ->
IIS SMTP Service/Exchange Server delivers the signed email to the remote recipient ->
The remote server receives the email ->
It queries the public key from the sender domain's DNS record ->
It verifies the digital signature with the public key.

Set up certificate for a specified domain

To create DomainKeys/DKIM signatures for outgoing email from a specified domain, you should create or assign a DomainKeys/DKIM certificate (with a public key/private key pair) for your domain signature, then export the public key and deploy it on your domain's DNS server.

EA DomainKeys/DKIM Manager has a user-friendly GUI to create a certificate for DomainKeys/DKIM. First of all, start the "DomainKeys Sink Manager" from "Start menu-> All Programs->EA DomainKeys Sink->DomainKeys Sink Manager". Then click Setup DomainKeys/DKIM Signature->New DomainKeys. Input your domain name (for example: adminsystem.com) and a selector, which is required. If you don't know what a selector is, just leave it as "s1024". We strongly recommend that you use the default settings for the other options. Lastly, click "OK", and a DomainKeys/DKIM certificate for your domain will be created.

Export Public Key

After you have added a domain in DomainKeys Sink Manager, you can select the domain and click "Export Public Key". A dialog box will pop up and display a Public Key and a TXT record for you to deploy on your DNS server.

>> Deploy public key in DNS server
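The public key lookup in the workflow above and the TXT record shown by "Export Public Key" can be checked with the following Python, an added example rather than EA DomainKeys code: it derives the DNS name a receiving server queries from a DKIM-Signature header and sanity-checks a published record. The header, the selector s1024, the domain adminsystem.com and the key values are constructed sample data.

```python
import re

# Constructed sample DKIM-Signature header, as a signing sink would add it
# (domain and selector match the manual's example; bh= and b= are placeholders, not real values).
SAMPLE_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=adminsystem.com;"
    " s=s1024; h=from:to:subject:date; bh=PLACEHOLDERBODYHASH; b=PLACEHOLDERSIGNATURE"
)

# Constructed sample TXT record in the shape the "Export Public Key" dialog shows.
# DNS splits strings longer than 255 bytes, so a real record may arrive as several strings.
SAMPLE_TXT_STRINGS = ["v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEYPART1", "PLACEHOLDERPUBLICKEYPART2"]


def parse_tags(value: str) -> dict:
    """Parse a 'tag=value; tag=value' list; whitespace inside values (folded lines) is dropped."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def dns_query_name(header: str) -> str:
    """Return the TXT record name a verifier looks up for this header: <selector>._domainkey.<domain>."""
    body = re.sub(r"(?i)^dkim-signature:", "", header.strip())
    tags = parse_tags(body)
    if "d" not in tags or "s" not in tags:
        raise ValueError("DKIM-Signature lacks the d= (domain) or s= (selector) tag")
    return f"{tags['s']}._domainkey.{tags['d']}"


def check_txt_record(strings: list) -> list:
    """Join the DNS TXT strings and return a list of problems (empty means the record looks usable)."""
    tags = parse_tags("".join(strings))   # verifiers concatenate the strings before parsing
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but if present it must be DKIM1
        problems.append("v= tag is not DKIM1")
    if tags.get("k", "rsa") != "rsa":      # k= defaults to rsa when absent
        problems.append("key type k=%s is not rsa" % tags.get("k"))
    if not tags.get("p"):                  # an empty p= means the key has been revoked
        problems.append("p= tag is empty, so every signature using this selector will fail")
    return problems
```

To check a live deployment, feed the strings returned by a TXT query for the name dns_query_name gives you into check_txt_record.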

Deploy DomainKeys on multiple servers

If you have multiple SMTP servers sending email from the same domain, deploy the certificate like this: First of all, install EA DomainKeys on the first server and create the certificate for your domain. Then install EA DomainKeys on the other servers, and copy the *.pfx certificate you created on the first server to each other server's EA DomainKeys installation path\certs. Finally, when you create the DomainKeys on the other servers, leave "I don't have a certificate ..." unchecked, select the *.pfx file from your local disk and input "TMP001" as the password. All of your servers will then have the same certificate for your domain.

IIS SMTP Event Sink

By default, EA DomainKeys installs an event sink "EA DomainKeys Sink" on the OnMessageStart event of your IIS SMTP service (Exchange 2000 and Exchange 2003). This is almost the last event before IIS SMTP sends the email to the remote host, so installing EA DomainKeys Sink on this event gives good compatibility with other SMTP plug-in software. If you have no other SMTP plug-in software installed on your IIS SMTP service, we suggest installing "EA DomainKeys Sink" on the OnPostCategorize event instead; on this event EA DomainKeys Sink has better performance. However, if another SMTP plug-in changes the message content after the DomainKeys signature has been added, the signature will be broken.

If you install EA DomainKeys on IIS SMTP Service, Exchange 2000 or Exchange 2003, you can find "InstallOnPostCategorize.bat" and "InstallOnMessageStart.bat" in the EA DomainKeys installation folder\installer after the installation. Double click the bat file to install EA DomainKeys on the specified event.

Exchange 2007 Transport-Agent

By default, EA DomainKeys installs a transport agent "EA DomainKeys Agent" on your Exchange 2007. If you install another transport agent after EA DomainKeys was installed, the new transport agent may break the DomainKeys signature. If you find the DomainKeys signature is broken after you installed a new transport agent, uninstall the EA DomainKeys transport agent from your Exchange 2007 and re-install it; the DomainKeys agent will then be the last agent again and the signature will not be broken by other transport agents.

See Also

Deploy public key in DNS server
Test DomainKeys/DKIM signature
Appendix - Set up SPF record in DNS server