Adding a signing rule

Use the following steps to create a DKIM signing rule on the page Settings > Inbound/Outbound > DKIM Settings:

Steps

  1. From the section DKIM Signing Rules, click Add. The Add Signing Rule page displays.
  2. In the text field Rule name, enter a name for your rule.
  3. Enter the name of the domain to which this signing rule applies.
  4. (Optional) To include the identity of the user or agent for whom the message is signed, mark the check box Include user identifier.
  5. (Optional) In the text field User identifier, enter the user identifier.
    This field is not enabled if the check box Include user identifier is not marked.
  6. In the text field Selector, enter the domain name selector.
    A selector is a name component provided in addition to the domain name used in the DNS public key query. A given domain may have multiple selectors.
  7. From the pull-down menu Signing key, select the signing key to associate with this rule from the list of existing keys.
  8. Click Advanced Options.

    A box displays with additional optional rule settings:

    • From the pull-down menu Algorithm, select a signing algorithm. Options include RSA-SHA-1 or RSA-SHA-256. The default is RSA-SHA-1.
    • In the section Canonicalization, specify a canonicalization method for message header and body.

      The canonicalization process prepares a message header and body before email is signed. Canonicalization is required because email processing may introduce minor changes to a message.

      The following header and body changes are made, based on the selection of Simple or Relaxed:

      Message Header
        Simple (default): No header changes made
        Relaxed:
          • Header names changed to lowercase
          • Header line breaks removed
          • Linear white spaces (including tabs and carriage returns) reduced to a single space
          • Leading and trailing spaces stripped
      Message Body
        Simple (default): Empty lines at end of body stripped
        Relaxed:
          • Empty lines at end of message body stripped
          • Linear white spaces (including tabs and carriage returns) reduced to a single space
          • Trailing spaces stripped
    • From the list of standard headers, indicate the message headers to sign.
    • In the field Additional headers, include other headers as a comma-separated list.
    • Specify whether to sign the entire message body or only a portion.

      For the latter selection, enter the maximum number of Kbytes to be signed. The default is 1024.

    • Select any optional signature tags for the signing rule:
      • t lets you add a signature creation timestamp.
      • x lets you specify a signature expiration time in seconds. The default is 3600 seconds.
      • z adds the list of signed header fields to the signature.
  9. From the pull-down menu Signing rule options, select either Sign email messages or Do not sign email messages.

    Next, create a list of email addresses to which this option applies.

    • For example, if you select Sign email messages, then email from the addresses in the list is signed. Email from other addresses is not signed.
    • If you select Do not sign email messages, then email from the addresses in the list is not signed, and email from all other users is signed.

    Remove an email address from the list by selecting it and clicking Remove.

  10. Click OK.
    The settings are saved.
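The Simple and Relaxed canonicalization choices in step 8 determine whether a signature still verifies after a relay re-folds headers or alters whitespace. The following Python sketch is an added example, not code from this product: it assumes the product follows the RFC 6376 canonicalization rules, and the sample message and the function names are constructed for illustration.

```python
import base64
import hashlib
import re

def canon_header(name, value, mode):
    """Canonicalize one header field; value is everything after the colon."""
    if mode == "simple":
        return f"{name}:{value}\r\n"                 # no header changes made
    value = re.sub(r"\r\n(?=[ \t])", "", value)      # remove header line breaks
    value = re.sub(r"[ \t]+", " ", value).strip()    # collapse, then trim
    return f"{name.lower().strip()}:{value}\r\n"     # lowercase header name

def canon_body(body, mode):
    """Canonicalize a CRLF-delimited message body."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while lines and lines[-1] == "":                 # both modes strip trailing empty lines
        lines.pop()
    out = "".join(ln + "\r\n" for ln in lines)
    return out or ("\r\n" if mode == "simple" else "")  # RFC 6376 empty-body rule

def body_hash(body, mode):
    """Value of the bh= tag for an rsa-sha256 signature."""
    digest = hashlib.sha256(canon_body(body, mode).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

# Constructed sample: the same message as signed and as seen after a relay
# re-folded the Subject header and touched whitespace in the body.
SIGNED = {"header": ("Subject", " Quarterly report"),
          "body": "Hello  team,\r\nnumbers attached.\r\n"}
RELAYED = {"header": ("SUBJECT", " Quarterly\r\n\treport "),
           "body": "Hello team, \r\nnumbers\tattached.\r\n\r\n\r\n"}

def survives(mode):
    """Return (header_ok, body_ok): does the relayed copy still match what was signed?"""
    header_ok = canon_header(*SIGNED["header"], mode) == canon_header(*RELAYED["header"], mode)
    body_ok = body_hash(SIGNED["body"], mode) == body_hash(RELAYED["body"], mode)
    return header_ok, body_ok

if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        print(mode, survives(mode))
```

With Simple, only the extra empty lines at the end of the body are tolerated, so the relayed copy fails on both header and body; with Relaxed, both still match.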