gmichailidis
Staff

Description

 

This article describes how to use the DKIM key pair of a parent domain, published on the DNS servers, to sign outbound emails of its associated domains.

 

Scope

 

All FortiMail

 

Solution

 

First, create a new DKIM key pair on FortiMail for the parent domain.
The KB article below describes how to generate the key pair and publish its public key as a DNS TXT record:

 

How to generate DKIM key: https://community.fortinet.com/t5/FortiMail/Technical-Tip-How-to-generate-DKIM-key/ta-p/193173

Second, publish the same DKIM public key under each associated domain, so that a receiving MTA can look it up and validate the DKIM signature on messages sent from those domains.

 

FortiMail signs outgoing messages of an associated domain with the DKIM key of its parent domain.

The DNS TXT record value (the public key) is therefore identical for the parent domain and every associated domain; only the record name differs for each domain, because the receiving MTA looks the key up under the domain named in the signature's d= tag.


The DKIM record names follow the pattern <selector>._domainkey.<domain>, where 'selector' is the selector name chosen when the key pair was generated. For example, with 'lab.com' as the parent domain and 'example.com' and 'example.org' as associated domains, the records queried for each domain are:

1) For 'lab.com': selector._domainkey.lab.com
2) For 'example.com': selector._domainkey.example.com
3) For 'example.org': selector._domainkey.example.org

Finally, activate the key pair in the domain settings and select 'Enable DKIM signing for outgoing messages' in the Session Profile (under 'Sender Validation') that is applied to the matching IP Policy. Before sending production mail, confirm that the record under each associated domain resolves and carries exactly the same public key value as the parent domain's record; a stale or missing record under one associated domain will make signatures from that domain fail verification.
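The check described above, as an added example that is not part of the original article or of FortiMail itself: it derives the record name a verifier queries from a selector and domain (and from a DKIM-Signature header's s= and d= tags), parses the published TXT records, and reports which associated domains carry the parent domain's public key. The selector 'selector', the domains 'lab.com', 'example.com' and 'example.org', the p= values and the DNS_TXT table are all constructed for illustration; 'example.org' is deliberately given a different key to show the failure case.

```python
"""Added example (not FortiMail's own code): derive the DKIM DNS names a
receiving MTA queries for a parent domain and its associated domains, and
check that the published TXT records carry the same public key.
Selector, domain names and record values are constructed for illustration."""
import re

SELECTOR = "selector"                        # assumed: selector chosen when the key pair was generated
PARENT = "lab.com"                           # assumed parent domain
ASSOCIATED = ["example.com", "example.org"]  # assumed associated domains

# Constructed placeholder key material (truncated, not a real RSA key).
FAKE_PUBKEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexampleexample"
STALE_PUBKEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAstalekeystale"

# Constructed DNS zone data standing in for a real resolver: the same value
# published under different names, except for example.org, which is
# deliberately wrong (an old key left behind) to show a failed check.
DNS_TXT = {
    "selector._domainkey.lab.com": f"v=DKIM1; k=rsa; p={FAKE_PUBKEY}",
    "selector._domainkey.example.com": f"v=DKIM1; k=rsa; p={FAKE_PUBKEY}",
    "selector._domainkey.example.org": f"v=DKIM1; k=rsa; p={STALE_PUBKEY}",
}


def dkim_record_name(selector, domain):
    """Name a verifier queries: <selector>._domainkey.<domain> (RFC 6376)."""
    return f"{selector}._domainkey.{domain}"


def parse_dkim_tags(value):
    """Parse a 'tag=value; tag=value' list (TXT record or DKIM-Signature header)
    into a dict. Only the first '=' separates tag from value, so base64 padding
    in p= or b= is preserved; whitespace inside values is stripped."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, _, val = part.partition("=")
        tags[tag.strip()] = re.sub(r"\s+", "", val)
    return tags


def signature_lookup_name(dkim_signature_header):
    """From a DKIM-Signature header value, return the DNS name the receiving
    MTA will query: the s= selector under the d= signing domain."""
    tags = parse_dkim_tags(dkim_signature_header)
    return dkim_record_name(tags["s"], tags["d"])


def check_associated_keys(selector, parent, associated, lookup):
    """Return {associated_domain: bool}: True when that domain publishes a
    DKIM1 record whose p= value equals the parent domain's p= value.
    `lookup(name)` returns the TXT record string or None if it does not exist;
    DNS_TXT.get serves offline, a real resolver can be passed instead."""
    parent_record = lookup(dkim_record_name(selector, parent))
    if parent_record is None:
        raise ValueError(f"parent record {dkim_record_name(selector, parent)} not found")
    parent_p = parse_dkim_tags(parent_record).get("p")

    result = {}
    for domain in associated:
        record = lookup(dkim_record_name(selector, domain))
        tags = parse_dkim_tags(record) if record else {}
        # v= is optional in a DKIM record but must be DKIM1 when present.
        version_ok = tags.get("v", "DKIM1") == "DKIM1"
        result[domain] = version_ok and tags.get("p") == parent_p
    return result


if __name__ == "__main__":
    for domain, ok in check_associated_keys(SELECTOR, PARENT, ASSOCIATED, DNS_TXT.get).items():
        print(f"{dkim_record_name(SELECTOR, domain)}: {'OK' if ok else 'MISMATCH or missing'}")
```

Run as-is it reports example.com as OK and example.org as a mismatch. To run it against live DNS, pass a `lookup` function that queries the TXT record of the given name (for instance with dnspython's `dns.resolver.resolve(name, "TXT")` and the record strings joined) in place of `DNS_TXT.get`; the comparison logic stays the same.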