The40ITGuy
New Contributor II

Configuring DKIM for Fortimail in Transparent Mode

Hello Everyone,

I want to configure DKIM on our Fortimail unit to sign outgoing messages, but I have a lot of questions that I need your help with. First of all, our Fortimail unit is a 200F unit, working in transparent mode. We have 2 protected domains configured inside this unit. The two domains are MS Exchange servers.

For my questions:

  1. Can I configure the DKIM signing in transparent mode, or should it be in gateway or server mode for this to work?
  2. If it is applicable in transparent mode, and I successfully configure it, will this configuration be affected or stop working if I change the working mode of the Fortimail unit to gateway mode?
  3. Do I have to make a record for the DKIM inside my Exchange servers' internal DNS, or should it be published only on the external DNS?
  4. Do the protected domains' SSL certificates have to be imported inside the Fortimail, or does the DKIM have nothing to do with the certificates?
  5. Is it better to configure the DKIM inside my Exchange servers, or is it better to configure it on the Fortimail, and does it have anything to do with the encryption of the email messages (meaning that encrypted messages from the mail server should affect the DKIM if it is configured on the Fortimail unit)?

I would greatly appreciate your support on these topics.

#Fortimail

1 Solution
AEK
SuperUser

Hi ITGuy

  1. Yes, you can configure DKIM signing in transparent mode.
  2. Changing from one mode to another will reset your config to factory defaults, so you will also lose the domain config and the DKIM private keys as well.
  3. No need for the DKIM public key in your private DNS; it should be in your public DNS so remote servers can check it.
  4. DKIM doesn't use any certificate. It needs only a public key and a private key.
  5. I think it is better to configure it on FML. I always do that just in case FML changes something in the message or in the headers; in that case the DKIM has to operate at FML level, otherwise it will not be valid anymore.
AEK

The40ITGuy
New Contributor II

Thanks a lot @AEK

Those answers will help a lot in considering the best approach to apply the DKIM in our configuration.
