Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 18 subscribers
  • Views 4371 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Outbound DKIM Signing - New Feature setup headaches

Michael Gates

I am going to try and post this on the community hoping that it saves someone some time and headache. Sophos has finally just released the ability to sign outgoing mail with DKIM. The instructions are missing a very important piece of information. When you create the TXT record you must append the following to the “Name” field of the record that Sophos gives you:

._domainkey

It must include the period before _domainkey Your txt record "name" should look like sophos3253452435bunchofnumbersandletters3445._domainkey

I am also getting a false negative when validating the TXT record within the Central dashboard where you configure the DKIM key. It states that there is a mismatch but, that’s not correct. DKIM checkers using the selector and domain name show correct when checking the DNS. Once I activated the feature ignoring the dns mismatch error and sent test emails to mail-tester.com and mailtest@unlocktheinbox.com both tests confirm that the emails are being signed correctly.

 
**Also take note. If you have multiple domains, the key will remain the same, but you will have a different selector for each domain. This is the “Name” field. You can find this by going back to the domain list and then clicking on the  domain key link you will notice the “name” is different for each domain. You will need to create a TXT record for each domain.



Added tags
[edited by: Raphael Alganes at 5:12 AM (GMT -7) on 8 Jun 2023]
  • 0

    Unfortunately, the Help in Central DKIM is not good. This will be fixed in the upcoming release to reflect your feedback.

    You are completely right, the DNS Settings need to be done like this. 

    The DNS Check should work? At least if you use it with the Selector, shown by Central: 

     

    S1235123123._domainkey.yourdomain.com 

    At least this worked for most of us right now. 

     

    Whats your general Feedback about this Feature and the Handling of DKIM outbound? 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Toni, 

     

    Thanks for the reply. I also would agree about the documentation hoping that it will save someone some frustration. 

     

    Selector is correct and all is working but, DNS check still fails for us. 

     

    Feedback is good so far. No issues other than the info to enable the feature and set up the TXT record. Something we have been waiting a LONG time for. In fact. I just installed a plugin 2 weeks ago to do DKIM signing on the exchange server itself. This was open source software and stopped working 2 days before I seen the announcement for this feature so it was very welcomed. I think this will help with email delivery. 

     

    Thanks!

  • 0 in reply to Michael Gates

    Hi,

     

    I am so much missing this feature, but where did you find info on that, I cannot find it in central or in the docs??

     

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

  • 0 in reply to twister5800

    Found it! :-)

     

    https://docs.sophos.com/central/Customer/help/en-us/central/Customer/learningContents/eg_DkimKeys.html?hl=dkim

     

    Horray and thanks for the thread!

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

Unfiltered HTML