Posted on February 20, 2018 · Posted in Exchange

How to Configure DKIM on Exchange Server 2010/2013

It started when I decided to reduce the number of ordinary e-mails that regularly landed in the recipient's Spam folder and went unanswered. SPF had already been configured for the domain by then, but for some receiving mail servers that was apparently not enough. So the idea of configuring DKIM on MS Exchange Server 2010 came up.

DKIM Signer for Exchange

By default, MS Exchange Server does not support DKIM. While looking for a solution, I found a free transport agent, Exchange DKIM Signer.

If you have .NET Framework 4.5 installed, you can install the agent automatically. Otherwise, you will have to install and configure Exchange DKIM Signer manually; a detailed guide to the manual installation is on the official website.

I decided to go and try the automatic installation.

  1. Back up your Exchange server just in case
  2. Download from
  3. Unzip it into any folder and run Configuration.DkimSigner.exe
  4. Click Install
  5. Select the version to be installed in the next window
  6. Click Install and wait till the installation is complete
  7. Close the window

The new Exchange transport agent is installed. Now you have to configure it. As with the installation, you can do it either manually (by editing the file C:\Program Files\Exchange DkimSigner\settings.xml) or in the GUI (by running C:\Program Files\Exchange DkimSigner\Configuration.DkimSigner.exe).

(Screenshot: configuring DkimSigner)

Click Configure and make sure that Exchange DKIM Signer has the lowest priority (it goes last in the list). Messages must be signed at the very last step, after all other transport agents have made their modifications; any change to a signed header or the body after signing would invalidate the signature.

(Screenshot: Exchange transport agents)

In the DKIM Settings tab, specify which header fields will be signed. By default, these are From, Subject, To, Date and Message-ID.

(Screenshot: DKIM fields to sign)

You can configure your domain in the Domain Settings tab. Specify the domain name, the selector (the DNS label) and the file with the private key. The key can be generated right there; I already had a couple of keys generated with OpenSSL:

openssl genrsa -out private.pem 1024
openssl rsa -pubout -in private.pem -out public.pem

(Screenshot: Exchange domain key)

After setting all parameters, click Save Domain. In theory, the settings should be applied automatically right away, but I restarted the Microsoft Exchange Transport service just in case.

Only two DNS entries are left to be configured:

_domainkey.<your_domain_name>. TXT "t=s; o=~;"

mail._domainkey.<your_domain_name>. TXT "v=DKIM1; k=rsa; t=s; p=<public_key_contents>"

The o= parameter can take the following values:

  1. “~” — some e-mails from this domain are signed
  2. “-” — all e-mails from this domain are signed

The “mail” label before “._domainkey” is the selector name.
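The p= value in the selector record is the body of the OpenSSL public.pem (the base64 DER key without the BEGIN/END lines), and a 2048-bit key makes the record longer than one 255-byte DNS TXT string. The following Python is an added example, not part of the original post or of Exchange DKIM Signer: it builds the selector record from a PEM, splits it into TXT strings, and sanity-checks a published record. The PEM it uses is constructed from fake DER-like bytes so it runs offline; the function names are my own.

```python
import base64
import re

MAX_TXT_STRING = 255  # a DNS TXT record is a sequence of <=255-byte strings


def pem_to_p(pem: str) -> str:
    """Turn OpenSSL's public.pem into the p= value: the base64 DER
    SubjectPublicKeyInfo, i.e. the PEM body without the BEGIN/END lines."""
    lines = (ln.strip() for ln in pem.splitlines())
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))


def build_dkim_record(p: str, key_type: str = "rsa", strict: bool = True) -> list:
    """Return the key record as the quoted TXT strings to put in the zone.
    t=s (as used above) means the i= identity must match d= exactly. A
    2048-bit RSA p= is ~392 chars, so the record must be split into several
    <=255-byte strings; verifiers concatenate them when reading the record."""
    tags = ["v=DKIM1", f"k={key_type}"] + (["t=s"] if strict else []) + [f"p={p}"]
    flat = "; ".join(tags)
    return [flat[i:i + MAX_TXT_STRING] for i in range(0, len(flat), MAX_TXT_STRING)]


def parse_dkim_record(txt) -> tuple:
    """Parse a published key record (one string, or the list of TXT strings a
    resolver returns) into (tags, problems); an empty problems list is good."""
    if isinstance(txt, (list, tuple)):
        txt = "".join(txt)
    tags, problems = {}, []
    for part in filter(None, (s.strip() for s in txt.split(";"))):
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)  # whitespace in values is ignored
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    p = tags.get("p")
    if p is None:
        problems.append("missing p= tag")
    elif p == "":
        problems.append("empty p= means the key is revoked")
    else:
        try:
            der = base64.b64decode(p, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("p= is not valid base64")
        else:
            if tags.get("k", "rsa") == "rsa" and der[:1] != b"\x30":
                problems.append("p= does not decode to a DER SEQUENCE")
    return tags, problems


# Constructed sample: DER-like bytes wrapped as PEM so the example runs offline.
# NOT a real key; a real public.pem comes from the `openssl rsa -pubout` step above.
FAKE_DER = b"\x30\x82\x01\x22" + bytes(range(256)) + bytes(34)  # 294 bytes, like a 2048-bit SPKI
SAMPLE_PEM = "-----BEGIN PUBLIC KEY-----\n%s-----END PUBLIC KEY-----\n" % base64.encodebytes(FAKE_DER).decode()
```

RFC 8301 requires verifiers to accept RSA keys of at least 1024 bits and recommends 2048-bit signing keys, which is why the splitting matters in practice.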

It is also recommended to specify ADSP in your DNS:

_adsp._domainkey.<your_domain_name>. TXT "dkim=all"

The dkim parameter can take one of the following values:

  1. “unknown” — the same as having no entry
  2. “all” — all e-mails must be signed
  3. “discardable” — unsigned e-mails are to be discarded by the receiver

Send a test e-mail, say, to a Gmail mailbox, and look for dkim=pass in the message headers:

(Screenshot: DKIM signature in the message headers)

The signature headers are there, and it works well.
