How to add an ESA’s DKIM Signature to a DNS TXT Record

Hopefully, this post will help you save a lot of time when trying to add a DomainKeys Identified Mail (DKIM) signature to a Windows server. The motivation for this post is simply because I spent more than enough time trying to get a DKIM signature into my DNS server records and I want to save you the pain of going through what I went through.

In this demonstration, I will add a DKIM signature to my Microsoft 2019 servers’ DNS records. The signature will be generated on a Cisco Email Security Appliance (ESA). The problem with this method is that when the ESA presents the DKIM signature, the format is incorrect and therefore it cannot simply be copied and pasted into a DNS TXT record. The following steps will run through the process and show you how you can use the ESA to validate the signature.

When you’ve created a signing profile on the ESA and attached the generated key, click ‘Generate’ under the ‘DNS Text Record’ field and you will be taken to the signature.

The following screenshot is an example of the signature presented. As mentioned, if you simply copy and paste this into a DNS TXT record, it won’t work. One reason is that when the signature is pasted into the TXT record and saved, it is truncated because the maximum number of characters allowed in a single string is 255. Therefore, we need to split the string into multiple lines as presented on the ESA. But wait, that’s not all! Even if we do that, it still won’t work and the other reason is because of how the signature is presented you’ll see why below.

The Cisco documentation does a good job in explaining the first issue mentioned above, however, the documentation falls short when recommending the use of quotations (“) and that is because this is not required; or at least that is the case on Microsoft Server 2019 DNS servers. The reason quotation marks are not required is because the server will automatically add them once the TXT record has been saved. The example below shows how I have split the string into multiple lines and it also shows how quotation marks have been applied automatically.

One thing to note here is that the ESA outputs the signature with a quotation mark at the end of the signature and also includes the FQDN of the string; both of which aren’t required. Therefore, if we add them, we will still get an error. In the screenshot below you can see double quotation marks at the end of the signature; one from the ESA and the other placed there once the TXT record has been saved. You can also see the FQDN at the start of the string.

Once all those ‘gotcha’s’ have been addressed and the TXT record has been saved, it should look similar to the screenshot below.

We can now verify that the TXT record is correct by using the ‘Test’ link under ‘Test Profile’ on the ESA. If all is created successfully the ESA will validate this with the message highlighted in the screenshot below.

Lastly, if you want to check the output of the TXT record, you can use the following command on a command prompt or Power Shell.

nslookup -q=txt <Your FQDN Here>

Example: nslookup -q=txt lab._domainKey.networkwizkid.com

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: