If you are interested in enabling Mail Signing with your Smartermail mail account, you will soon find there are a few different options that can be confusing as to what they do. This is a short explanation of each option and steps for enabling mail signing.

You will find the mail signing options under Domain Settings -> Advanced Settings -> Mail Signing, and you must be logged in as an administrator of your domain to access these options. The Mail Signing section has four tabs:

Tab 1 - Options:

Enable DomainKey signing
Enable DKIM signing

Both of the above options enable a different method of "Authenticating" mail. That is, validating that it originated from you, the sender, with little or no modification while in-transit. DomainKeys was created by Yahoo and falls under their licensing. DKIM was created by the internet community at large as a very similar alternative that would fall outside of Yahoo's licensing. Unfortunately, many of the components of DKIM have been ruled to be under patents owned by Yahoo so both authentication methods now fall under Yahoo's licensing so there is little difference in which you choose (you can just leave both enabled if you don't want to choose).

Tab 2 - Certificate:

This tab is where you really configure Mail Signing to actually work. It has the following options:

Selector: This is a unique name that you enter. I would recommend using your domain name with all dashes and periods removed with the 2 or 4 digit year at the end (since you will want to generate a new certificate about every year or so and will need a new selector)

Key Size: Higher key size makes the certificate more secure, but also makes encryption/decryption slower. Depending on your security requirements, choose an appropriate value.

TXT Record Name and TXT Record Value: These will be populated when you click the Generate Certificate button. You will use these values to create a DNS record with type 'TXT'. After creating the DNS record, you will want to come back to this tab and click Test DNS to verify that you configured it correctly.

Tab 3 - DomainKeys Signing:
(options specific to the 'DomainKeys' authentication method. Not needed if you are only using DKIM)

Canonicalization: This determines what changes can be made to the message while in-transit. Changing it to Simple allows fewer changes to the message while in-transit. Again, this should be chosen based on your particular security requirements. The default, nofws, is appropriate for most domains.

Tab 4 - DKIM Signing:
(options specific to the 'DKIM' authentication method. Not needed if you are only using DomainKeys)

Body Canonicalization: The Simple option allows almost no changes to the message body while in-transit. The default option Relaxed is as the name implies, a little less strict, allowing for minor changes.
Header Canonicalization: This option is the same as Body Canonicalization but affects the headers.
Hash Algorithm: This is the algorithm used to verify the DKIM message. I would recommend just leaving this as SHA256.
Header Field Signing: This setting determines which header fields should be "Signed" with the hash algorithm. I would recommend leaving this as All non-repeatable fields unless you have a specific reason for changing it.

Once you configure the settings in the Certificate tab, add the DNS record, and successfully run the Test DNS function, you are ready to send authenticated mail. You can enable and disable authenticated mail for each user as well. By default, all users will have Mail Signing enabled unless you disable it.

David D.