Implementing DKIM on Exchange 2019 CU11 with Microsoft DNS

Sometimes the path we choose is only met with minimal speed bumps. We’ll call that a good day. Spoiler alert, MS DNS doesn’t play nice. Who’da thunk it? 👎 What, no middle finger emoji? I am appalled, Windows 10.

So, you’ve been putting it off for a real long time, maybe you got sidetracked reading r/ShittySysadmin on Reddit, and you haven’t felt like dicking with it, but today’s a new day, and you haven’t totally had your fill of punishment yet, so you decide to take the plunge.

For a little back story, after almost twenty years of being a sysadmin, dealing with endless server problems, Windows problems galore, buggy software, and providing direct tech support to crabby, ungrateful end-users, I’ve recently come to the conclusion that to be a sysadmin, whether you know it or not, you have to be a masochist deep down, because only a crazy man would willingly endure this kind of torture. Smh. It’s true, it’s true. 🙄 Anywho, I’ll be your copilot this evening, so let’s kick this bitch into overdrive, and get some shit done.

Here are some basic instructions to implement DKIM signing on Microsoft Exchange 2019 CU11 relatively painlessly in about 15 minutos, provided you’re on a recent version of Windows. In my case, I was on Windows Server Standard 2019 LTS v1809, so no .NET dependencies needed to be met. Cue Rainier Wolfcastle, “Up and at them!“.

  1. RDP into Exchange, or I guess use the console, if you’re an effing weirdo… 🤷‍♂️
  2. Download the Pro/dkim-exchange project from GitHub, where a wonderful human being named DJBenson has so graciously provided the binary releases, so there’s no need to compile the project yourself. For this write-up, we’re using the v3.4.0 Configuration.DkimSigner.zip package.
  3. Unzip it to your Downloads folder or wherever.
  4. The installation wiki can be found here. I chose to use the Online Install method. Follow those steps.
  5. After that, you can open up the configuration wiki page for some easy to follow screenshots, tab by tab, but they don’t really explain any of it, though.
  6. Once you’ve opened the configuration utility from "C:\Program Files\Exchange DkimSigner\Configuration.DkimSigner.exe" in step 4, all you really need to do is verify that the Microsoft Exchange “Transport service status:” shows “Running”, and that DKIM Signer shows “Installed” and “Available”.
  7. Open the Domain Settings tab.
  8. On the left-hand side, under Domains, hit the Add button.
  9. Under “Domain name:”, enter in your domain, and under “Selector”, enter in any arbitrary or unique selector name, such as “s1”.
  10. Set the “Key length for generation:” to 2048, if it’s not already, click the “Generate new key” button, and save the key file somewhere for safekeeping.
  11. “Suggested DNS name” is the name of the TXT record we want to add in DNS, and “Suggested DNS Record:” is the value for that record. This is where the small hitch with Microsoft DNS comes into play: it truncates the record, so you have to do some tweaking. The handy little copy button in the software is nice. It’s the little things. 😊
  12. You’ll want to add the DNS record with both your internal and external DNS providers. I didn’t have any problems adding the record with my external provider, but I did see several articles where others were having the same truncation issue depending on which software you’re using, so be cognizant of that potential issue, and adjust your position accordingly. The internal server, my Active Directory-integrated Microsoft DNS, was the one with the truncation issue.
  13. This article shows you the workaround on how to fix the truncated Microsoft DNS record properly.
    TIP: I copied and pasted the “Suggested DNS record:” string into Notepad++, so I could easily select the text and see which character position I was at. I was able to fit 154 characters per line, followed by a line break, and did it in three sections. Then, I pasted each section as a separate line into the text entry box, and saved it.
  14. Back in the DKIM config utility, hit the DNS “Check” button. If it says “DNS record public key is correct”, you’re in good shape. You did it! Just make sure you hit the save button at the bottom.
    NOTE: If you make DNS changes in AD, and you don’t feel like waiting around for them to propagate, you’ll want to “ipconfig /flushdns & ipconfig /registerdns” at the elevated command prompt in between each round of changes.
  15. Now, we want to test and verify everything is working externally with a few online tools. You can check your DKIM DNS records with the mxtoolbox.com SuperTool; just make sure you select DKIM lookup in the drop-down and enter the selector in the proper format (it’s a bit clunky). But this site has a kick-ass tool where you click on a mailto: link, send a test message, and it returns the email message headers and tests for SPF, DKIM, DMARC, your DomainKey, your DNS PTR record, and even checks your domain against blacklists (RBLs). I highly recommend using the latter, as it includes all of the items you could possibly want to check with your email server.
  16. At this point, hopefully, you should be all good to go. Personally, I didn’t have any issues, but if you do, maybe try and consult the troubleshooting wiki page.
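As an added example (not from the post or the dkim-exchange project), here is the split from steps 11 to 14 done in Python instead of by hand in Notepad++, plus a check that mirrors what the utility’s DNS “Check” button is looking for; the key is a constructed placeholder, not a real one. The reason the split is needed at all is that a TXT record is stored as strings of at most 255 bytes each, so a 2048-bit key has to be entered as several lines and one long line gets cut off.

```python
import base64
import re

# Chunk size from the post; DNS itself allows at most 255 bytes per TXT string.
CHUNK_SIZE = 154

# Constructed sample, not a real key: 294 bytes is the DER size of an RSA-2048
# SubjectPublicKeyInfo, so the base64 p= value has a realistic 392 characters.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(256)) + bytes(38)).decode()
DKIM_RECORD = f"v=DKIM1; k=rsa; p={SAMPLE_KEY_B64}"

def split_txt_record(record: str, chunk: int = CHUNK_SIZE) -> list[str]:
    """Break one long TXT value into strings of at most `chunk` characters; each
    goes on its own line in the MS DNS TXT editor and resolvers re-join them."""
    if not 1 <= chunk <= 255:
        raise ValueError("a DNS character-string holds 1..255 bytes")
    return [record[i:i + chunk] for i in range(0, len(record), chunk)]

def parse_dkim_record(strings: list[str]) -> dict[str, str]:
    """Join the TXT strings as a resolver does (no separator) and parse tag=value
    pairs; whitespace is dropped from values because folding is allowed in p=."""
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def check_public_key(strings: list[str], expected_key_b64: str) -> tuple[bool, str]:
    """Mirror the config utility's DNS 'Check': the published p= must be valid
    base64 and identical to the key DKIM Signer generated."""
    tags = parse_dkim_record(strings)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return False, "v= or k= tag has an unexpected value"
    published = tags.get("p")
    if published is None:
        return False, "p= tag missing (record truncated before the key?)"
    if published == "":
        return False, "p= is empty, which DKIM treats as a revoked key"
    try:
        base64.b64decode(published, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "p= is not valid base64 (truncated record)"
    if published != expected_key_b64:
        return False, "published key differs from the generated key"
    return True, "DNS record public key is correct"

if __name__ == "__main__":
    for i, line in enumerate(split_txt_record(DKIM_RECORD), 1):
        print(f"DNS line {i}: {len(line)} chars -> {line[:20]}...")
```

Feeding the first 255 characters of the record to `check_public_key` reproduces the failure you see when Microsoft DNS truncates a single long line.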

I hope you’ve enjoyed our time today. Keep on truckin’, don’t do anything I wouldn’t do, etc… We’ll see ya next time. Cheers!
