DKIM 2048 in Mimecast

When signing outbound DKIM with Mimecast there is little reason not to use a 2048-bit DKIM key. It is much more secure than a 1024-bit key and comes with little to no downside. The primary concern when implementing it is that the TXT record holding the 2048-bit DKIM public key will be around 350 characters, while a single string in a TXT record is limited to 255 characters. Some DNS hosting providers solve this automatically by splitting the value into a multi-string TXT record (two quoted strings that resolvers join back together). You will want to check the settings and options with your DNS host, but most of the major providers do have this functionality.

This includes but is not limited to:

- Cloudflare
- Google DNS
- Amazon Route 53

The other concerns around moving to 2048-bit are mostly sending and receiving server limitations, which in the vast majority of cases should not be a problem today. On your end, Mimecast is your sending server for DKIM, so that side is handled by them.

To set up DKIM 2048 in Mimecast you need to create a DNS Authentication – Outbound definition for your domain, generate the DNS Address and DKIM Public Key, and then create a TXT record within your DNS host that uses the DNS Address as the host name and the DKIM Public Key as the record value. When entering the host name, many DNS hosts automatically append your domain to the end of the record, so you may need to remove the “.yourdomain.com” from the end of the DNS Address provided by Mimecast.

Once the record is saved, you need to validate it within the definition in Mimecast. We recommend waiting at least 10 minutes before validating to allow the record to propagate. We have seen at times that the record is visible to third-party tools such as MXToolbox for several minutes before Mimecast is able to validate it. Validate and be sure to SAVE after.

Once validated and saved, you need to create a DNS Authentication – Outbound policy which uses the DKIM definition and is scoped from your domain to external.

We recommend testing your results once the rule is in place by sending an email to ping@tools.mxtoolbox.com which will then send you a deliverability report to confirm your changes are successful. Sometimes this will get caught in spam so be on the lookout for that.
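The record-preparation steps above can be sanity-checked before you paste anything into your DNS host. The following is an added example (not Mimecast's or this post's own code) that derives the host name to enter (the DNS Address with the trailing domain removed), splits the TXT value into 255-character strings for a multi-string record, and then reassembles the strings the way a verifier would and checks the DKIM tags. The domain, the DNS Address and the public key value are constructed placeholders; substitute the values Mimecast generates for you.

```python
"""Prepare and sanity-check a 2048-bit DKIM TXT record for multi-string DNS entry."""
import base64
import re

# Constructed placeholder: 294 bytes, the DER size of a 2048-bit RSA public key.
# This is NOT a real key; use the DKIM Public Key value Mimecast generates.
FAKE_PUBKEY_B64 = base64.b64encode(bytes(range(256)) + bytes(38)).decode()
DKIM_VALUE = f"v=DKIM1; k=rsa; p={FAKE_PUBKEY_B64}"

ZONE = "example.com"                           # assumption: your domain
DNS_ADDRESS = "mc1234._domainkey.example.com"  # constructed DNS Address placeholder


def relative_host(dns_address: str, zone: str) -> str:
    """Strip the trailing '.yourdomain.com' that many DNS hosts append automatically."""
    suffix = "." + zone.rstrip(".")
    return dns_address[:-len(suffix)] if dns_address.endswith(suffix) else dns_address


def split_txt_strings(value: str, max_len: int = 255) -> list[str]:
    """Split a TXT value longer than 255 characters into 255-character sub-strings."""
    return [value[i:i + max_len] for i in range(0, len(value), max_len)]


def zone_record(host: str, value: str) -> str:
    """Render a BIND-style multi-string TXT record for hosts that need it typed in."""
    quoted = " ".join(f'"{s}"' for s in split_txt_strings(value))
    return f"{host} IN TXT ( {quoted} )"


def check_dkim_record(strings: list[str]) -> dict:
    """Reassemble the sub-strings as a verifier would and validate the DKIM tags."""
    joined = "".join(strings)  # sub-strings are concatenated with no separator
    tags = dict(re.findall(r"(\w)=([^;]*)", joined))
    if tags.get("v") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA DKIM1 record")
    der = base64.b64decode("".join(tags["p"].split()), validate=True)
    # SubjectPublicKeyInfo DER sizes: 1024-bit = 162 bytes, 2048-bit = 294 bytes.
    return {"strings": len(strings), "longest": max(map(len, strings)),
            "der_bytes": len(der), "at_least_2048": len(der) >= 294}


if __name__ == "__main__":
    host = relative_host(DNS_ADDRESS, ZONE)
    print(zone_record(host, DKIM_VALUE))
    print(check_dkim_record(split_txt_strings(DKIM_VALUE)))
```

After the record is live, the same `check_dkim_record` logic can be applied to the strings returned by a DNS lookup of the selector to confirm what resolvers actually see.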


If you have any questions or get stuck on any steps please reach out to us for some assistance!
