Enabling DKIM on Microsoft Exchange Server 2016

This post relates to my experience and the issues I’ve faced with installing the latest version of ‘Exchange DKIM Signer‘ (on time of writing 3.2.8) on Microsoft Exchange Server 2016 without internet access.

In case you are using Microsoft Exchange Server (2007, 2010, 2013, 2016, 2019) and you want to enable DKIM on it, this post might help (I hope).

A few days back, I was searching for the same subject and saw (it seems, based on what I saw so far) on-premise version of Microsoft Exchange Server does not support DKIM configuration on its own but there are multiple solutions, both free and paid ones.

If you want to go with free version and have access to the application source at the same time, well I found Exchange DKIM Signer project on GitHub which is working great.

For installation, you can check the two below links.

Now, issues I’ve faced.

Unable to install on a server without internet

I’ve installed the application on one node in the cluster which had access to the internet so the application downloaded needed files and installation finished successfully, so far normal.

Then I went to install it on another cluster node that doesn’t have internet access but when launching the application there was no option for install.

Based on the installation page, there are three ways to install applications; online, offline, and manual.
It also mentioned on the releases page, on version 2.3.4-alpha a feature has been added to the application so ‘Application will launch installer if agent is not detected (allows “Online” and “Offline” install options)’ but I didn’t get offline installation option with version 3.2.8.

So, I’ve downloaded 3.2.4-alpha, and the source zip file for the new version (3.2.8) (for offline installation) and use that version (2.3.4a) for the installation and as soon as I’ve launched the application, I got browse option (for selecting the source/zip file) and then installation started as expected.

No DKIM Signing

Application has the capability of creating key pairs in PEM format or using already created key pair.
In any case, it will show suggestions for DNS records based on provided information such as domain and selector name and key in use.

I don’t know about previous versions but the issue I’ve faced was with the key generated by application version 3.2.8.

After the key has been generated, I’ve added the DNS record and check DNS configuration by both application and online services such as ‘DKIM Record Check‘ and ‘DKIM Validator Tool‘, and all show correct DNS configuration.

But when I’ve sent an email to myself and an email to ‘DKIM test‘ to test the DKIM implementation and I got notice my emails were not signed at all.

So I’ve checked the application, all was good so looked online and found a post by Colin Wilson which was not my issue but give me a hint to check the event log for ‘Exchange DKIM’.

Well, the log was there waiting to be seen and it was clearly saying the issue.

Couldn't load private key for domain DOMAIN.LAB: The given key does not have the correct type. The keyfile must include the private and public key in PEM format. It is of type: Org.BouncyCastle.Crypto.Parameters.RsaKeyParameters

The key which will be used for DKIM is pair and it consists of two parts of a private key and a public key. As the above error mentioning, the private key should include the public key as well but, the key that has been made by the application didn’t have a public key inside.

So, I just merged both private and public keys into a new file and saved it as “new private key” and changed application configuration so it’ll use the new private (merged) key.

Tested again and it passed all tests successfully.

It's your kindness to leave a reply/feedback