daro
Beginner

DKIM config automation

Hello,

 

I am looking for a way to automate all needed config for DKIM signing and also for key rotations.

This might not be an issue for deployments with just a few domains, but as soon as you get to 100+ domains it is quite an effort.

I am currently using a command string to get the simplest tasks done, but that also seems to have limits real fast.


DKIM key:

domainkeysconfig keys new DOMAIN_TLD_KEY1 --generate_key 2048

 

 

DKIM signing profile:

domainkeysconfig profiles signing new DKIM_DOMAIN_TLD dkim domain.tld some.selector nobody@domain.tld --key_name DOMAIN_TLD_KEY1 --body_canon relaxed --header_canon relaxed --i_tag yes --q_tag yes --t_tag yes --x_tag no --z_tag no --z_tag no

This works as is for the steps to initially create the keys and to then generate the needed DNS record, but it already begins at the steps to then activate signing for the whole domain.

That means I have to remove nobody@domain.tld and add just the domain again (to disable signing for subdomains) on that specific profile.

Next thing is key rotation after some time of using the same keys; that includes multiple (intermediate) steps to take due to the new DNS record taking time to propagate.

I can see having scripts to just add those commands one by one, but that seems to be a very old school way of doing this.

Is there an enterprise option to have the config done without having to click through the webgui?

Will there be an implementation for that in the future with the nextgenGUI? API based?

 

thanks

daniel

 

1 REPLY 1
marc.luescherFRE
Enthusiast

Hi Daniel,

 

We posted a feature request about 3 years ago with Cisco to allow for:

a) automatic key rotation

b) support for a second DKIM key/profile for every domain so you could work with selectors.

This would allow rolling over one selector while supporting outgoing emails at the same time using the 2nd selector.

For DNS we had to switch to a cached DNS service like AWS DNS or Cloudflare DNS so we can propagate instantly.

 

 

Regards

Marc
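
Added example, not part of the thread and not Cisco's code: a gate for the "wait for DNS to propagate" step of a key rotation, which reports whether every resolver already serves the new selector's public key before the signing profile is switched. It assumes the TXT answers were collected beforehand (for example with dig); the resolver names and key bytes are constructed placeholders.

```python
import base64
import binascii
import re

def parse_dkim_txt(chunks):
    """Join the TXT character-strings, then split the RFC 6376 tag=value list."""
    tags = {}
    for part in "".join(chunks).split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)  # whitespace inside p= is not significant
    return tags

def rotation_gate(answers, expected_pub_b64):
    """answers maps resolver name -> list of TXT chunks (None if no answer).
    Returns (ok, problems); ok only if every resolver serves the expected key."""
    want = base64.b64decode(expected_pub_b64, validate=True)
    problems = []
    for resolver, chunks in answers.items():
        if not chunks:
            problems.append(f"{resolver}: no TXT record yet")
            continue
        tags = parse_dkim_txt(chunks)
        p = tags.get("p")
        if tags.get("v", "DKIM1") != "DKIM1" or p is None:
            problems.append(f"{resolver}: not a DKIM key record")
        elif p == "":
            problems.append(f"{resolver}: key is revoked (empty p=)")
        else:
            try:
                got = base64.b64decode(p, validate=True)
            except binascii.Error:
                got = None
            if got != want:
                problems.append(f"{resolver}: serves a different or malformed key")
    return (not problems, problems)

# Constructed sample data: placeholder key bytes, hypothetical resolver names.
NEW_KEY = base64.b64encode(b"constructed-new-public-key-bytes").decode()
OLD_KEY = base64.b64encode(b"constructed-old-public-key-bytes").decode()
ANSWERS = {
    "resolver-a": ["v=DKIM1; k=rsa; p=" + NEW_KEY[:20], NEW_KEY[20:]],  # key split over two TXT strings
    "resolver-b": ["v=DKIM1; k=rsa; p=" + OLD_KEY],                      # stale cached record
    "resolver-c": None,                                                  # not propagated yet
}

if __name__ == "__main__":
    ok, problems = rotation_gate(ANSWERS, NEW_KEY)
    print("safe to switch signing key:", ok)
    for line in problems:
        print(" -", line)
```

Run per domain and selector, and only move the signing profile to the new key once the gate returns ok for all resolvers.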
