HOWTO: Managing DKIM keys and DNS records (SEG 8.0 and above)

Expand / Collapse

This article applies to:

  • Trustwave SEG 8.0 and above
  • DKIM functionality


  • How can I generate and use DKIM keys to sign messages in SEG (8.0 and above)?
  • What setup is required before creating DKIM signing rules?


Note: For versions below 8.0, see article Q19543.

SEG version 8.0 introduces a simplified and enhanced method to complete the basic configuration required before you can create rules to use DKIM signing with SEG.  You can now create RSA keys in the SEG Configurator, and manage multiple keys and selectors for a domain.

The basic steps are:

  • In the SEG Configurator, generate a RSA key and selector for use with DKIM.
  • Create a matching DNS TXT record with the public key.
  • Once the DNS record has propagated, enable the key for use.
  • To sign messages, enable a Content Analysis rule with the action "Apply DKIM Signature."

Many other options are available. A starting place for resources is The Internet RFC that describes the standard for DKIM is RFC 6376.

Creating the DKIM key in SEG

To create a key and selector:

  1. In the SEG Configurator, open the properties for the local domain and select the DKIM tab.
  2. Click New to open the DKIM Key window.
  3. Enter a unique selector, such as a date string.
  4. Click Generate to create the key and record text.
    • SEG generates 2048 bit keys by default. In SEG 8.2 and above you can select other sizes when generating a key. To learn how to change the size generated in SEG 8.0 and 8.1, see Related Articles below.
  5. Copy the information required to create the DNS record (to capture all text, right click > select all).

Once the DNS record has been created and verified to be available in public DNS, you can enable the key from the DKIM tab.

  • SEG validates the public availability of the key using a query to public DNS from the Array Manager, by default using Google DNS (
  • Using a public DNS server (not the DNS configured in SEG for delivery) helps to test that the key has replicated widely.
  • You can change the DNS server used. See the Notes section below.

Creating the DNS record(s)

A DNS Resource Record is required for each local domain from which you are planning to send DKIM signed messages.

Copy the information from the DNS Record field of the DKIM Key window in the Configurator.

For example, in Windows DNS Manager, expand the zone for the desired local domain, add a resource record of type TEXT, and paste the information from SEG. The text of the record may include more than one line.

  • 2048 bit keys are longer than the permitted line length for many DNS servers. Long keys copied from SEG are formatted with a linebreak and can be pasted directly to Microsoft DNS and many other DNS servers. However, some DNS software may change the linebreak to a space or make other changes. Be sure to verify the actual DNS record using NSLookup or a web-based DKIM checker.



  • Looking up the record with NSLookup returns a result as shown below:



  • You can use the same key for all domains, or create separate keys.
  • Add a DNS record and local domain information for each local domain where you want to use DKIM to sign outgoing messages.
  • Ensure that DNS and local domain configuration is in place before creating any signing rules for a domain.
  • You must create rules to sign messages.

Manual key creation

If you want to generate keys outside SEG (for example to select the length of the key), see the steps in article Q19543.

Key Storage and replication

  • DKIM key storage depends on the Windows CNG Key Isolation service to store the keys and provide them to the SEG services. This service should be running on both the Array Manager and processing servers.
  • Keys are transmitted over secure RPC between the Array Manager and node Controller.
  • If you see "failed to update DKIM keys" messages in the Event Log or text logs, verify that the CNG Key Isolation service is running and then restart the Array Manager and Controller services.

Changing the DNS server setting

SEG validates the public availability of DKIM keys using a DNS query from the Array Manager (by default using Google public DNS: Using a public DNS server helps to test that the key has replicated widely.

In version 8.X you can change the DNS server used, by making an entry in the Registry.

  • This setting is not currently available in SEG 10.X

On the Array Manager, edit the Registry

  1. Navigate to the SEG DNS key:
    • In version 8.X: HKEY_LOCAL_MACHINE\SOFTWARE\Trustwave\Secure Email Gateway\Default\DNS
    • For full details of the location for each product version, see article Q10832.
    Add a String (REG_SZ) value ThirdPartyServer and set the value to the IP address of the DNS server you want to use.
  2. Commit configuration changes.
  3. Restart the Array Manager service.


To contact Trustwave about this article or to request support:

Rate this Article:

Related Articles

Add Your Comments

Comment submission is disabled for anonymous users.
Please send feedback to Trustwave Technical Support or the Webmaster