Managing DKIM keys and DNS records (MailMarshal supported versions)

This article applies to:

  • Trustwave MailMarshal/SEG 8.0 and above
  • DKIM functionality


  • How can I generate and use DKIM keys to sign messages in MailMarshal?
  • What setup is required before creating DKIM signing rules?


Note: For versions below 8.0, see article Q19543.

Current versions of MailMarshal provide a simplified and enhanced method to complete the basic configuration required before you can create rules to use DKIM signing with MailMarshal.  You can create RSA keys in the MailMarshal user interface, and manage multiple keys and selectors for a domain.

The basic steps are:

  • In the MailMarshal Management Console (or 8.X Configurator), generate a RSA key and selector for use with DKIM.
  • Create a matching DNS TXT record with the public key.
  • Once the DNS record has propagated, enable the key for use.
  • To sign messages, enable a Content Analysis rule with the action "Apply DKIM Signature."

Many other options are available. A starting place for resources is The Internet RFC that describes the standard for DKIM is RFC 6376.

Creating the DKIM key in MailMarshal

To create a key and selector:

  1. In the Management Console, open the properties for the local domain and select the DKIM tab.
  2. Click Add to open the DKIM Key window. (In 8.X click New)
  3. Enter a unique selector, such as a date string.
  4. Click Generate to create the key and record text.
    • MailMarshal generates 2048 bit keys by default. You can select other sizes when generating a key. 
  5. Copy the information from the DNS Record field. Ensure you have copied the entire contents.
  6. Remember to save the key.

Once the DNS record has been created and verified to be available in public DNS, you can enable the key from the DKIM tab.

  • MailMarshal validates the public availability of the key using a query to public DNS from the Array Manager, by default using Google DNS (
  • Using a public DNS server (not the DNS configured in SEG for delivery) helps to test that the key has replicated widely.
  • You can change the DNS server used. See the Notes section below.

Creating the DNS record(s)

A DNS Resource Record is required for each local domain from which you are planning to send DKIM signed messages.

Create this record in the DNS environment that hosts your public DNS records. This could be a local server or a hosted service.

  • Important: To ensure validation of the record succeeds, this record must exist on the DNS server configured in MailMarshal. If MailMarshal uses an internal DNS server and the public DNS records are not replicated to that server, you must also create the record on the internal server.

Enter the information you copied from the DNS Record field of the DKIM Key window.

Expand the zone for the desired local domain, add a resource record of type TEXT, and paste the information from MailMarshal. The text of the record may include more than one line.

  • 2048 bit keys are longer than the permitted line length for many DNS servers. Long keys copied from MailMarshal are formatted with a linebreak and can be pasted directly to most DNS servers. However, some DNS software may change the linebreak to a space or make other changes. Be sure to verify the actual DNS record using NSLookup or a web-based DKIM checker.


  • Looking up the record with NSLookup returns a result as shown below:




  • You can use the same key for all domains, or create separate keys.
  • Add a DNS record and local domain information for each local domain where you want to use DKIM to sign outgoing messages.
  • Ensure that DNS and local domain configuration is in place before creating any signing rules for a domain.
  • You must create rules to sign messages.

Manual key creation

If you want to generate keys outside MailMarshal (for example to select the length of the key), see the steps in article Q19543.

Key Storage and replication

  • DKIM key storage depends on the Windows CNG Key Isolation service to store the keys and provide them to the MailMarshal services. This service should be running on both the Array Manager and processing servers.
  • Keys are transmitted over secure RPC between the Array Manager and node Controller.
  • If you see "failed to update DKIM keys" messages in the Event Log or text logs, verify that the CNG Key Isolation service is running and then restart the Array Manager and Controller services.

Changing the DNS server setting

MailMarshal validates the public availability of DKIM keys using a DNS query from the Array Manager to the DNS servers configured in MailMarshal, and also to a public DNS server (by default using Google public DNS: Using a public DNS server helps to test that the key has replicated widely.

For validation checks to work properly, you must ensure that both the local and public DNS environments hold this information. 

You can change the public DNS server used, by making an entry in the Advanced Settings or Registry.

10.0 and above: 

  1. In the Management Console, add an Advanced Setting as follows:
    • DNS.ThirdPartyServer
    • Type: String
    • Value: the IP address of the DNS server you want to use.
  2. Commit Configuration Changes.
  3. Restart MailMarshal services on the processing servers.


On the Array Manager, edit the Registry

  1. Navigate to the SEG DNS key:
    • In version 8.X: HKEY_LOCAL_MACHINE\SOFTWARE\Trustwave\Secure Email Gateway\Default\DNS
    • For full details of the location for each product version, see article Q10832.
    Add a String (REG_SZ) value ThirdPartyServer and set the value to the IP address of the DNS server you want to use.
  2. Commit configuration changes.
  3. Restart the Array Manager service.


Last Modified 2/7/2024.