How to: Setup DKIM for Hosted Email Domains

This article will outline the benefits of DKIM and how to setup DKIM on an OpenSRS Hosted Email domain. 

What is DKIM? 

DomainKeys Identified Mail (DKIM) is a method for associating a domain name with an email message, thereby allowing a person, role, or organization to claim some responsibility for the message. The association is setup by means of a digital signature which can be validated by recipients. Responsibility is claimed by a signer—independently of the message's actual authors or recipients—by adding a DKIM-Signature: field to the message's header. The verifier recovers the signer's public key using the DNS, and then verifies that the signature matches the actual message's content.

What are the benefits of DKIM?

Use with spam filtering

DKIM is a method of labeling a message, and it does not itself filter or identify spam. However, widespread use of DKIM can prevent spammers from forging the source address of their messages, a technique they commonly employ today. If spammers are forced to show a correct source domain, other filtering techniques can work more effectively. In particular, the source domain can feed into a reputation system to better identify spam. Conversely, DKIM can make it easier to identify mail that is known not to be spam and need not be filtered. If a receiving system has a whitelist of known good sending domains, either locally maintained or from third party certifiers, it can skip the filtering on signed mail from those domains, and perhaps filter the remaining mail more aggressively.

Anti-phishing

DKIM can be useful as an anti-phishing technology. Mailers in heavily phished domains can sign their mail to show that it is genuine. Recipients can take the absence of a valid signature on mail from those domains to be an indication that the mail is probably forged. 

How do I setup DKIM on a Hosted Email domain?

Step 1: Generate a DKIM public key, private key, and key selector using a tool such as the SparkPost DKIM wizard. There are a number of similar tools available on search engines. The tool will ask for the domain name and the DomainKey selector:

NOTE: If you are using the SystemDNS nameservers, please generate the key in 1024 bits, not 2048 bits.  

Step 2: Add the public key as a TXT record on the domain's DNS zone file. You will need to add this record on a subdomain based on your key selector. In our example, the subdomain would be key._domainkey.example.com

Step 3: Log into the MAC and search for the domain in the top left.  On the domain overview page you will see a "DKIM" section, click to expand.  In the DKIM section there are two fields: Selector and Key.  Enter the selector you set for the domain and paste the private key into the key field.  NOTE:  Only the selector is needed in the selector field, nothing more.  The example screen shot below shows the selector dkim1 being used.

Click update at the bottom of the page.  After saving the private key the data will be obfuscated to protect the private key.  The key cannot be recovered from our system once set.

Step 4: Test your DKIM setup with a tool like the MXToolbox DKIM record lookup tool. This will ensure your private and public keys have all been setup correctly and your email domain is properly configured with DKIM.