How to: Set Up DKIM for Hosted Email Domains

This article outlines the benefits of DKIM and how to set up DKIM on an OpenSRS Hosted Email domain.

What is DKIM? 

DomainKeys Identified Mail (DKIM) is a method for associating a domain name with an email message, thereby allowing a person, role, or organization to claim some responsibility for the message. The association is set up by means of a digital signature which can be validated by recipients. Responsibility is claimed by a signer—independently of the message's actual authors or recipients—by adding a DKIM-Signature: field to the message's header. The verifier recovers the signer's public key using the DNS, and then verifies that the signature matches the actual message's content.

What are the benefits of DKIM?

Use with spam filtering

DKIM is a method of labeling a message, and it does not itself filter or identify spam. However, widespread use of DKIM can prevent spammers from forging the source address of their messages, a technique they commonly employ today. If spammers are forced to show a correct source domain, other filtering techniques can work more effectively. In particular, the source domain can feed into a reputation system to better identify spam. Conversely, DKIM can make it easier to identify mail that is known not to be spam and need not be filtered. If a receiving system has a whitelist of known good sending domains, either locally maintained or from third party certifiers, it can skip the filtering on signed mail from those domains, and perhaps filter the remaining mail more aggressively.

Anti-phishing

DKIM can be useful as an anti-phishing technology. Mailers in heavily phished domains can sign their mail to show that it is genuine. Recipients can take the absence of a valid signature on mail from those domains to be an indication that the mail is probably forged. 

How do I set up DKIM on a Hosted Email domain?

Step 1: Generate a DKIM public key, private key, and key selector using a tool such as the SparkPost DKIM wizard. There are a number of similar tools available on search engines. The tool will ask for the domain name and the DomainKey selector:

NOTE: If you are using the SystemDNS nameservers, please generate a 1024-bit key, not a 2048-bit key.


Step 2: Add the public key as a TXT record in the domain's DNS zone file. The record must be placed on a subdomain named after your key selector: the selector, followed by ._domainkey. and your domain. In our example, with the selector "key", the subdomain would be key._domainkey.example.com


Step 3: Log into the MAC and search for the domain in the top left. On the domain overview page you will see a "DKIM" section; click to expand it. The DKIM section has two fields: Selector and Key. Enter the selector you set for the domain and paste the private key into the Key field. NOTE: Only the selector is needed in the Selector field, nothing more. The example screenshot below shows the selector dkim1 being used.

[Screenshot: dkim.png]

Click Update at the bottom of the page. After saving, the private key is obfuscated to protect it. The key cannot be recovered from our system once set, so keep your own copy if you need it.

Step 4: Test your DKIM setup with a tool like the MXToolbox DKIM record lookup tool. This confirms that your private and public keys have been set up correctly and that your email domain is properly configured with DKIM.
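The four steps above can be exercised end to end without a web wizard. The following Go program is an added example, not OpenSRS code and not part of the original article: it generates the RSA key pair from Step 1 (the bit size is a parameter, so you can pass 1024 for SystemDNS as the note above requires), builds the TXT record name and value for Step 2, and validates a TXT record value the way a lookup tool in Step 4 would, catching the problems most often seen in practice (typographic quotes pasted from a web page, a missing v=DKIM1 tag, a value that is not a valid RSA public key). It assumes the MAC accepts a PEM-encoded PKCS#1 private key, which is what most DKIM wizards output; the selector dkim1 and domain example.com are sample values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// GenerateDKIMKeyPair creates an RSA key of the requested size (Step 1) and returns
// the PEM-encoded private key for the MAC "Key" field (PKCS#1 format is an assumption;
// the article does not state the accepted format) and the base64 SubjectPublicKeyInfo
// that becomes the p= tag of the TXT record.
func GenerateDKIMKeyPair(bits int) (privPEM string, pubB64 string, err error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return "", "", err
	}
	privPEM = string(pem.EncodeToMemory(&pem.Block{
		Type:  "RSA PRIVATE KEY",
		Bytes: x509.MarshalPKCS1PrivateKey(key),
	}))
	pubDER, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return "", "", err
	}
	return privPEM, base64.StdEncoding.EncodeToString(pubDER), nil
}

// RecordName returns the DNS owner name for Step 2: <selector>._domainkey.<domain>.
func RecordName(selector, domain string) string {
	return selector + "._domainkey." + domain
}

// BuildTXT returns the TXT record value. The v= tag must come first (RFC 6376).
func BuildTXT(pubB64 string) string {
	return "v=DKIM1; k=rsa; p=" + pubB64
}

// ValidateTXT parses a DKIM TXT record value as a lookup tool would (Step 4) and
// returns the RSA key size in bits, or an error describing what is wrong.
func ValidateTXT(record string) (int, error) {
	// Curly quotes copied from a web page are a common reason a zone file fails to load.
	if strings.ContainsAny(record, "\u201c\u201d\u2018\u2019") {
		return 0, errors.New("record contains typographic quotes; use plain ASCII quotes")
	}
	// Long records are split into several quoted strings in a zone file; join them.
	record = strings.ReplaceAll(strings.Trim(record, "\""), "\" \"", "")
	tags := map[string]string{}
	for _, part := range strings.Split(record, ";") {
		if part = strings.TrimSpace(part); part == "" {
			continue
		}
		kv := strings.SplitN(part, "=", 2)
		if len(kv) != 2 {
			return 0, fmt.Errorf("malformed tag %q", part)
		}
		tags[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
	}
	if tags["v"] != "DKIM1" {
		return 0, errors.New("missing or wrong v tag; the record must begin with v=DKIM1")
	}
	if k, ok := tags["k"]; ok && k != "rsa" {
		return 0, fmt.Errorf("unsupported key type %q", k)
	}
	der, err := base64.StdEncoding.DecodeString(tags["p"])
	if err != nil || len(der) == 0 {
		return 0, errors.New("p tag is missing or not valid base64")
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return 0, fmt.Errorf("p tag is not a DER-encoded public key: %v", err)
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return 0, errors.New("public key is not RSA")
	}
	return rsaPub.N.BitLen(), nil
}

func main() {
	priv, pub, err := GenerateDKIMKeyPair(2048)
	if err != nil {
		panic(err)
	}
	fmt.Println("Paste into the MAC Key field:\n" + priv)
	fmt.Println("TXT record name :", RecordName("dkim1", "example.com"))
	fmt.Println("TXT record value:", BuildTXT(pub))
	bits, err := ValidateTXT(BuildTXT(pub))
	fmt.Println("Validation:", bits, "bits,", err)
}
```

Run the validator on the exact string you paste into the zone file; the missing v= tag it reports is the same "version" error that MXToolbox and similar tools show when only k= and p= are published.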


5 Comments

  • Nora Heuer

    I could not get my zone file to pass a named-checkzone check when using the above DKIM Wizard. So I tried different ones I found on Google (and they all yielded different TXT entries and instructions), but only https://www.socketlabs.com/domainkey-dkim-generation-wizard/ returned a successful check. Confusing you say? HA!

  • Joe Winett

    I noticed that the port25 DKIM Wizard page inserts fancy double quotes. When I replaced those with the ASCII versions the TXT record finally loaded.

  • Ryan Forssell

    When is 2048 bits going to be an option?

  • Athonia

    I used the Port25 DKIM public/private key process based on the instructions at OpenSRS (above). Everything passes except for the version according to sites like MXToolbox. How do I fix this error as reported from https://www.dmarcanalyzer.com/ ?

    Error : We detected that your key in the DKIM record is invalid.
    DNS Record - athonia-dkim01._domainkey.athonia.com
    Selector - athonia-dkim01
    Domain - athonia.com

    k=rsa;
    p=migfma0gcsqgsib3dqebaquaa4gnadcbiqkbgqdewmljndtzsx4otltgjcpzfnowfuys8s4cz
    wgukaryv4icxb56+y0npar7e3+eei14r+fq9c5vnozkxg+2szaspuvscvxggspu1ejsxkn4hiqk
    t5q3eci+ryamxikr948jj7gnz4+gp//udt66n4frl2nuzaiaxr6u0rg07akshwidaqab
    Declared tags
    v DKIM protocol version

  • Nora Heuer

    @Athonia

    You can simply add

    v=DKIM1;

    before k=rsa;
