How to: Set Up DKIM for Hosted Email Domains

This article outlines the benefits of DKIM and explains how to set up DKIM on an OpenSRS Hosted Email domain.

What is DKIM? 

DomainKeys Identified Mail (DKIM) is a method for associating a domain name with an email message, thereby allowing a person, role, or organization to claim some responsibility for the message. The association is set up by means of a digital signature which can be validated by recipients. Responsibility is claimed by a signer, independently of the message's actual authors or recipients, by adding a DKIM-Signature: field to the message's header. The verifier recovers the signer's public key using the DNS, and then verifies that the signature matches the actual message's content.

What are the benefits of DKIM?

Use with spam filtering

DKIM is a method of labeling a message, and it does not itself filter or identify spam. However, widespread use of DKIM can prevent spammers from forging the source address of their messages, a technique they commonly employ today. If spammers are forced to show a correct source domain, other filtering techniques can work more effectively. In particular, the source domain can feed into a reputation system to better identify spam. Conversely, DKIM can make it easier to identify mail that is known not to be spam and need not be filtered. If a receiving system has a whitelist of known good sending domains, either locally maintained or from third-party certifiers, it can skip the filtering on signed mail from those domains, and perhaps filter the remaining mail more aggressively.

Anti-phishing

DKIM can be useful as an anti-phishing technology. Mailers in heavily phished domains can sign their mail to show that it is genuine. Recipients can take the absence of a valid signature on mail from those domains to be an indication that the mail is probably forged. 

How do I set up DKIM on a Hosted Email domain?

Step 1: Generate a DKIM public key, private key, and key selector using a tool such as the port25 DKIM wizard. A number of similar tools can be found through search engines. The tool will ask for the domain name and the DomainKey selector.

NOTE: If you are using the SystemDNS nameservers, please generate a 1024-bit key, not a 2048-bit key.

Step 2: Add the public key as a TXT record in the domain's DNS zone file. The record must be added on a subdomain based on your key selector. In our example, the subdomain would be key._domainkey.example.com.

Step 3: Contact our support team with the private key and key selector in a password-protected ZIP file. Please call or chat with our team to provide us with the password to the file. Our support team will then install the private key on the mail server and advise you when this process has been completed.

Step 4: Test your DKIM setup with a tool like the MXToolbox DKIM record lookup tool. This will confirm that your private and public keys have been set up correctly and that your email domain is properly configured with DKIM.
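
As an added example (not OpenSRS or port25 code), the following Python check can be run on a TXT value before it is pasted into the zone file in Step 2: it flags non-ASCII characters such as curly quotes and reads the RSA key size out of the p= tag. The function names and the max_bits default (modelling the 1024-bit note in Step 1) are assumptions, and the sample record is built around a dummy modulus, not a real key.

```python
import base64

def _tlv(buf, pos=0):
    """Read one DER element at pos; return (value, offset of the next element)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def rsa_bits(der):
    """Modulus size in bits of an RSA SubjectPublicKeyInfo (the decoded p= tag)."""
    spki, _ = _tlv(der)
    _, pos = _tlv(spki)            # skip the AlgorithmIdentifier
    bitstr, _ = _tlv(spki, pos)
    rsakey, _ = _tlv(bitstr[1:])   # drop the BIT STRING unused-bits byte
    modulus, _ = _tlv(rsakey)
    return int.from_bytes(modulus, "big").bit_length()

def lint_dkim_txt(record, max_bits=1024):
    """List the problems in a DKIM TXT value as pasted from a key wizard."""
    problems = []
    bad = sorted({c for c in record if ord(c) > 127})
    if bad:
        problems.append("non-ASCII characters: " + " ".join(f"U+{ord(c):04X}" for c in bad))
    text = "".join(c for c in record if c not in '"\u201c\u201d' and not c.isspace())
    tags = dict(t.split("=", 1) for t in text.split(";") if "=" in t)
    try:
        bits = rsa_bits(base64.b64decode(tags.get("p", ""), validate=True))
    except (ValueError, IndexError):
        bits = 0
    if bits == 0:
        problems.append("p= is empty or is not a base64 RSA public key")
    elif bits > max_bits:
        problems.append(f"{bits}-bit key exceeds the {max_bits}-bit limit")
    return problems

def _der(tag, body):  # DER encoder, used only to build the constructed sample
    size = len(body)
    octets = size.to_bytes((size.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (octets if size < 128 else bytes([0x80 | len(octets)]) + octets) + body

def sample_record(bits):
    """Constructed TXT value with a dummy modulus: valid DER shape, not a usable key."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsakey = _der(0x30, _der(0x02, b"\x00" + n) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption OID + NULL
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsakey))
    return f'"v=DKIM1; k=rsa; p={base64.b64encode(spki).decode()}"'
```

Calling lint_dkim_txt() on the exact text copied from the wizard returns an empty list when the value is ready for the zone file.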

3 Comments

  • Nora Heuer

    I could not get my zone file to pass a named-checkzone check when using the above DKIM Wizard. So I tried different ones I found on Google (and they all yielded different TXT entries and instructions), but only https://www.socketlabs.com/domainkey-dkim-generation-wizard/ returned a successful check. Confusing you say? HA!

  • Joe Winett

    I noticed that the port25 DKIM Wizard page inserts fancy double quotes. When I replaced those with the ASCII versions the TXT record finally loaded.

  • Ryan Forssell

    When is 2048 bits going to be an option?
