How to Configure DKIM for Automated Outbound Emails

As a reseller, your technical contact domain sends automated account notifications such as domain renewal reminders to end users. Configuring DomainKeys Identified Mail (DKIM) on that domain authenticates those outbound messages and helps them reach the inbox. Tucows provides auto-updating DKIM records so you can enable this protection with two CNAME entries.

Why DKIM matters for automated email

DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to outbound messages that receiving mail servers use to verify the message has not been altered in transit and was authorized by the sending domain. Mailbox providers such as Gmail, Yahoo, and Microsoft now require DKIM alignment for bulk senders, and missing or invalid DKIM signatures are a common cause of legitimate notifications landing in spam.

OpenSRS publishes the public keys for you at key1.example.com.dkim.hostedemail.link and key2.example.com.dkim.hostedemail.link, so you only need to add two CNAME records pointing your domain at those targets. Keys rotate automatically on the OpenSRS side.

Before you begin

• Identify your technical contact domain in the Reseller Control Panel (RCP) — that is the domain that needs DKIM, not necessarily your primary brand domain.
• Confirm you have DNS edit access for that domain. If your nameservers are not systemdns.com, add the equivalent CNAME records through your DNS provider.
• Have the two record values ready (see Step 2). Replace example.com with your technical contact domain in every record.

Step 1: Locate your technical contact domain

1. Log in to the Reseller Control Panel (RCP).
2. Select the Domains tab.
3. Click Settings. Your technical email domain appears under the default settings section. This is the domain that needs the DKIM records.

Step 2: Note the CNAME values to add

Add both records below. Replace example.com with your technical contact domain.

Step 3: Add the CNAME records in RCP (SystemDNS nameservers)

If your domain uses the OpenSRS systemdns.com nameservers, add each record as a subdomain in RCP, then assign the CNAME type.

1. In RCP, enter the domain name in the search field and click Search.
2. Click the domain name in the search results.
3. In the DNS section, click Edit.
4. In the Add Sub-domain field, enter key1._domainkey.example.com and save. Repeat for key2._domainkey.example.com.

   Tip: If RCP prefills your domain in the host field, remove example.com so the value is not duplicated.

5. After adding each subdomain, select CNAME from the Add record drop-down menu.
6. Enter the address value for each record:

   key1._domainkey.example.com  CNAME  key1.example.com.dkim.hostedemail.link
   key2._domainkey.example.com  CNAME  key2.example.com.dkim.hostedemail.link

7. Click Save DNS settings.

Adding the records on other nameservers

If the technical contact domain uses third-party nameservers, add the same two CNAME records through your DNS provider's control panel. The hostname, type, and target values are identical.

Step 4: Verify DKIM is publishing correctly

• Wait 15–60 minutes for DNS to propagate.
• Use a DKIM lookup tool such as dmarcian's DKIM Inspector to query key1._domainkey.example.com and confirm the CNAME resolves to a published public key.
• Send a test notification from the platform and inspect the message headers in the receiving inbox for dkim=pass.

Next steps

• Publish DMARC for hosted email domains — pair DKIM with a DMARC policy so receivers know how to handle unauthenticated mail. See Gmail, Microsoft, and Yahoo DMARC Requirements on the Hosted Email Platform.
• Publish DMARC for domain-platform sends — if you send from the Domains platform as well, see Gmail, Microsoft, and Yahoo DMARC Requirements on the Domains Platform.
• Confirm SPF alignment — DKIM alone does not satisfy DMARC; make sure SPF lists the sending source for your technical contact domain.

Questions? Contact OpenSRS Support.