DomainKeys Identified Mail (DKIM) adds a digital signature to outbound email so receiving servers can verify that a message genuinely came from your domain. This article shows you how to add a DKIM record to a hosted email domain using the API, which is an alternative to entering the private key and selector by hand in the Mail Administration Console (MAC). If you prefer the manual approach, see Setting Up DKIM for Hosted Email Domains.
About this method
Setting DKIM with the API involves three parts: generating a key pair and selector, publishing the public key as a TXT record in DNS, and submitting the private key and selector to the email domain through the API. This is useful when you want to automate DKIM setup across many domains rather than configuring each one in the Mail Administration Console.
Step 1: Generate the public key, private key, and selector
First, generate a DKIM key pair and a domain key selector. You can use an online tool such as the SparkPost DKIM wizard. Enter the domain name, the domain key selector, and the key size.
Note: If you use the default SystemDNS nameservers, generate the key at 1024 bits, not 2048 bits.
Step 2: Add the public key as a TXT record
Publish the generated public key as a TXT record in the domain's DNS zone. The record goes on a subdomain built from your selector.
- Build the hostname from your selector. For a selector of key1 on dkimtesting.com, the hostname is key1._domainkey.dkimtesting.com.
- Add the public key as the TXT record value on that hostname.
- If the domain is registered with OpenSRS, you can add the record with the set_dns_zone API method.
Step 3: Submit the private key and selector with the API
Use the change_domain method to add the DKIM record to an existing email domain. The method takes two related attributes:
| Attribute | Description |
|---|---|
| dkim_selector | The selector that matches your private DKIM key. Required if dkim_key is specified. |
| dkim_key | Your private DKIM key, generated with your selector. Required if dkim_selector is specified. Every line break in the key must be represented with the newline control character \n. |
Sample request:
```json
{
  "attributes": {
    "dkim_selector": "key1",
    "dkim_key": "BEGIN RSA PRIVATE KEY/END RSA PRIVATE KEY"
  },
  "credentials": {
    "user": "user@domain.adm",
    "password": "AubE8bHbhx4"
  },
  "domain": "dkimtesting.com"
}
```
Sample response:
```json
{
  "success": true,
  "audit": "snake40_5dcdd78e14"
}
```
Warning: Once the private key is saved, the platform obfuscates it and it cannot be recovered. Keep your own copy of the key in a secure location.
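The following is an added example, not OpenSRS code: it derives the Step 2 hostname and TXT value and builds the Step 3 change_domain body from PEM text, letting the JSON encoder produce the \n escapes. The function names, the `v=DKIM1; k=rsa; p=` record form (standard DKIM, RFC 6376), and the sample PEM bodies and credentials are assumptions constructed for illustration; sending the request is left out.

```python
import json

# Constructed placeholders, not real keys; the private sample uses CRLF on purpose.
PUBLIC_PEM = ("-----BEGIN PUBLIC KEY-----\nAAAAconstructedAAAA\n"
              "BBBBconstructedBBBB\n-----END PUBLIC KEY-----\n")
PRIVATE_PEM = ("-----BEGIN RSA PRIVATE KEY-----\r\nCCCCconstructedCCCC\r\n"
               "-----END RSA PRIVATE KEY-----\r\n")

def dkim_hostname(selector, domain):
    """Step 2 hostname: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"

def pem_body(pem):
    """Return the base64 body of one PEM block, without its BEGIN/END lines."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if (len(lines) < 3 or not lines[0].startswith("-----BEGIN")
            or not lines[-1].startswith("-----END")):
        raise ValueError("input is not a PEM block")
    return "".join(lines[1:-1])

def dkim_txt_value(public_pem):
    """TXT record value for the selector hostname (standard DKIM form)."""
    return f"v=DKIM1; k=rsa; p={pem_body(public_pem)}"

def change_domain_body(domain, selector, private_pem, user, password):
    """Serialize the change_domain request body shown in the sample request."""
    if not selector or not private_pem:
        raise ValueError("dkim_selector and dkim_key must be supplied together")
    pem_body(private_pem)  # reject input that is not a PEM block
    # Keep real line breaks in the string; json.dumps writes each one as \n.
    # Replacing them by hand first would yield \\n and a key that no longer parses.
    key = private_pem.strip().replace("\r\n", "\n")
    return json.dumps({
        "attributes": {"dkim_selector": selector, "dkim_key": key},
        "credentials": {"user": user, "password": password},
        "domain": domain,
    })

if __name__ == "__main__":
    print(dkim_hostname("key1", "dkimtesting.com"))
    print(dkim_txt_value(PUBLIC_PEM))
    # Credentials here are constructed; load real ones from a secret store.
    print(change_domain_body("dkimtesting.com", "key1", PRIVATE_PEM,
                             "user@example.adm", "constructed-password"))
```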
Next steps
- Set DKIM manually instead. To configure DKIM through the interface rather than the API, see Setting Up DKIM for Hosted Email Domains.
- Add a matching SPF record. Pair DKIM with SPF by following Sender Policy Framework (SPF).
- Verify your DKIM record. After publishing, confirm the record resolves using a DKIM lookup tool such as the MXToolbox DKIM record lookup tool.
Questions? Contact OpenSRS Support.