DomainKeys Identified Mail (DKIM) is an email authentication method that attaches a digital signature to your outgoing messages so recipients can verify they genuinely came from your domain. This article explains what DKIM does, why it helps your deliverability, and how to set it up on an OpenSRS hosted email domain through the Mail Administration Console (MAC).
About DKIM
DKIM associates a domain name with an email message, letting a person, role, or organization claim responsibility for that message. It works by adding a DKIM-Signature field to the message header, signed with a private key. The receiving server retrieves the matching public key from DNS and verifies that the signature matches the message content.
DKIM does not filter or identify spam on its own. Instead, it labels messages so that other systems can trust them. Widespread DKIM use prevents spammers from forging your source domain, which lets reputation and filtering systems work more effectively. It also helps receiving systems recognize legitimate mail from known good domains.
DKIM is also useful as an anti-phishing measure. Senders in frequently spoofed domains can sign their mail to prove it is genuine, and recipients can treat the absence of a valid signature as a sign that a message may be forged.
Before you begin
- DKIM generator tool. You need a tool to create your key pair and selector, such as the EasyDMARC DKIM record generator. Several similar tools are available online.
- MAC access. You sign in to the Mail Administration Console (MAC) to enter the selector and private key for the domain.
Step 1: Generate the key pair and selector
Create a DKIM public key, private key, and key selector using a DKIM generator tool. The tool asks for the domain name and a DomainKey selector.
- Open a DKIM generator such as the EasyDMARC DKIM record generator.
- Enter the domain name and a selector (for example, dkim1).
- Generate the keys and keep the output available for the next steps.
Note: If you use the SystemDNS nameservers, generate the key at 1024 bits, not 2048 bits.
Step 2: Publish the public key in DNS
Add the public key as a TXT record in the domain's DNS zone, on a subdomain built from your selector.
- Build the hostname from your selector. For a selector of key on example.com, the hostname is key._domainkey.example.com.
- Add a TXT record on that hostname with the public key as its value.
- Save the DNS changes.
Step 3: Enter the selector and private key in the MAC
Add the selector and private key to the domain in the Mail Administration Console so the platform can sign outbound mail.
- Log in to the MAC and search for the domain in the top-left search field.
- On the domain overview page, expand the DKIM section.
- In the Selector field, enter only the selector you set for the domain (for example, dkim1) and nothing more.
- In the Key field, paste the private key.
- Click Update at the bottom of the page.
Warning: After you save the private key, the platform obfuscates it for security and it cannot be recovered from the system. Keep your own secure copy of the key.
Step 4: Test your DKIM setup
Confirm that the public and private keys match and that the domain is configured correctly.
- Open a DKIM lookup tool such as the MXToolbox DKIM record lookup tool.
- Enter the domain and selector, then run the check to confirm the record resolves and validates.
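As an added example (not OpenSRS code), the Python sketch below checks a DKIM TXT record value offline, before or after you publish it in Step 2. It builds the hostname from a bare selector, parses the record's tags, and reads the RSA key size from the p= value so it can be compared with the 1024-bit note in Step 1. The function names and the sample record, which uses a dummy modulus rather than a real key, are constructed for illustration.

```python
import base64

# Constructed sample p= value: valid 1024-bit SPKI layout, dummy modulus, not a real key.
_HDR = bytes.fromhex("30819f300d06092a864886f70d010101050003818d0030818902818100")
SAMPLE_P = base64.b64encode(_HDR + b"\xc3" * 128 + bytes.fromhex("0203010001")).decode()
SAMPLE_TXT = "v=DKIM1; k=rsa; p=" + SAMPLE_P

def dkim_hostname(selector, domain):
    """Step 2 hostname: <selector>._domainkey.<domain>."""
    if "_domainkey" in selector:
        raise ValueError("pass the bare selector, not the full hostname")
    return f"{selector}._domainkey.{domain}".lower()

def parse_tags(txt):
    """Split 'v=DKIM1; k=rsa; p=...' into a dict, dropping folding whitespace."""
    pairs = (part.partition("=") for part in txt.split(";"))
    return {k.strip(): "".join(v.split()) for k, sep, v in pairs if sep}

def _tlv(buf, pos):  # read one DER element -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(p_value):
    """Modulus size in bits of a base64 SubjectPublicKeyInfo (the p= value)."""
    der = base64.b64decode(p_value, validate=True)
    _, start, _ = _tlv(der, 0)          # outer SEQUENCE
    _, _, alg_end = _tlv(der, start)    # AlgorithmIdentifier, skipped
    tag, bits, _ = _tlv(der, alg_end)   # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("not a SubjectPublicKeyInfo")
    _, seq, _ = _tlv(der, bits + 1)     # +1 skips the unused-bits byte
    _, n0, n1 = _tlv(der, seq)          # first INTEGER is the modulus
    return int.from_bytes(der[n0:n1], "big").bit_length()

def check_record(txt, expected_bits=1024):
    """Return a list of problems with a DKIM key record; empty means OK."""
    tags = parse_tags(txt)
    problems = [] if tags.get("v", "DKIM1") == "DKIM1" else ["v= must be DKIM1"]
    if not tags.get("p"):
        return problems + ["p= is missing or empty (no usable key)"]
    try:
        bits = rsa_bits(tags["p"])
    except (ValueError, IndexError):
        return problems + ["p= is not a base64 RSA public key"]
    if bits != expected_bits:
        problems.append(f"key is {bits} bits, expected {expected_bits}")
    return problems
```

Pass expected_bits=2048 to check_record for zones that accept 2048-bit keys.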
Next steps
- Set DKIM through the API. To automate setup across many domains, see Setting a DKIM Record for Hosted Email Domains Using the API.
- Add an SPF record. Pair DKIM with SPF by following Sender Policy Framework (SPF).
- Configure outbound notice records. If you send automated reseller notices, see Configuring Records for Automated Outbound Email Delivery.
Questions? Contact OpenSRS Support.