DomainKeys / DKIM

DomainKey is a spam and phishing scam fighting method which works by signing outbound e-mail messages with a cryptographic signature which can be verified by the recipient to determine if the messages originates from an authorized system.
The process of signing outbound messages and verifying this signature is typically done by the e-mail servers at each end - not by end-users client software.

DomainKey uses DNS TXT records to define DomainKey policy and public encryption keys for a domain name.
DomainKey is developed and patented by Yahoo!. For details please see

DKIM is an extension of DomainKey which uses the same style DNS records.
For details see

There are basically two types of DNS records used by DomainKeys; policy records and selector(public key) records:

1) Policy records:

A domain name using DomainKey should have a single policy record configured.

 _domainkey.yourdomain.tld  TXT "t=y; o=~; r=postmaster@yourdomain.tld"

Here is a list of the possible tags, and their meanings:
  •  o - Outbound Signing policy ('-' means that this domain signs all email, '~' is the default and means that this domain may sign some email with DomainKeys).
  •  r - A reporting email address. If present, this defines the email address where invalid verification results are reported. This tag is primarily intended for early implementers - the content and frequency of the reports will be defined in a separate document.
  •  t - testing mode ('y' means that this domain is testing DomainKeys so unsigned and unverifiable email should not be treated differently from verified email. Recipient systems may wish to track testing mode results to assist the sender.)
  •  n - Notes that may be of interest to a human. No interpretation is made by any program.
Receiving e-mail servers check this policy record to find out to what extent the sender domain name uses DomainKeys (if there is no such record, the domain does not use DomainKey).
Based on this, the receiving e-mail server might reject or flag un-signed messages from this domain name.

2) Selector records:

An e-mail message signed with a DomainKey will include a header item "DomainKey-Signature" containing the cryptographic signature and a few other fields including a "selector" (s=) - for example:

DomainKey-Signature: a=rsa-sha1;

You can only setup one DomainKey policy record per domain - but you can setup multiple selector records. The selector record holds your public key. You can setup multiple selectors to be used on different servers if you like, or you can use one selector for all your outgoing email. You can also create a selector that only works for one specific email address. Here is an example selector record:

myselector._domainkey.yourdomain.tld TXT "k=rsa; p=AIGf ... AQAB"

Note that p= section is your public key, you can take your public key file remove the -----BEGIN PUBLIC KEY-----, -----END PUBLIC KEY-----, all whitespace and new lines. If the key ends with an equals sign be sure to include it. If your public key appears truncated with a normal TXT record, utilize the DOMAINKEYS record instead.

  • g - granularity of the key. If present with a non-zero length value, this value MUST exactly match the local part of the sending address. This tag is optional. The intent of this tag is to constrain which sending address can legitimately use this selector. An email with a sending address that does not match the value of this tag constitutes a failed verification.
  • k - key type (rsa is the default). All Signers and verifiers support the 'rsa' key type.
  • n - Notes that may be of interest to a human. No interpretation is made by any program. This tag is optional.
  • p - public-key data, encoded as a Base64 string. An empty value means that this public-key has been revoked. This tag MUST be present.
  • t - testing mode ('y' means that this domain is testing DomainKeys and unverified email MUST NOT be treated differently from verified email. Recipient systems MAY wish to track testing mode results to assist the sender.) This tag is optional.

The important thing is that for each selector used to sign outgoing messages from your domain name, you setup a separate TXT record in DNS.
The public key value is typically generated by a function in the e-mail server software or by using a tool such as "openssl".
The public key must of course match the private key used by the e-mail server software to sign outgoing messages.

 Testing and Troubleshooting

A DomainKey Policy Record Tester
A DomainKey Selector Record Tester
Sender ID/SPF/DomainKeys Test Server
  • 74 Users Found This Useful
Was this answer helpful?

Related Articles

SPF (Sender Policy Framework)

SPF works by domains publishing "reverse MX" records to tell the world what machines...

Powered by WHMCompleteSolution