Enabling DomainKeys Identified Mail (DKIM)

Posted on by David Singer | Updated:
Reading Time: 5 minutes

DomainKeys Identified Mail (DKIM) is a way to attach an encrypted digital signature to emails sent by your domain/server. Similar to adding an SPF record to your server, DKIM help to prevent email spoofing.

Email spoofing is when spammers send email that looks like it’s coming from your email address. Spammers spoof your address to make it more likely that recipients will open spam emails, less likely that messages will be marked as spam, and harder to find the true spam source. If your address is spoofed, your server could get flagged as a spam server and you can have trouble sending legitimate mail, even if you aren’t doing anything wrong. This is commonly known as having a bad mail reputation.

Outgoing DKIM works by generating an encrypted digital signature that is attached to email messages sent by your server. This signature is generated using a public key you save as a DNS record. Theoretically, only you have access to your DNS records, so mail signed using this key should be unmodified and verified as coming from your server. If you don’t use your server to send mail, adding DKIM records to your server will have no effect on your mail reputation.

Using Plesk?

DKIM is not natively supported in Plesk 12. Instead, Plesk uses DomainKeys. If you’d like to use DKIM, it is supported with certain Plesk MailEnable plans. If you specifically need DKIM, contact our Heroic Support team to learn more about MailEnable.

There are three parts to enabling DKIM:

Generating Your DKIM Key

1. On a cPanel server, generating a DKIM key is easy! cPanel does it for you.

2. Log into the cPanel account with email accounts where you’d like to enable DKIM. DKIM records are tied to a domain, you each domain you email from will need its own record.

Scroll down to Email and click on Authentication.

3. On the Email Authentication page, you’ll see two different methods: DKIM and SPF. We recommend using both, but this walkthrough will only cover DKIM. We have a separate article on SPF records. In the DKIM section, click Enable if DKIM is disabled.

4. Once you enable DKIM, you’ll see a field that shows your current raw DKIM record. This is the public key you need to add to your DNS records.

default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyGm4KfaLQsOiNqfNGT0DDa+XE+TmIyr03F3/AMU8SXFwgItBU/PikYTmIyr07yhQoqlPrSL27l8XHf8AMIIB1LtxU2/490wRkuu9ZorEjRkIXSbev1GyAinBQNa5Rln2S+8AMIIBhZzfkNw7panbVJ0HPREiZAJ5TQEX1LjTqB/nArmNaMXaRUCwmYzGY45z8" eW2BJMM7Ftsj3nOTmIyr0LFSL27l8OaMDdcvpCglrFWoF1dXA78ORuvMSL27l8A5+UWRFBQ4NP6awWYj2LTSyeNeTlafawRk2B3C/dNcwpoLjz3T1wBHctcLnuC13+nMzzyUtgIVgz/7Ka8AMIIBQIDAQAB\;

Copy this record and paste it into a text document to prepare for the next step: adding your DKIM record to DNS.

Adding Your DKIM Key to DNS

Now that you’ve generated your DKIM record, you need to add it to your DNS records. These directions are different depending on where your DNS is hosted:

If you don’t know where your DNS is hosted, read our article on how to find out first!

Your DNS Is Hosted at Liquid Web

If you are using Liquid Web’s nameservers, you can update your DNS records right in your Liquid Web account. Liquid Web’s nameservers are:

  • ns.liquidweb.com
  • ns1.liquidweb.com
  • ns.sourcedns.com
  • ns1.sourcedns.com

As long as your domain is using one of these nameservers, you’re good to go!

1. Before you begin to add your DKIM record to your Liquid Web account, there is a small amount of formatting to do. The text portion of your DKIM record should look similar to below.

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyGm4KfaBhFDhZzfkNw7pan+XE+TmIyr03F3/AMU8SXFwgItBU/PikYlddmgf7yhQoqlPrUMEqPZXHfIE8uGg1LtxU2/490wRkuu9ZorEjRkIXSbev1GyAinBQNa5Rln2S+AeBhFDhZzfkNw7panbVJ0HPREiZAJ5TQEX1LjTqB/nArmNaMXaRUCwmYzGY45z8" eW2BJMM7Ftsj3nOPYRbYxLFCzroSSOaMDdcvpCglrFWoF1dXA78ORuvMSL27l8A5+UWRFBQ490wRkuu9ZorEjRNeTlafawRk2B3C/dNcwpoLjz3T1wBHctcLnuC13+nMzzyUtgIVgz/7KaGQv5rnQIDAQAB\;

Some punctuation needs to be removed to format this record correctly.

  • Remove the quotation mark at the beginning of the record.
  • Remove the space and quotation mark in the middle of the record.
  • Remove the slash and semicolon at the end of the record.

With those few edits, you’re all set to load your DKIM record into your Liquid Web account.

2. Log into your Liquid Web account.

3. In the left navigation menu, click on Domains.

4. The Domains Dashboard has three tabs along the top. Click on DNS.

5. Scroll down to Current DNS Zones and click the [+] next to the domain where you’re adding the DKIM record. You’ll see a list of your current DNS records. At the bottom of that list, click on Add a New Record. Now, you can follow the steps you’d normally use to add a DNS record.

6. The first field in your new record is for the subdomain. In this field, enter the first part of your record:

7. The second field is the time to live, or TTL. This is how quickly new changes will take effect. You can match this to your other DNS records.

8. Now, choose TXT from the Type dropdown menu.

9. The last field is the data field. Here you’ll copy and paste the rest of the record cPanel created for you.

10. Click the green checkmark to save your DNS record.

Now that your DKIM record has been added, all that is left is to add a TXT policy record.

Your DNS is hosted on the same server as your email

If you are using private nameservers on the same server as your email, cPanel will set up your DKIM records automatically! So, once you follow the steps to auto-generate your DKIM record, they are automatically added to your DNS zone in WHM. Just confirm they are correct in WHM.

  1. Log into WHM.
  2. In the search bar above the left navigation, search for “DNS.” Then, click on Edit DNS Zone.
  3. Click on the domain where you auto-generated the DNS record in cPanel, then click Edit.
  4. Scroll down and check to see that your DKIM records are included. If they are, you’re all set!
  5. If the SPF record isn’t there, simply add a new record by copying and pasting the DKIM record information into a new TXT record.

Now that your DKIM record has been added, all that is left is to add a TXT policy record.

Adding a TXT Policy Record

A policy record is a DNS TXT record that talks more generally about DKIM on your server. It shows your server uses DKIM verification and makes DKIM work more smoothly. A policy record is just one more DNS record. Wherever you added the DKIM DNS record, you’ll also add the policy record.

There are different tags that make up the text of a policy record:

  • t=y; tells other servers your domain is testing DKIM. This means if your DKIM isn’t working properly, other servers are less likely to reject your email.
  • o=~; means that some of your mail is signed by DKIM, but not necessarily all. o=-; means all your mail is signed by DKIM. So, if another server receives a message that isn’t signed, it will be rejected.
  • n=your information here; is a note. It doesn’t affect DKIM, but you can use it to explain more about your specific DKIM. This will show up in error logs if something DKIM verification fails.
  • r=postmaster@mysite.com; is the responsible email address for this domain. Use an email address you can access on your server.

Most likely, your policy record will look like this.

_domainkey IN TXT "t=y; o=~; n=Interim Sending Domain Policy; r=postmaster@mysite.com"

Using t=y; and o=~; will help your email be delivered even if the DKIM signature gets broken in transit from your server to the receiving server. Of course, replace “postmaster@mysite.com” with the responsible email address.

Entering your policy record is the exact same procedure as entering any other DNS record. Wherever you entered your domain-specific DKIM record is also where you should enter your policy record: either in your Liquid Web account interface, in WHM, or in the control panel of your external DNS provider

You’ve successfully created a DKIM record for your domain! You can check to make sure it’s working by sending a test message from a domain email account to check-auth@verifier.port25.com. You don’t have to include a subject or any body text. You’ll receive an automated reply with the status of DKIM, as well as other services you may have.

Avatar for David Singer

About the Author: David Singer

I am a g33k, Linux blogger, developer, student, and former Tech Writer for Liquidweb.com. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....

Latest Articles

Blocking IP or whitelisting IP addresses with UFW

Read Article

CentOS Linux 7 end of life migrations

Read Article

Use ChatGPT to diagnose and resolve server issues

Read Article

What is SDDC VMware?

Read Article

Best authentication practices for email senders

Read Article