What is it?

DKIM is a development of "DomainKeys" from Yahoo and "Identified Internet Mail" from Cisco, hence the name DKIM. DKIM is a method of verifying that an email's sender is who they say they are. Its purpose is to prevent email spoofing.

DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.

How does it work?

  1. The sending domain publishes two TXT records in its DNS zone. One record holds the public key; the other is the DKIM policy.
  2. The outbound email contains a DKIM signature generated by the sending mail server.
  3. The public key is used by the recipient mail server to verify the DKIM signature.

How to get DKIM working in SpamTitan

  1. Go to Settings > Relay Settings > DKIM on your Outbound Cloud Interface. You should see a list of the domain relays.
  2. Click the edit button beside a domain. A new pane titled "DKIM:yourdomain" will pop up.
  3. From the second tab (Domain Key) of the new pane, enter a selector name (anything you want) and click the generate button.
  4. Go back to the first tab (Options) and copy the info from the DNS TXT Record text area.
  5. On your DNS server, create a TXT record called selectorName._domainkey.yourdomain (replace selectorName with the actual selector name from the DKIM record you created on the SpamTitan server). Paste the info and remove extraneous formatting. It should look something like this:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDj1nxgYYFKNXBqMi/81QS+oG5NklPwtNQxksU3B9sBN8E37+dlGIV+YEjj6cpwBCc0z+RXjTuM6e6wwjBLo/ds9HX654OyBDmwKkyyl0EWgIF8HUNcTmL2tBln5NxJvygoceJ9FtqLLUVN75PNt74ykZQxMhZEZNY+VPJM/URaQIDAQAB

  6. On your DNS server, create a TXT record called _domainkey.yourdomain. This is the "Policy record".

Policy records

A domain name using DomainKeys should have a single policy record configured. This is a DNS TXT record with the name "_domainkey" prefixed to the domain name, for example "_domainkey.example.com". The data of this TXT record contains the policy, which is either "o=-" or "o=~". "o=-" means "all e-mails from this domain are signed", and "o=~" means "some e-mails from this domain are signed".
Additional fields for test (t), responsible e-mail address (r), and notes (n) may also be included, for example "o=-; n=some notes".

  7. Go back to the Options tab of the "DKIM:yourdomain" pane and click the "verify" button. If SpamTitan can retrieve the DNS TXT record and if it matches what is specified in SpamTitan, the verification will succeed.
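
The clean-up in step 5 and the comparison in step 7 can be checked locally before clicking "verify". The following is an added Python example, not part of SpamTitan or the original article: it strips zone-file formatting from a pasted key record, checks its tags, and compares it with the expected value. The function names and the sample key (constructed placeholder bytes, not a real public key) are assumptions; how SpamTitan itself compares the records is not documented here.

```python
import base64
import binascii
import re

# Constructed placeholder bytes, not a real public key.
SAMPLE_P = base64.b64encode(b"constructed placeholder, not a real RSA key").decode()
EXPECTED = f"v=DKIM1; k=rsa; p={SAMPLE_P}"  # stands in for the text area content (assumed)

def normalize_txt(pasted):
    """Join the quoted chunks a zone file or DNS console shows; unquoted input is only trimmed."""
    chunks = re.findall(r'"([^"]*)"', pasted)
    return ("".join(chunks) if chunks else pasted).strip()

def parse_tags(record):
    """Split a 'tag=value; tag=value' list into an ordered dict, rejecting duplicates."""
    tags = {}
    for part in filter(str.strip, record.split(";")):
        name, sep, value = part.partition("=")
        name = name.strip()
        if not sep or not name or name in tags:
            raise ValueError(f"malformed or duplicate tag: {part.strip()!r}")
        # Whitespace inside p= is only line folding, so remove it entirely.
        tags[name] = "".join(value.split()) if name == "p" else value.strip()
    return tags

def check_key_record(pasted):
    """Return a list of problems found in a pasted DKIM key record (empty list = looks fine)."""
    try:
        tags = parse_tags(normalize_txt(pasted))
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if "v" in tags and (tags["v"] != "DKIM1" or list(tags)[0] != "v"):
        problems.append("v= must be DKIM1 and must be the first tag")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= differs from the rsa key type shown in this article")
    if not tags.get("p"):
        problems.append("p= is missing or empty (an empty p= revokes the key)")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
    return problems

def same_record(published, expected):
    """True when both records carry identical tags after formatting is removed."""
    return parse_tags(normalize_txt(published)) == parse_tags(normalize_txt(expected))
```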