Configuring DNS records for DomainKeys / DKIM

DomainKeys is an anti-spam and anti-phishing method which works by signing outbound e-mail messages with a cryptographic signature that the recipient can verify to determine whether the message originates from a system authorized by the sender domain.
The signing of outbound messages and the verification of the signature are typically done by the e-mail servers at each end, not by the end users' client software.

DomainKeys uses DNS TXT-records to publish a domain name's DomainKeys policy and the public keys used to verify its signatures.
DomainKeys was developed and patented by Yahoo!. For details please see http://domainkeys.sourceforge.net/

DKIM is an extension of DomainKeys which uses the same style DNS records.
For details see http://www.dkim.org

There are two types of DNS records used by DomainKeys: policy records and public key records.

1) Policy records:

A domain name using DomainKeys should have a single policy record configured.
This is a DNS TXT-record with the name "_domainkey" prefixed to the domain name - for example "_domainkey.example.com".
The data of this TXT-record contains the policy, which is either "o=-" or "o=~".
"o=-" means "all e-mails from this domain are signed", and "o=~" means "some e-mails from this domain are signed".
Additional fields for test mode (t), responsible e-mail address (r), and notes (n) may also be included - for example "o=-; n=some notes".

In Simple DNS Plus such a record would look like this:

[Screenshot: the "_domainkey" policy TXT-record as entered in Simple DNS Plus]

Receiving e-mail servers check this policy record to find out to what extent the sender domain name uses DomainKeys (if there is no such record, the domain does not use DomainKeys).
Based on this, the receiving e-mail server might reject or flag unsigned messages from this domain name.

2) Public key records:

An e-mail message signed with DomainKeys will include a header field "DomainKey-Signature" containing the cryptographic signature and a few other fields, including a "selector" (s=) - for example:

DomainKey-Signature: a=rsa-sha1;
    s=newyork;
    d=example.com;
    c=simple;
    q=dns;
    b=dydVyOfAKCdLXdJOc8G2q8LoXSlEniSbav+yuU4zGffruD00lszZVoG4ZHRNiYzR;

For the receiving e-mail server to verify this signature, it must first obtain the public key for the selector value.
For the above example, this is stored in a DNS TXT-record with the name "newyork._domainkey.example.com".
In other words, the name of this TXT-record is the selector (s=...) + "._domainkey." + the domain name.
The data of this TXT-record is in the format "k=rsa; p=MHww..." where the value after p= is the base64-encoded public key.
Additional fields for granularity (g), test (t), and notes (n) may also be included (see specification for details).

In Simple DNS Plus such a record would look like this:

[Screenshot: the "newyork._domainkey" public key TXT-record as entered in Simple DNS Plus]

The selector value ("newyork" in the above example) may be a fixed value used by your e-mail server software, or you may be able to configure multiple selectors, for example for different branch offices or individual e-mail servers.
The important thing is that for each selector used to sign outgoing messages from your domain name, you set up a separate TXT-record in DNS.
The public key value is typically generated by a function in the e-mail server software or by using a tool such as "openssl".
The public key must of course match the private key used by the e-mail server software to sign outgoing messages, otherwise every signature from that selector will fail verification.
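The naming rule and record formats described in sections 1) and 2) above, as an added example (not part of this article or of Simple DNS Plus): it derives the DNS names a receiving server queries from the DomainKey-Signature header, and parses the tag=value data of the policy and public key TXT-records. The header and record contents are constructed samples modelled on the article's example.

```python
import re

def parse_tags(data):
    """Split 'tag=value; tag=value' TXT-record data into a dict."""
    tags = {}
    for part in data.split(";"):
        part = part.strip()
        if not part:
            continue  # trailing ';' leaves an empty piece
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % part)
        tags[name.strip()] = value.strip()
    return tags

def parse_signature_header(header):
    """Parse a DomainKey-Signature header; folded continuation lines are allowed."""
    if header.lower().startswith("domainkey-signature:"):
        header = header.split(":", 1)[1]
    return parse_tags(re.sub(r"\s+", " ", header))

def policy_record_name(domain):
    return "_domainkey." + domain            # e.g. _domainkey.example.com

def public_key_record_name(selector, domain):
    return selector + "._domainkey." + domain  # e.g. newyork._domainkey.example.com

def policy_signs_all(policy_data):
    """True for 'o=-' (all mail signed), False for 'o=~' (some mail signed)."""
    o = parse_tags(policy_data).get("o")
    if o not in ("-", "~"):
        raise ValueError("policy record must contain o=- or o=~")
    return o == "-"

def public_key_from_record(key_data):
    """Return the base64 p= value; an empty p= means the key was revoked."""
    tags = parse_tags(key_data)
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported key type: %r" % tags.get("k"))
    if not tags.get("p"):
        raise ValueError("missing or empty p= value (revoked or malformed record)")
    return tags["p"]

# Constructed sample header using the same tags as the article's example.
SAMPLE_HEADER = ("DomainKey-Signature: a=rsa-sha1;\n s=newyork;\n d=example.com;\n"
                 " c=simple;\n q=dns;\n b=dydVyOfAKCdLXdJOc8G2q8LoXSlEniSbav+yuU4zGffruD00lszZVoG4ZHRNiYzR;")

if __name__ == "__main__":
    sig = parse_signature_header(SAMPLE_HEADER)
    print(policy_record_name(sig["d"]))                 # _domainkey.example.com
    print(public_key_record_name(sig["s"], sig["d"]))   # newyork._domainkey.example.com
```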

Please note: There is a similar and currently more widely adopted system called SPF (Sender Policy Framework), which is described in a separate article.