Adding a DKIM record to your DNS

Adding a DKIM record to your DNS is quite simple.

First, your create a key pair with openssl:

openssl genrsa -out private.key 1024
openssl rsa -in private.key -pubout -out public.key

Your public key looks now like:

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEI2JbDzjyNCCxXVWqLdOD+EpS
ZPFEtHG7bmYSQaQjDHP/DQnQ3adkcOKDyEZKHrZTpLFOfd063uUTw4SlloLpziGL
PD44v0vLZI0TXjpdsvSXl0vV6i4nxBnqhvCOG3TrMIz8iF8e8cQL0dnxeaQZyRvx
sbkccjUxLKw1YomX0QIDAQAB
-----END PUBLIC KEY-----

Now you convert this output to one single line:

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEI2JbDzjyNCCxXVWqLdOD+EpSZPFEtHG7bmYSQaQjDHP/DQnQ3adkcOKDyEZKHrZTpLFOfd063uUTw4SlloLpziGLPD44v0vLZI0TXjpdsvSXl0vV6i4nxBnqhvCOG3TrMIz8iF8e8cQL0dnxeaQZyRvxsbkccjUxLKw1YomX0QIDAQAB

This line you will use as public key in your DNS record.

Next, add two txt records like

_domainkey.domain.com          IN TXT o=!;r=postmaster@domain.com
selector._domainkey.domain.com IN TXT v=DKIM1;k=rsa;p=<public key>

Which means:

  • o=~ the server signs some mail
  • o=- all mail is signed, but unsigned mail should be accepted
  • o=! all mail is signed, do not accept unsigned mail
  • t=y I’m still testing
  • v=DKIM1 we use DKIM version 1
  • k=rsa it is a RSA key
  • r=<x@xx> report problems to this email address
  • p=<public key> this is the generated public key

As long as you use keys with 1024 bits, this works fine. Using longer keys you exceed the string size limit of TXT records of 255 bytes. In this case you have to split the information in the TXT record into multiple strings, smaller then 255 bytes.