How to add a DKIM record to DNS?

Adding a DKIM record is more involved than adding an SPF record: you have to generate a public/private key pair, install DKIM signing software, and configure your mail server to hand outgoing mail to that software for signing. The DKIM record itself is a DNS TXT record whose content (the public key) is produced by the DKIM software. So, unlike SPF, the whole software stack has to be installed and configured before there is anything to publish in DNS. We will use Postfix and opendkim as the example to explain how to generate the DKIM record and add it to DNS.

There are tons of posts on the internet about how to install and set up opendkim. None of them tells you how it actually works, but the instructions they list basically do work. You can refer to this post for the step-by-step process of setting up opendkim.

install opendkim:

generate public/private keys:

Note that, when no selector is given, the opendkim-genkey command generates a key for the selector named default (the selector is also the base name of the output files, default.private and default.txt), which is equivalent to:

You can, however, change the selector to whatever you want, such as:

The generated default.txt will contain a tag “s=email”. Do not confuse it with the selector. The s tag lists the service types the key may be used for: “email” restricts the key to mail signing (opendkim-genkey adds this tag when it is run with the -r option), and a record without an s tag is valid for any service.

change permissions and owners of the directories:

configure opendkim:

The main configuration file of opendkim is /etc/opendkim.conf. You need to edit it to specify your domain, the signing table file, the key table file, the external ignore list file and the internal hosts file. Default versions of these files ship in /etc/opendkim/: KeyTable, SigningTable and TrustedHosts. Edit them to specify your domain and the location of the key file.

Here is working /etc/opendkim.conf:

Here is the changed part of KeyTable:

Here is the changed part of SigningTable:

Here is the changed part of TrustedHosts

Configure Postfix:

Append the following lines to /etc/postfix/

Restart opendkim and Postfix
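Here is the whole procedure above in one place, as an added example rather than the original post's commands: a shell script that renders each configuration file from a domain and selector (so you can inspect it, or diff it against what is already on the server) and, when run as root with APPLY=1, installs opendkim, generates a 2048-bit key, fixes permissions, writes the files, appends the Postfix lines and restarts both services. The domain example.com, the selector default, the key directory under /etc/opendkim/keys, the milter port 8891 and the Debian/Ubuntu package names are assumptions; override them through the environment.

```shell
#!/bin/sh
# Added example, not the commands from the original post: render each opendkim
# and Postfix configuration file for one domain and selector, so every file can
# be inspected before it is written, then apply the whole procedure when run as
# root with APPLY=1. Domain, selector, key directory and milter port are
# assumptions (override them via the environment).

DKIM_DOMAIN="${DKIM_DOMAIN:-example.com}"
DKIM_SELECTOR="${DKIM_SELECTOR:-default}"
DKIM_KEYDIR="${DKIM_KEYDIR:-/etc/opendkim/keys/$DKIM_DOMAIN}"
DKIM_MILTER_PORT="${DKIM_MILTER_PORT:-8891}"

# KeyTable: one line per key, "<key name> <domain>:<selector>:<private key path>".
render_keytable() {
    printf '%s._domainkey.%s %s:%s:%s/%s.private\n' \
        "$DKIM_SELECTOR" "$DKIM_DOMAIN" "$DKIM_DOMAIN" "$DKIM_SELECTOR" \
        "$DKIM_KEYDIR" "$DKIM_SELECTOR"
}

# SigningTable (refile: syntax, so the wildcard works): which senders use which key.
render_signingtable() {
    printf '*@%s %s._domainkey.%s\n' "$DKIM_DOMAIN" "$DKIM_SELECTOR" "$DKIM_DOMAIN"
}

# TrustedHosts: mail from these hosts is signed rather than verified.
render_trustedhosts() {
    printf '127.0.0.1\n::1\nlocalhost\n*.%s\n' "$DKIM_DOMAIN"
}

# /etc/opendkim.conf with the directives the post says to set. Mode sv means
# sign outgoing and verify incoming; the Socket line must match Postfix below.
render_opendkim_conf() {
    cat <<EOF
Syslog                  yes
UMask                   002
Domain                  $DKIM_DOMAIN
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
Mode                    sv
Canonicalization        relaxed/simple
Socket                  inet:$DKIM_MILTER_PORT@localhost
EOF
}

# Lines to append to /etc/postfix/main.cf so Postfix passes mail through the
# milter. "accept" means mail is delivered unsigned if opendkim is down.
render_postfix_main_cf() {
    cat <<EOF
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:$DKIM_MILTER_PORT
non_smtpd_milters = \$smtpd_milters
EOF
}

# The whole procedure from the post, in order (Debian/Ubuntu package names).
apply_all() {
    apt-get install -y opendkim opendkim-tools
    mkdir -p "$DKIM_KEYDIR"
    # -r adds the s=email tag seen in default.txt; -b 2048 is an assumption.
    opendkim-genkey -b 2048 -r -d "$DKIM_DOMAIN" -D "$DKIM_KEYDIR" -s "$DKIM_SELECTOR" -v
    # Only the opendkim user may read the private key.
    chown -R opendkim:opendkim /etc/opendkim/keys
    chmod 700 "$DKIM_KEYDIR"
    chmod 600 "$DKIM_KEYDIR/$DKIM_SELECTOR.private"
    render_keytable        > /etc/opendkim/KeyTable
    render_signingtable    > /etc/opendkim/SigningTable
    render_trustedhosts    > /etc/opendkim/TrustedHosts
    render_opendkim_conf   > /etc/opendkim.conf
    render_postfix_main_cf >> /etc/postfix/main.cf
    systemctl restart opendkim postfix
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_all
else
    render_opendkim_conf   # dry run: show what would be written
fi
```

Without APPLY=1 the script only prints the opendkim.conf it would write, so you can review every file with the render functions first. milter_default_action = accept is the usual choice, but it means that when opendkim is not running Postfix delivers mail unsigned instead of deferring it; set it to tempfail if you would rather queue mail until the signer is back.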

Add DKIM record to DNS

Now, absolutely do not copy the whole content of default.txt into the TXT record as those posts tell you to. To create a DKIM record in DNS, go to your domain registrar's control panel, open the DNS settings, click “add TXT/SPF record”, fill the hostname with default._domainkey, and fill the TEXT field with

which is copied from default.txt. You can omit the “s=email” tag if you want the key to be usable for any service; keeping it restricts the key to email, which is the only thing DKIM is used for anyway, so either choice works.

Do not include double quotes! Do not include line breaks! When you click the submit button, the web form adds a double quote at the beginning and at the end of the text automatically. Yes, default.txt shows the TXT record as two character-strings while you added only one, but that does not matter: a verifier concatenates all character-strings of the record in order and only cares about the resulting text (RFC 6376, section 3.6.2.2), so for a 1024-bit key, whose whole record fits in 255 characters, one string is enough. If you type double quotes into the TEXT box, the back end escapes them, which produces a record with the wrong syntax. One caveat: a single character-string cannot exceed 255 octets, which is why opendkim-genkey splits its output in the first place. With a 2048-bit key the p= value alone is 392 characters, so the registrar form must split it into several strings for you (most do) or let you enter the strings separately; if it does neither, check what was actually published with dig TXT default._domainkey.yourdomain.
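The conversion described above, as an added example rather than something from the original post: a small shell script that extracts the record body from default.txt (removing the quotes, line breaks, parentheses and trailing comment), optionally drops s=email, and splits the result into 255-octet character-strings when it does not fit in one. It works on constructed default.txt samples whose p= values are placeholder base64 of the lengths a 1024-bit and a 2048-bit key produce (not real keys); the domain example.com and the selector default are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: derive the exact text to paste into
# a registrar's TXT form from opendkim-genkey's default.txt, and split it into
# 255-octet character-strings when the record is too long for one. The sample
# default.txt contents below are constructed (the p= values are placeholder
# base64 of the right length, not real keys); selector/domain are assumptions.

# Concatenate every double-quoted character-string in default.txt (read from
# stdin), dropping the quotes, line breaks, parentheses and trailing comment.
dkim_record_from_genkey() {
    awk -F'"' '{ for (i = 2; i <= NF; i += 2) printf "%s", $i } END { print "" }'
}

# Remove the s=email service-type tag so the key is valid for any service.
dkim_drop_service_tag() {
    sed 's/ *s=email;//'
}

# Split a record body into quoted character-strings of at most 255 octets, one
# per line; a verifier concatenates them in order, so the split point is arbitrary.
dkim_txt_strings() {
    printf '%s\n' "$1" | fold -w 255 | sed 's/.*/"&"/'
}

# How many character-strings the record needs (1 means the registrar form can
# take the body as-is; more means it must split it, or you enter each string).
dkim_string_count() {
    dkim_txt_strings "$1" | wc -l | tr -d ' '
}

# Fetch what is actually published and normalise it the same way, so it can be
# compared with the local default.txt. Needs network and dig; not run below.
dkim_published_record() {   # usage: dkim_published_record domain selector
    dig +short TXT "$2._domainkey.$1" | dkim_record_from_genkey
}

repeat_char() {   # usage: repeat_char CHAR COUNT
    awk -v c="$1" -v n="$2" 'BEGIN { for (i = 0; i < n; i++) printf "%s", c; print "" }'
}

# Constructed samples in opendkim-genkey's output format: a 1024-bit RSA public
# key encodes to 216 base64 characters, a 2048-bit key to 392.
P1024=$(repeat_char A 216)
P2048=$(repeat_char B 392)
SAMPLE_GENKEY_1024=$(printf 'default._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; s=email; "\n\t  "p=%s" )  ; ----- DKIM key default for example.com\n' "$P1024")
SAMPLE_GENKEY_2048=$(printf 'default._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; s=email; "\n\t  "p=%s" )  ; ----- DKIM key default for example.com\n' "$P2048")

for sample in "$SAMPLE_GENKEY_1024" "$SAMPLE_GENKEY_2048"; do
    body=$(printf '%s\n' "$sample" | dkim_record_from_genkey | dkim_drop_service_tag)
    echo "record body (${#body} chars) needs $(dkim_string_count "$body") string(s):"
    dkim_txt_strings "$body"
done
```

For the 1024-bit sample one string comes out, which is the case the text above describes; for the 2048-bit sample two come out, and that is the case where pasting one unbroken string only works if the registrar splits it for you. After publishing, run dkim_published_record example.com default and compare its output with what dkim_record_from_genkey prints for your default.txt (after dropping s=email if you did); they should be identical.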

Test the DKIM record

To verify the DKIM record you added to DNS, run the following command, replacing example.com with your domain:

opendkim-testkey -d example.com -s default -vvv

“key OK” in the output indicates you have added the DKIM record successfully. A preceding line saying “key not secure” only means the zone is not DNSSEC-signed; it is not an error.
