12.2 Creating DNS records for DKIM
Many of our customers have hosted DNS, that is, the domain registrar from which they purchased their corporate domain(s) also hosts their DNS zones, and these customers typically edit their zone via a web-based GUI. In that case, for this and for each of the following examples, simply enter the appropriate information in the GUI and follow the registrar’s instructions to save and propagate it.
Other customers (generally large corporations or academic institutions) are more likely to run their own DNS servers, and will have to edit the appropriate zone file in the usual way.
In either case, this section is intended only to provide examples of the information you will need to create your DKIM records, and general DNS advice applicable to both cases above. Editing zone files is beyond the scope of this document: customers in the first case should consult their registrar’s or DNS provider’s support for assistance, whereas customers in the second case are urged to consult the DNS/BIND documentation for their particular implementation of DNS for guidance.
Important: The examples provided below are not intended to be used “as-is”; you must substitute the correct information for your site or DKIM will not work. In particular, the public and private keys in these examples are deliberately invalid and cannot be used to create live DKIM records.
12.2.1 Creating a DKIM TXT selector record in DNS
Creating a DKIM TXT record can be done in various ways. If you run your own DNS, simply edit your forward zone file to include a TXT record. We will assume for this exercise that the LISTSERV host name is “listserv.example.com”. You will need to enter the following information:
Host:       default._domainkey.listserv
TXT Value:  v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcARWuStG7G33L+M5jqjiCbhfKBlgxIMC8Of5ODONOTUSETHISKEYITISANEXAMPLEONLY91O1RigBB/C+UXzPO+N1+hZ55ZXS8MPGPgaV9VM1EysEdyfm2Y/rn935GGJwtm67fz+6dyKkCAzLsMjR5DvcxxlMzf6Gs9TrX7PBNwIDAQAB
TTL:        Your preference, but typically 1 hour
Notes:
- When creating a new record in a DNS zone file, the host name usually is not fully-qualified. If you are editing the zone file for the example.com zone, it should not be necessary to enter the fully-qualified domain name in the “host” field; most hosted-DNS GUIs append the zone name automatically, and entering the FQDN there would create a record for default._domainkey.listserv.example.com.example.com instead. Be sure to check the documentation for whatever DNS you are running if this is unclear, and after the change has propagated, query the record from an outside resolver to confirm it answers at the expected name.
- We are assuming a DKIM selector value of “default”. For the purposes of DKIM authentication, receiving sites look up a TXT record at “selector”._domainkey.“signing domain”, where the selector and the signing domain are taken from the s= and d= tags of the DKIM-Signature header on the message. In our example, where LISTSERV signs as listserv.example.com, receiving sites would be looking for the TXT record belonging to default._domainkey.listserv.example.com. Note that the underscore before “domainkey” is required.
- The TXT value must be entered as one continuous string with no line breaks or embedded spaces; any wrapping you see in this document is only due to page width. The value of “p=” is the base64 text of the public key from between the lines
-----BEGIN PUBLIC KEY-----
and
-----END PUBLIC KEY-----
Those lines are PEM framing, not part of the key, and must not be included. Note the label: DKIM (RFC 6376) expects the key in SubjectPublicKeyInfo form, which is what “PUBLIC KEY” framing denotes and what the example above contains (a 1024-bit key in this form begins “MIGfMA0G…”). A file framed with “-----BEGIN RSA PUBLIC KEY-----” holds the same key in PKCS#1 form (its base64 begins “MIGJ” for a 1024-bit key); that encoding is not what verifiers expect and must be converted to the SubjectPublicKeyInfo form first (for OpenSSL, the rsa command with -RSAPublicKey_in and -pubout does this).
- A single TXT character-string is limited to 255 bytes. A 1024-bit key fits, but the record for a 2048-bit key is longer than that and must be entered as two or more quoted strings in a zone file (resolvers concatenate them); most hosted-DNS GUIs split long values automatically, but check the result with a DNS query rather than assume it.
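The following script is an added example, not part of the LISTSERV manual or its tools, that carries the note above through in code: it strips the PEM framing, wraps a key that arrived in PKCS#1 (“RSA PUBLIC KEY”) form into SubjectPublicKeyInfo, builds the p= value and the TXT string, writes a BIND-style zone line with the 255-byte string split applied, and parses the record back the way a verifier reads it. It uses only the Python standard library. The embedded key is a constructed, deliberately unusable toy (modulus 0xC3) so that the DER is well formed while being obviously not a real key; the function names are the example’s own.

```python
"""Build a DKIM selector TXT record from an RSA public key PEM (added example, stdlib only)."""
import base64
import re

# DER encoding of the rsaEncryption OID 1.2.840.113549.1.1.1 (tag 06, length 09, OID bytes).
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")

# Constructed sample: a PKCS#1 RSAPublicKey with n = 0xC3 and e = 65537. Like the manual's
# example key it is intentionally unusable, but its DER structure is exactly what a key tool emits.
SAMPLE_PKCS1_PEM = """-----BEGIN RSA PUBLIC KEY-----
MAkCAgDDAgMBAAE=
-----END RSA PUBLIC KEY-----
"""


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, else 0x80|count followed by big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    """One DER tag-length-value element."""
    return bytes([tag]) + der_length(len(body)) + body


def pem_to_der(pem: str) -> tuple[str, bytes]:
    """Return (label, DER bytes) of one PEM block; the BEGIN/END lines are framing, not key data."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("not a PEM block")
    label, body = m.group(1), "".join(m.group(2).split())
    return label, base64.b64decode(body, validate=True)


def pkcs1_to_spki(pkcs1: bytes) -> bytes:
    """Wrap a PKCS#1 RSAPublicKey as SubjectPublicKeyInfo:
    SEQUENCE { SEQUENCE { OID rsaEncryption, NULL }, BIT STRING { RSAPublicKey } }."""
    algorithm = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")
    subject_public_key = der_tlv(0x03, b"\x00" + pkcs1)  # leading 0x00: no unused bits
    return der_tlv(0x30, algorithm + subject_public_key)


def dkim_p_value(pem: str) -> str:
    """The p= tag: base64 of the SubjectPublicKeyInfo DER, whichever PEM label the key tool used."""
    label, der = pem_to_der(pem)
    if label == "RSA PUBLIC KEY":          # PKCS#1 output: wrap it first
        der = pkcs1_to_spki(der)
    elif label != "PUBLIC KEY":
        raise ValueError(f"expected a public key block, got {label!r}")
    if RSA_ENCRYPTION_OID not in der:
        raise ValueError("SubjectPublicKeyInfo does not declare rsaEncryption")
    return base64.b64encode(der).decode("ascii")


def dkim_txt_value(pem: str) -> str:
    """The complete TXT value for a k=rsa selector record."""
    return f"v=DKIM1; k=rsa; p={dkim_p_value(pem)}"


def zone_file_record(selector: str, host: str, txt: str, ttl: int = 3600) -> str:
    """BIND-style zone line for the selector record, relative to the zone origin.
    A TXT character-string holds at most 255 bytes, so longer values (any 2048-bit key)
    are written as several quoted strings, which resolvers concatenate."""
    strings = [txt[i:i + 255] for i in range(0, len(txt), 255)]
    return f"{selector}._domainkey.{host}\t{ttl}\tIN\tTXT\t" + " ".join(f'"{s}"' for s in strings)


def parse_dkim_txt(txt: str) -> dict[str, str]:
    """Parse the tag=value list as a verifier would (whitespace inside values is ignored)."""
    tags = {}
    for item in txt.split(";"):
        if item.strip():
            key, _, value = item.partition("=")
            tags[key.strip()] = "".join(value.split())
    return tags


if __name__ == "__main__":
    txt = dkim_txt_value(SAMPLE_PKCS1_PEM)
    print(zone_file_record("default", "listserv", txt))
    print(parse_dkim_txt(txt))
```

Run it against your real public key file instead of SAMPLE_PKCS1_PEM and paste the printed TXT value into the GUI or the zone line into the zone file. Once the zone has propagated, fetch the record from an outside resolver (dig or nslookup, TXT type, at default._domainkey.listserv.example.com) and feed the returned string to parse_dkim_txt: its p value must equal what dkim_p_value produced, otherwise a line break, stray space or misplaced zone suffix crept in and signatures will fail verification.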
12.2.2 Creating a DKIM TXT policy record in DNS
This record is optional. It dates from the original DomainKeys specification, which DKIM (RFC 6376) replaced; DKIM does not define a policy record at _domainkey and DKIM verifiers ignore it, so it is harmless but not required. L-Soft nevertheless recommends creating it while you are creating everything else, for the benefit of any remaining DomainKeys-era software. Again using our “listserv.example.com” example, you will enter the following information:
Host:       _domainkey.listserv
TXT Value:  o=~
TTL:        Your preference, but typically 1 hour
The “Host:” field is slightly different this time. The policy record does not take the selector “default”, so we leave it off. Note that the underscore before “domainkey” is required.
The “TXT Value:” field contains the policy to be applied to DKIM lookups. The value we’ve provided above means that “some” outbound mail from (in the example case) listserv.example.com will be signed; the alternative, “o=-”, would assert that all mail from the domain is signed. “o=~” is the default, and L-Soft’s recommended setting.