EDIT DEC 14, 2022: It seems I might have missed an important piece of understanding about DKIM. I am currently working on this. If you see this message, my new understanding is this:
- DKIM is handled on the email server
- Therefore, if you are not running an email server and are using a third-party ESP, the DKIM private key would need to be hosted / held / executed by them
- As such, if your ESP does not have this, publishing a DKIM public key may in fact **damage** your delivery, as the receiving email server will be looking for a matching private key. This point I am still studying and trying to confirm.
- Therefore, a DKIM-ready ESP could be a big consideration if this matters to you. I feel like if you have a DKIM record set up it should not be detrimental if it’s not being used, but I need someone to confirm this with. For example, does the system recognize that you have a public DKIM record and give you failing grades for not using it? Anyway, stand by for more as I continue my learning. The good news is that the following blog post is correct for setting things up.
As you can read about in my other blog post, I had set up SPF, BIMI and whatever else but didn’t know how to do DKIM, so I quit mid-process. However, my colleague just sent me a message letting me know that an email had bounced and the bounce report showed DKIM might be the cause. I could no longer procrastinate on this task. I hope this journal-style blog post will help you learn a bit about the topic and also get set up. I use Digital Ocean for my hosting, so I’ll provide some setup tips there too.
There are lots of tutorials out there for the various email setup thingies, but there seems to be less out there for DKIM. Probably this is because it requires both a private and a public key and looks longer and more daunting compared to other DNS records…
It doesn’t seem like there are any DKIM generator tools in Digital Ocean, but I did land on this blog which might be a thing if you have time for bedtime reading…
You’d think the DKIM people would have their own tool as well, but thankfully I landed back at this tried-and-true powerhouse of email setup called EasyDMARC.com and this time their DKIM generator. (Oh, and if you’re actually interested in what DKIM is and how it works, check out EasyDMARC’s video.) I also wrongly thought my email provider would have a tool or help, but webnames doesn’t seem to be particularly great here either… anyway, on with the solution:
Generate a DKIM record
So with all my blah-blah behind us, here’s a quick way to actually generate some DKIM stuff and get it working…
- Go to the DKIM generator
- Fill in the three fields required: domain, selector and key length.
The domain is easy.
The selector is, from my understanding, up to you and basically arbitrary (it becomes the label in front of _domainkey in the DNS record name). I just left mine as s1 like the input field’s default prompt said. The key length is for security, which is usually ‘the-more-the-better’, but because I’m just an average guy I’m going to select 2048 bits; maybe do your own research on what’s best here?
- Hit the ‘Generate’ Button.
- With the convenient copy feature, it might be wise to scroll down a bit and save both your private and public keys to a safe place (I use KeepassXC for stuff like this).
- Under ‘Generated results for YOURDOMAIN.com’, you’ll see the stuff you need to paste into your server / hosting area. In my case it’s Digital Ocean (they’ve been good to me so far…), so follow along if you’re with them or adjust for your own setup:
Digital Ocean DKIM setup
In your DO hosting admin area:
- Go to Networking
- Go to Domains tab
- Select the domain you just set up DKIM records for
- Under ‘create new record’ select TXT
- Hostname is where I goofed for a long while. The hostname, assuming you are running on a bare domain, would be s1._domainkey, NOT just the @ sign. In other words, from EasyDMARC you’ll need to copy/paste the front part of the record name, i.e. your selector followed by _domainkey, into the ‘hostname’ field.
- In the VALUE field, use the nice copy button feature from EasyDMARC and paste in the long ugly record.
- Click ‘create record’ button. You should receive the ‘record created successfully’ message.
Test to make sure you pass
Now that you’ve entered a record, it’s wise to check regularly to make sure it’s working. And unless you want to wait a full hour plus propagation time, you might want to do what I did, which was edit the record you just created and change the TTL from 3600 down to 300. Then once everything is confirmed working, you can change it back to 3600.
Now go to the EasyDMARC domain scanner.
Punch in the domain name you just set up DKIM for and hit ‘scan now’. You should promptly see how your DKIM status is doing. Fail? You might just have to wait another 300 seconds based on your TTL above. There might also be propagation time? I’m not too sure about that stuff, but just try to wait out a few hours to make sure all is good. In my case it was starting to show a green light just a couple of minutes after submitting.
Another old tried-and-true website for testing DKIM is MXToolbox. Give this one a shot too and see how you do. For this one you’ll add your ‘selector’, which could be just ‘s1’ if you left the default when you set it up at EasyDMARC.
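If you’d rather check the published record yourself than rely on a web scanner, here is an added example (my addition, not code from the original post or from EasyDMARC) that builds the s1._domainkey name, parses the TXT record the way a verifier does, and reads the RSA key size out of the p= value. It assumes you have already fetched the TXT strings (for instance with dig TXT s1._domainkey.example.com) and pass them in as a list; the key produced by sample_record is a constructed placeholder, not a real key.

```python
import base64
import re

def dkim_name(selector: str, domain: str) -> str:
    """DKIM records live at <selector>._domainkey.<domain>, not at the bare '@' host."""
    return f"{selector}._domainkey.{domain.rstrip('.')}"

def parse_dkim_record(txt_chunks) -> dict:
    """Join the 255-byte TXT strings DNS returns and split the 'tag=value;' list."""
    tags = {}
    for part in "".join(txt_chunks).split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)  # whitespace inside p= is permitted
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":  # both tags optional
        raise ValueError("not a DKIM1 record with an RSA key")
    if "p" not in tags:
        raise ValueError("record has no p= tag")
    return tags

def _der(data: bytes, pos: int = 0):
    """Read one DER TLV at pos; returns (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def rsa_key_bits(p_b64: str) -> int:
    """Modulus size of the SubjectPublicKeyInfo in p=; an empty p= means the key is revoked (0)."""
    if not p_b64:
        return 0
    _, spki, _ = _der(base64.b64decode(p_b64))  # outer SEQUENCE
    _, _, after_alg = _der(spki)                # AlgorithmIdentifier (skipped)
    _, bitstr, _ = _der(spki, after_alg)        # BIT STRING wrapping RSAPublicKey
    _, rsa_key, _ = _der(bitstr[1:])            # drop the unused-bits byte, read the SEQUENCE
    _, modulus, _ = _der(rsa_key)               # INTEGER n (e follows, not needed here)
    return int.from_bytes(modulus, "big").bit_length()

def _tlv(tag: int, body: bytes) -> bytes:
    """DER-encode one TLV; used only to build the constructed sample key below."""
    size = len(body).to_bytes(max(1, (len(body).bit_length() + 7) // 8), "big")  # == [len] if short
    return bytes([tag]) + (size if len(body) < 128 else bytes([0x80 | len(size)]) + size) + body

def sample_record(bits: int) -> str:
    """CONSTRUCTED record around a placeholder modulus, not a real key; it only exercises the parser."""
    n = _tlv(0x02, b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big"))  # leading 0: positive
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))  # rsaEncryption
    key = _tlv(0x30, n + _tlv(0x02, b"\x01\x00\x01"))  # RSAPublicKey {n, e=65537}
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + key))  # SubjectPublicKeyInfo
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

A record longer than 255 bytes comes back from DNS as several quoted strings; pass them all and the parser joins them before splitting tags, so a 2048-bit key that only shows up as 1024 or fails to parse usually means a chunk was dropped or the p= value was pasted incomplete.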
Hope this was helpful.