We’ve developed some resources to help you work effectively from home during COVID-19 Click here to learn more

Order a DKIM key and set up DKIM

In this article

    How to order a DKIM key from SuperOffice, and how to set up DKIM?

    What is the purpose of DKIM record?

    A DKIM record is a type of Domain Name Service (DNS) record that the receiving email servers can if they like, look up your public key and verify that nothing has changed in the email, and confirm that a message came from you.

    Allow this by adding an MX record in your DNS zone (public key signing process), and sign all your emails you send (private key signing process).

    DKIM (Domain Keys Identified Mail) should be considered a method to verify that the messages' content is trustworthy, meaning that they were not changed from the moment the message left the initial mail server. 

    This involves using a private domain key to encrypt your domain's outgoing mail headers, and adding a public version of the key to the domain's DNS records. 

    To add a digital signature to outgoing mail, you generate a domain key that Mailgun uses to create signed mail headers that are unique to your domain. You add the public key to the Domain Name System (DNS) records for your domain. Recipients can then verify the source of a mail message by retrieving your public key and using it to confirm your signature.

    Not all receiving mail servers support the DKIM standard.


    Why is it Important?

    You can help prevent spoofing by adding a digital signature to outgoing message headers using the DKIM standard. 

    This additional layer of trustability is achieved by an implementation of the standard public/private key signing process. The owners of the domain add a DNS entry with the public DKIM key, which will be used by receivers to verify that the message DKIM signature is correct, while on the sender side the server will sign the entitled mail messages with the corresponding private key. Recipient servers can then retrieve the public key to decrypt incoming headers and verify that the message really comes from your domain and hasn't been changed along the way.

    Not all receiving mail servers support the DKIM standard.

    Read more about DKIM in  Mail - Options and security

    How do you set up DKIM Record?

    Overview of steps

    1. Order the public domain key for your domain.
    2. Add the key to your domain's DNS records so recipients can retrieve it for reading the DKIM header.
    3. Tell SuperOffice DKIM is set up - to turn on email signing to begin adding the DKIM header to outgoing mail messages


    Before creating the DKIM record for your domain, it is important to find out what the server address for the mail service to be authorised (which is going to be permitted to send emails on your behalf ).

    In this tutorial, DKIM record will be set up for Google Apps. We will use:

    • MailGun as our mail service (the email service to use to send the email - permitted to send email on behalf of your domain)
       
    • Google G Suite domain email address to "send as" (your ‘domain’ as the sending email - iow. what you see in 'from' address in your mailings and email)

      Note! This Google account's domain is hosted by Enom. Your domain settings and DNS may differ. Please contact your DNS support team for assistance.


    Below you will find the instructions on:

    1. How to order a DKIM key for your domain name

    2. How to open the domain settings for the Google domain

    3. How to add the DKIM record

    4. How to test a new DKIM record

    5. Verify back to SuperOffice

     

    1. How to order a DKIM for your domain name

    To be able to create a DKIM for your domain name, we need to know your domain name.
    To make sure no one else, besides your company orders a DKIM key for your domain name,
    we need to make sure you are the owner of this domain name.

    1. Fill out this form and submit it: DKIM ORDER FORM
    2. We will reply with the DKIM to the submitted email address
    3. You will now need to add this DKIM to your DNS, see next step.

    2. How to open the domain settings for the Google domain 

    1. Log in to Google with your Google Administrators account, and open your Google Admin section:


       
    2. Open Domains.



      Note! The icon for opening Domains may be hidden by default and is then found under More controls.


       
    3. Under Domains, open Add/remove domains


       
    4. Click Advanced DNS settings to see your details.



      Note! This tutorials Google account's domain is hosted by Enom. This can be different for your Google account.
       
    5. Click Sign in to DNS console to open the DNS console window. You may have to sign into this DNS console with a separate DNS account.



     

    3. How to add the DKIM record

    1. Go to Host Records in the DNS console. The existing records for your Google account are there by default.


       
    2. We want to add the DKIM record from mailgun.org. Click Add New to add the new DKIM record. 

      Note! Some DNS servers may require ie. "version of DKIM". Add this by adding "v=DKIM1; " in front of the key:
      Example: "k=rsa; p=XXX..."  -->  "v=DKIM1; k=rsa; p=XXX..."

      Add "Host name" value ("pic._domainkey.[yourdomainName]") you received from us.
      Add "Address" value ("v=DKIM1; k=rsa; p=XXX..") you received from us (see note above)
      Choose "txt" as record type




    3. Click Save to update the information. 

      Note! Once you’ve added the records and they’ve propagated, it can take 24-48 hours for DNS changes to propagate.

    4. How to test a new DKIM record

    Make sure DKIM is propagated. This can take 24 - 48 hours to complete. Use a tool to make sure the DKIM is propagated:

    Via CMD:
    1) Open Windows Command Prompt:
    Press [Win] + [R],
    type: CMD
    click [OK]
    (a command prompt window opens)

    2) Type: nslookup
    Press [Enter]
    3) Type: set type=txt
    Press [Enter]
    4) Type: pic._domainkey.yourdomainName
    Press [Enter]

    If your key is deployed successfully, it should return your key.

    There are several tools online to use - to test your DKIM record.

    In this tutorial, we have used MX Toolbox. "DKIM Record Lookup"

    1. Open the DKIM tool:


       
    2. Add your domain name and "DKIM Selector" you received from us, and click DKIM Lookup
       
    3. The result should show the values of your public DKIM key data:

     

    5. Verify back to SuperOffice

    Once the DKIM DNS record has been propagated and it tests ok in step # 4, SuperOffice needs to be informed,
    so the new DKIM can be activated and used (signing your outgoing emails). Send your confirmatin as an reply to the mail you received in step # 1. This activation may take a couple of days.