Implementing DKIM

MailRoute recommends the use of DKIM, a system designed to detect email spoofing.  DKIM verifies that an email sent from a domain is in fact sent by the owner of that specific domain.  The idea behind DKIM is to stop forged sender addresses in emails otherwise known as phishing or spam.

How it works:

Each email using DKIM contains a digital signature which verifies the signer's public key published in the DNS.  This valid digital signature assures that some parts of the email have not been modified since the signature was affixed.  

If you are having MailRoute signing your outbound mail, you will need all other sites that might be sending mail outbound for you to support DKIM too (Please see below for a list of DKIM supporting sites)


Implementation Steps:

- Get DKIM actively running with all your outbound mail and MailRoute will set up your DKIM keys for your domain  and provide you with DNS changes you will need for MailRoute.  

- You'll need to add a couple DNS entries for your domain. They are in bind format however if you use a different nameserver, you should be able to easily convert these. Note that they key record is long, so to meet DNS requirements, it's broken into separate strings. If your nameserver accepts one long string, you can just concatenate all the strings in the TXT record below.

* Please note: If you have multiple domains, you will need to make these changes for each domain.

- Once all of your outbound mail sites are up and running, you can set DMARC and ADSP records, and then forged mail should be stopped cold.

- We will start off in "testing" mode so we can be sure everything is working just right. Once we know all looks good in a day or two, we can move out of testing mode and you'll see full effect of DKIM.


In addition, you must add DNS entries that inform recipients what to do when something fails a DKIM and/or SPF check.

There are two systems for this - ADSP, which is rather old, and DMARC, which is the latest and greatest. We recommend setting up both.

ADSP is simple. For each domain, add a record like this, changing "" to your own domain:   IN   TXT   "dkim=unknown"

Once we leave testing mode, you will update this record to look like this - this will instruct MailRoute and others to drop mail that is not properly DKIM signed.   IN   TXT   "dkim=all"

DMARC is newer, and more full-featured, but also much more complex - you must set up monitoring addresses to properly manage feedback from recipients. We recommend for dmarc-related services. They have information for building proper DMARC records, and can provide a service to parse and manage feedback reports.

If you support only ADSP, you'll enable the forgery protection at MailRoute. Setting up DMARC will help outside people know if email from your domain is potentially forged.



If you're using other services that may send email on your behalf, be sure to check out their own DKIM implementations. Here is a list of some DKIM supporting sites:

Zendesk supports DKIM signing of outbound mail:

So does Office365:

Google Apps - G Suite:
Amazon Web Services:
Host Gator:
Mail Chimp:
Have more questions? Submit a request


Please sign in to leave a comment.