The instructions in this article are directed to customers using the following Valimail products: Enforce, Align, Essentials, DMARC Core, and DMARC Pro.
DKIM (DomainKeys Identified Mail) is an email authentication protocol that helps verify that an email was sent by an authorized sender and that its contents were not modified after it was sent. DKIM is used alongside SPF to support DMARC and improve protection against spoofing and phishing.
To enable DKIM, your email service provider will generate one or more DNS records that must be published for your domain. These records may be provided as TXT records or CNAME records, depending on the sender's implementation. This article explains how to publish those DKIM records in Valimail Enforce.
To manage your DKIM records through Valimail Enforce, you'll first need to configure your DNS to allow Valimail to manage DKIM on your behalf. Follow the instructions from this article to point your domain's DKIM record to Valimail.
Publishing a DKIM record in Enforce
1. Log in to your Valimail account.
2. Click on DOMAINS in the side menu.
3. Click on the domain name from the list.
4. Click on the +DKIM key button.
Complete the form with the required information. Expand each section below for additional guidance and field-specific details.
1. Selector
1. Selector
The DKIM selector is the portion of the DKIM DNS record that appears before ._domainkey. For example, if your email provider instructs you to create a record named: google._domainkey.example.com
The selector is google
Your email service provider will supply the selector as part of their DKIM configuration instructions. If multiple DKIM records are provided, each record may have a different selector.
2. Associated Service
2. Associated Service
Select the sending service that uses this DKIM record from the Associated Service drop-down list. This association helps you easily identify and manage your DKIM records, but also improves email classification in the Authentication Reports.
This step is optional. If the DKIM record is used by an internal email application or a sender that is not listed, you can leave the Associated Service field set to Unassigned.
3. Record Type
3. Record Type
Select the record type specified by your email service provider: TXT or CNAME. The correct record type must match the DKIM record provided by the sender. You can identify the record type by the value provided:
TXT record example
Host/Name: selector1._domainkey.example.com
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA...
TXT records contain the DKIM public key directly and typically begin with v=DKIM1.
CNAME record example
Host/Name: selector1._domainkey.example.com
Value: selector1-example._domainkey.onmicrosoft.com
CNAME records point to another hostname and typically contain a domain name rather than a long string beginning with v=DKIM1.
4. Public Key / CNAME Target
4. Public Key / CNAME Target
Enter the value provided by your email service provider. For TXT records, enter the Public Key. For CNAME records, enter the CNAME Target.
The value you enter should match the information supplied by the sender exactly. Refer to the examples in Step 3 to help identify whether the value is a DKIM public key (TXT) or a target hostname (CNAME).
5. Domain Owner Email and Sender Owner Email (OPTIONAL)
5. Domain Owner Email and Sender Owner Email (OPTIONAL)
These fields are available only in the Enterprise tier of Enforce.
Optionally, you can provide the name or email address of the Domain Owner and Service Owner. This information is stored as metadata and can help your team identify who is responsible for the domain and the associated sending service.
Maintaining this information can make it easier to manage DKIM records over time, especially when troubleshooting issues, reviewing configurations, or transitioning responsibilities to other team members.
6. Comment (OPTIONAL)
6. Comment (OPTIONAL)
You can use the Comment field to add any relevant notes about the DKIM record, such as its purpose, special configuration details, ticket references, or other information that may be helpful for future administration.
Maintaining this information can make it easier to manage DKIM records over time, especially when troubleshooting issues, reviewing configurations, or transitioning responsibilities to other team members.
7. Advanced Options
7. Advanced Options
The Advanced Options section contains additional settings that are only applicable to certain DKIM configurations.
For TXT records that include the t=s tag, you can enable Only allow exact domain signing. This setting indicates that the DKIM key is restricted to signing messages for the exact domain specified in the record and should not be used for subdomains. In most cases, Valimail will automatically detect this restriction from the DKIM record value.
Do not enable Only allow exact domain signing if the TXT record does not contain the t=s tag in the value.
Examples of DKIM records published in Enforce
TXT record example
Host/Name: google._domainkey.example.com
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0dlF4TlMmgziFR353JmENl6iDVjCKeRu4Lbhq5N0vxSYcHr95msOImPHsvEujdrLqkOC4UnBVcSdmGefxZ5iIvLAi0ZTT8S/5Ee6MZmw5lA6JonDtiILun3hGepxCUfVyTmgwx8HgcizmDp5lazQ8iv+B2eiOmO6KdIqKtUQkH34cVOudw7yvmEQTEs5+i+aCpK4HDgBvae+PiVgvcGLJlBvqua0lGhRHIyD5sRG+dqqJrxpGzDyPpbl3OK1ZAj2GIteyv11jnVSNXph/GzoO9r8r8MeOxiKdHZgryFoJ+vBus91G+1slqK399UlaTmNfVBf8PwTJO/f3YeLle6uRwIDAQAB
Associated Service: Google Workspace
CNAME record example
Host/Name: selector1._domainkey.example.com
Value: selector1-example-com._domainkey.netorgft20184589.w-v1.dkim.mail.microsoft
Associated Service: Microsoft Office 365
Need help? If you have questions about publishing DKIM records or encounter any issues during setup, contact Valimail Support at [email protected].