The features and instructions below are available only in the Valimail Enforce and Align products.



DKIM is an internet standard that is one of the two ways you can authenticate emails for DMARC. It can be used to prove not only that an email is from who it says it is from but also that the email has not been modified in transit.


There are two types of DKIM keys: TXT and CNAME records. The service that will generate the DKIM keys will specify what type of record the key will be. 


Sample TXT DKIM key:


Record Name: abc._domainkey.yourdomain.com

  • The part in front of ._domainkey is the SELECTOR 

  • After ._domainkey you have the domain or subdomain that owns the record. 

Record Type: TXT

Record Value: "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8XzjQk7VuhGE+u6hGVVgJ75C4heUBOVJ/EW+KYjVut36h0NnGWxwLi+G6Twm1jpKnUuyTM4/cvPh1POJt8feYLRkbBRBEsgDgP5gnkNWpK1REp730dDYYEZyF6rwPEAJulx3yEONh81xsi6bWP4RcSl+enVEIKEPK93syZ2ZPrQIDAQAB"


Sample CNAME DKIM key:


Record Name: abc._domainkey.yourdomain.com

  • The part in front of ._domainkey is the SELECTOR 

  • After ._domainkey you have the domain or subdomain that owns the record. 

Record Type: CNAME

Record Value: selector2-yourdomain._domainkey.thirdpartyserver.com 

(The only difference between a CNAME record type DKIM key is the Record value)


The record value of a CNAME type DKIM key will point to a 3rd party server (Microsoft, Google, Mailchimp), which is the one that will respond with a TXT value for the key.




Add a DKIM key in Enforce/Align


1. Go to your domain's Configuration page in Valimail Enforce/Align and publish the newly created DKIM key/s.


2. Click on the + DKIM Key link.




a. If the DKIM key is a TXT key:

Enter the selector name, the DKIM TXT value (the actual value is the entire string after the p= tag), associate the key with it's proper service and then click Add DKIM Key.


b. If the DKIM key is a CNAME key:

Enter the selector name, CNAME target value, associate the key/s with the proper sending service and then click Add DKIM Key.




Advanced Options


  • Only allow exact domain signing (t=s): this ensures that the DKIM signature is only valid for emails sent from the exact domain specified in the DKIM record. This helps prevent unauthorized third parties from sending emails with a forged or spoofed sender domain. If the vendor issued the DKIM key with the t=s tag, then the Only allow exact domain signing (t=s) box under Advanced Options must be also checked before publishing the key - otherwise the key cannot be verified/enabled on the vendor's end.