Many of our customers have hosted DNS, that is, the domain registrar from which they have purchased their corporate domain(s) also hosts their DNS zones, and these customers typically edit their zone file via a web-based GUI.  In that case, for this and for each of the following examples, simply enter the appropriate information in the GUI and follow the registrar’s instructions to save and propagate it.

Other customers (generally large corporations or academic institutions) are more likely to run their own DNS servers, and will have to edit the appropriate zone file in the usual way.  

In either case, this section is intended only to provide examples of the information you will need to create your DKIM records, and general DNS advice applicable to both cases above.  Editing zone files is beyond the scope of this document: customers in the first case, above, should consult their registrar’s or DNS hosting provider’s support for assistance, whereas customers in the second case are urged to consult the DNS/BIND documentation for their particular implementation of DNS for guidance.

Important: Please be aware that the examples provided below are not intended to be used “as-is”; you must substitute the correct information for your site or DKIM will not work.  In particular, please note that the public and private keys in these examples are purposefully invalid and cannot be used to create live DKIM records.

12.2.1 Creating a DKIM TXT selector record in DNS


Creating a DKIM TXT record can be done in various ways.  If you run your own DNS, simply edit your forward zone file to include a TXT record.  We will assume for this exercise that the LISTSERV host name is “listserv.example.com”.  You will need to enter the following information:

Host:

default._domainkey.listserv

TXT Value:

v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcARWuStG7G33L+M5jqjiCbhfKBlgxIMC8Of5ODONOTUSETHISKEYITISANEXAMPLEONLY91O1RigBB/C+UXzPO+N1+hZ55ZXS8MPGPgaV9VM1EysEdyfm2Y/rn935GGJwtm67fz+6dyKkCAzLsMjR5DvcxxlMzf6Gs9TrX7PBNwIDAQAB

TTL:

Your preference, but typically 1 hour


Notes:

    1. When creating a new record in a DNS zone file, the host (owner) name is normally written relative to the zone’s origin and is not fully-qualified.  If you are editing the zone file for the example.com zone, enter default._domainkey.listserv rather than the fully-qualified name.  Most DNS servers only accept a fully-qualified name if it ends with a trailing dot (default._domainkey.listserv.example.com.); without the dot the zone origin is appended again and the record is created at the wrong name.  Be sure to check the documentation for whatever DNS you are running if this is unclear.
    2. We are assuming a DKIM selector value of “default”.  For the purposes of DKIM verification, external sites always look up a TXT record named “selector”._domainkey.“domain”, where “domain” is the signing domain carried in the d= tag of the DKIM-Signature header (here, the LISTSERV host name) and “selector” is the s= tag of that header.  In our example, external sites would be looking for the TXT record belonging to default._domainkey.listserv.example.com .  Note that the underscore before “domainkey” is required.
    3. The TXT value must be entered as one continuous line of text; if it appears wrapped in this document or in your editor, do not insert line breaks or spaces.  The value of “p=” is the base64 text of the public key from between the lines

      -----BEGIN RSA PUBLIC KEY-----

and 

      -----END RSA PUBLIC KEY-----

with the line breaks between them removed.  The banner lines themselves are not part of the public key and must not be included.  One further point: a single TXT character-string holds at most 255 octets.  The 1024-bit example above fits in one string, but a longer key (for instance 2048 bits) must be entered as several consecutive quoted strings in the zone file (or as your registrar’s GUI directs); verifiers join the strings together with nothing in between.

    4. If your key file has banners reading "BEGIN PUBLIC KEY" and "END PUBLIC KEY", you have generated PKCS#8 keys and must start over and generate PKCS#1 keys as explained in the preceding chapter.
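The following Python script is an added example for this section; it is not part of the L-Soft documentation or of LISTSERV, and it uses only the standard library.  It performs the steps the notes above describe by hand: it strips the PEM banners and joins the base64 into one line, decodes the p= value far enough to report the key’s encoding, modulus size and exponent (so a mistyped or truncated value is caught before it is published), composes the v=DKIM1 TXT value, renders a zone-file line that splits values longer than 255 octets into several quoted strings, and parses a record back the way a verifier does.  The selector and host names are those used in this chapter; the embedded PEM block is a constructed input that wraps the chapter’s deliberately invalid example key in the banner the notes describe.  Decoding that value shows that it carries a SubjectPublicKeyInfo structure (the form OpenSSL writes under a BEGIN PUBLIC KEY banner), which is what deployed DKIM verifiers expect; the script also recognises the bare RSAPublicKey (PKCS#1) form, so you can tell which one your own key file produced.

```python
"""Assemble and sanity-check a DKIM selector TXT record from a PEM public key.

Added example for this chapter (not LISTSERV code); standard library only.
The host and selector names are the ones used in the text above.
"""
import base64
import re

# Constructed sample: the chapter's deliberately invalid example key, wrapped in
# the banner described in the notes above.  It decodes, but it is not a real key.
EXAMPLE_PEM = """-----BEGIN RSA PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ
KBgQDcARWuStG7G33L+M5jqjiCbhfKBlgxIMC8Of5ODONOTUSE
THISKEYITISANEXAMPLEONLY91O1RigBB/C+UXzPO+N1+hZ55Z
XS8MPGPgaV9VM1EysEdyfm2Y/rn935GGJwtm67fz+6dyKkCAzL
sMjR5DvcxxlMzf6Gs9TrX7PBNwIDAQAB
-----END RSA PUBLIC KEY-----"""


def pem_body(pem):
    """Return (banner label, base64 body joined into one line) from a PEM block."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM BEGIN/END banners found")
    return m.group(1), "".join(m.group(2).split())


def der_tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the data")
    return tag, pos, pos + length


def inspect_rsa_key(b64):
    """Decode a p= value and report its encoding, modulus size and public exponent."""
    der = base64.b64decode(b64, validate=True)
    tag, start, end = der_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("outer element is not a SEQUENCE spanning the whole key")
    inner_tag, _, inner_end = der_tlv(der, start)
    if inner_tag == 0x30:             # AlgorithmIdentifier first: SubjectPublicKeyInfo
        encoding = "SubjectPublicKeyInfo"
        bs_tag, bs_start, _ = der_tlv(der, inner_end)
        if bs_tag != 0x03 or der[bs_start] != 0:
            raise ValueError("expected a BIT STRING with no unused bits")
        _, start, _ = der_tlv(der, bs_start + 1)   # the embedded RSAPublicKey SEQUENCE
    elif inner_tag == 0x02:           # INTEGER first: bare PKCS#1 RSAPublicKey
        encoding = "RSAPublicKey (PKCS#1)"
    else:
        raise ValueError("unrecognised public key structure")
    t_n, n0, n1 = der_tlv(der, start)
    t_e, e0, e1 = der_tlv(der, n1)
    if t_n != 0x02 or t_e != 0x02:
        raise ValueError("modulus and exponent must be INTEGERs")
    modulus = int.from_bytes(der[n0:n1], "big")
    exponent = int.from_bytes(der[e0:e1], "big")
    return {"encoding": encoding, "bits": modulus.bit_length(), "exponent": exponent}


def rsapublickey_b64(spki_b64):
    """Strip the SubjectPublicKeyInfo wrapper and return the bare RSAPublicKey, base64."""
    der = base64.b64decode(spki_b64, validate=True)
    _, start, _ = der_tlv(der, 0)
    _, _, alg_end = der_tlv(der, start)
    _, bs_start, _ = der_tlv(der, alg_end)
    return base64.b64encode(der[bs_start + 1:]).decode()


def build_dkim_record(pem):
    """Compose the TXT value v=DKIM1;k=rsa;p=<base64>, refusing keys that do not decode."""
    _, body = pem_body(pem)
    inspect_rsa_key(body)
    return "v=DKIM1;k=rsa;p=" + body


def zone_file_line(host, value, ttl=3600):
    """Render a zone-file TXT RR.  Each quoted character-string holds at most 255 octets,
    so longer values (e.g. a 2048-bit key) are split; verifiers concatenate the strings."""
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)]
    return "%s\t%d\tIN\tTXT\t%s" % (host, ttl, " ".join('"%s"' % c for c in chunks))


def parse_dkim_record(txt_strings):
    """Concatenate the TXT strings and split tag=value pairs the way a verifier does."""
    tags = {}
    for field in "".join(txt_strings).split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            tags[k.strip()] = "".join(v.split())   # folding whitespace inside a value is ignored
    return tags


if __name__ == "__main__":
    record = build_dkim_record(EXAMPLE_PEM)
    print(zone_file_line("default._domainkey.listserv", record))
    print(inspect_rsa_key(parse_dkim_record([record])["p"]))
```

Run as-is, the script prints the zone-file line for the example (one quoted string, since the 1024-bit value is 232 characters) and reports a 1024-bit SubjectPublicKeyInfo key with exponent 65537.  Feed it a 2048-bit key and the TXT RDATA comes out as two quoted strings, which is the form to paste into a zone file; a registrar GUI that accepts only one string per record will need the same split entered by hand.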

12.2.2 Creating a DKIM TXT policy record in DNS


Note: The policy record is an artefact of the original Yahoo! DomainKeys implementation and is no longer required in any way by the current RFC 6376 "DomainKeys Identified Mail (DKIM) Signatures" standard.  You may freely ignore this section, but it remains for historical purposes.


Again using our “listserv.example.com” example, you will enter the following information:

Host:

_domainkey.listserv

TXT Value:

o=~

TTL:

Your preference, but typically 1 hour


The “Host:” field is slightly different this time.  The policy record does not require the selector “default”, so we leave it off.  Note that the underscore before “domainkey” is required.

The “TXT Value:” field contains the policy to be applied to DKIM lookups.  The value we’ve provided above means that “some” outbound mail from (in the example case) listserv.example.com will be signed with DKIM (“o=-” would assert that all of it is signed).  This is the default, and L-Soft’s recommended setting.  Current DKIM verifiers do not consult this record at all; a domain’s policy for mail that is unsigned or fails verification is published through DMARC instead.