ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Configuring DKIM signing for outbound mail


Article ID: 171225


Updated On:




What is DKIM?

DomainKeys Identified Mail, or DKIM, is a technical standard (RFC 6376) that helps to protect
email senders and recipients from spam, spoofing, and phishing. DKIM is a form of email
authentication that allows an organization to claim responsibility for a message in a way that
recipients can validate. DKIM uses public key cryptography to verify that an email message
was sent from an authorized mail server. It works by adding a digital signature to the headers
of an email message. Recipients can then validate that signature against a public cryptographic
key in the sending organization’s DNS records.


Configuration of DKIM signing for outbound email

You use the controls on the Outbound DKIM Signing Settings page to search for your registered domains and add new selectors to them. You also use these controls to change (or rotate) active selectors, and test that you have correctly entered DKIM signatures in your public DNS records.

Requirements for configuration of DKIM signing:

■ ClientNet administrators must have both View Config and Edit Config roles for all services.
■ Domains must be registered in ClientNet. Outbound IP addresses must be registered in ClientNet. For hosted providers, SPF checks must pass.
■ For DKIM selector names, only alphanumeric characters (a-z and 0-9) are supported.
■ You must add at least one selector before DKIM can be enabled for a domain.

Step 1: Add a selector to a domain

  • On the Outbound DKIM Signing Settings page, locate the domain to which you want to add the selector. Enter the domain name in the Search box, or scroll through the domains with the Previous Page/Next Page arrows.
  • Click the domain name to select it. A new dialog box with the domain name at the top appears.
  • Click Add New, and ensure that the radio button to the left of the new selector item is selected
  • Enter a name for the selector (alphanumeric characters only). Symantec recommend usage of the date in the selector name to make it easier to rotate selectors in the future.
  • Select a key length from the DKIM Key Length drop-down list. The longer the key, the more secure it is--select the longest key that your DNS provider supports.
  • The two DNS TXT record fields are automatically populated. Click Save to save the values, but do not close the dialog. The dialog must stay open so that you can copy these values into your public DNS record in the next step.

Step 2: Update the public DNS record

  • With the domain name dialog box still open, navigate to the public DNS TXT record for the domain.
  • Click the Copy to Clipboard icon to the right of the Host Name field. Follow your DNS provider's instructions to paste the value to the relevant field in your DNS record.
  • Click the Copy to Clipboard icon to the right of the TXT value field. Follow your DNS provider's instructions to paste the value to the relevant field in your DNS record.
  • Click Close to close the domain name dialog box.
    • Note: It can take up to 72 hours for a DNS record change to propagate throughout the Internet. Propagation must be complete before DKIM can be enabled for this domain.

Step 3: Verify propagation and then enable DKIM for the domain

  • To be certain that the updated DNS record has propagated, on the main Outbound DKIM Signing Settings page, click the domain name. The domain name dialog box appears.
  • Ensure that you have selected the appropriate selector. Then click Test to perform a DNS lookup to check whether the DNS TXT record matches the active selector in the portal.
  • If the test succeeds, then close the domain name dialog box to return to the DKIM Signing Settings page. Use the slider in the DKIM Enable column to enable DKIM for that domain.

Further Troubleshooting:
■ Have you waited 72 hours for your new record to propagate?
■ Can you find your DNS record with a DNS lookup tool, and does it appear to be correct?
■ Does the record you found with the lookup tool match what is displayed in the portal?
■ Ensure that semi colons (;) are used to separate the different tags (v; k; t; and p;) in the TXT record.
■ Verify that there are no spaces between the characters in the P= string.