DKIM is a way of 'signing' emails to prove they came from you. It is a form of email authentication that works via a digital signature and makes it easier to identify spoofed emails. The sending mail server signs the email with the private key, and the receiving mail server uses the public key in the domain's DNS information to verify the signature. One domain can have several DKIM keys publicly listed in DNS, but each matching private key is only on one mail server.
Example of a DKIM record
If you're using regular DreamHost-hosted mail service, all the pieces used by DKIM are already in place. DreamHost automatically makes the DKIM DNS record for all domains and subdomains that use DreamHost email, and you can view it on the panel's Manage Domains page. Click the link under your domain to list your DNS records.
The DreamHost mail server DKIM records will look like these, both identifiable by_domainkey in the record and type TXT:
k=rsa; t=y; p=GIMfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCfVzZoj6YZph/1oTroL1NhkfHmMgZy uUyNBRVVPkXzQaeZMHMC+S+KxVP7TUPPQYZ6CKSELzqDwjv9jz10u3zx1eB+Bmqc8cYA2oxZdda3EaJ/LEYtI A1auXxHzY2qaElIToSLrV97il19F3m4p6V5M6Yho9zxfIfrlTHSECLsrQIDAQBA
When you send emails through the mail server, they will be automatically signed. Most emails are sent through the mail server; webmail, mail client programs – anything that uses SMTP to send emails sends them through the mail server.
What if my nameservers aren't hosted at DreamHost?
If you're using DreamHost-hosted mail service, but not DreamHost's nameservers, you'll need to take the DKIM DNS records from the DreamHost panel and enter them into the system where your domain's DNS is actually managed.
What if my email isn’t hosted at DreamHost?
If you're using another mail provider for your domain's mail service, that mail provider may offer DKIM signing. If you send email through other mail servers, such as a mass-mailing service, those servers may provide DKIM signing too. Contact them to see if they offer DKIM and if they can provide the DNS entries to you.
The following links to DKIM information customers often use:
Be careful when copying and pasting the DNS records into the panel, and make sure that there are no spaces in the key itself. Even though the DNS records will be accepted in the DreamHost panel, your emails will fail the DKIM check if the key contains spaces.
Multiple DKIM records
A domain can have as many DKIM public keys as servers that send and sign mail.
There are two types of DKIM DNS records:
- The policy record contains information about the DKIM signing policy and the email address of the postmaster. There should only ever be one of these.
- The DKIM DNS record with the long string of gibberish is the public signing key. A domain can have many of these as it has servers with private keys that sign emails. Each of these should have a selector that uniquely identifies it. If there is just one, it may have no selector at all, just "_domainkey". Additional ones would use selectors to keep them all separated, for example, "list._domainkey" and "bananas._domainkey".
Selectors are how receiving servers know which public key to use for an email and which corresponding private key was used to sign the email. More information about selectors and DKIM DNS records can be found on the following pages:
Using DKIM with sendmail and PHP Mail
Automatic DreamHost DKIM settings are not enabled if you're using Sendmail or PHP Mail to send email. This means that if you use a WordPress newsletter plugin that sends email via sendmail or PHP Mail, you have two options to use DKIM records:
- Configure WordPress to use SMTP when sending email. Some newsletter and contact form plugins have SMTP built-in, or there are plugins that add SMTP support to WordPress.
- Manually install and configure DKIM. You can install it yourself on your Dedicated Server with an admin user or DreamCompute. Please note that DreamHost cannot provide any support regarding manually-installed DKIM software.