DomainKeys is an email authentication protocol developed by Yahoo in an attempt to stop the abuse of identity by spammers and phishers.
Published Standard: RFC 4870
This standard was superseded by DKIM - RFC 4871
- Even though this standard is superseded, many mail servers (old and new) still use it, and it should still be implemented if you have the option.
How Do Domain Keys Work?
In simple terms, the domain owner generates a public and private key for signing all outgoing emails.
The public key is then published to DNS as a TXT record under <selector>._domainkey.domainname.com. You can name the selector anything you want. We called ours "secure".
In our record above you can see our public key, which starts with "p=". The "k=" refers to the key type (the signing algorithm).
Your DomainKeys-enabled email software uses the stored private key to generate a digital signature that is embedded in the headers of your email.
The receiving email server locates the digital signature, then looks up the public key in DNS, as shown in the image above, to verify that the digital signature was generated by the private key. If it matches, the email is authenticated, and as long as it doesn't trigger any other spam filter test, it's delivered to the recipient's inbox.
What is a Domain Policy Record?
When you use DomainKeys you can publish policy statements in DNS that help email receivers understand how they should treat your email.
There are three main statements that can be published:
- "t=y" - Your DomainKeys are in test mode.
- "o=-" - All email from your domain is digitally signed.
- "o=~" - Some email from your domain is digitally signed.
- "n=*" - n stands for notes. Replace the * symbol with any note you like.
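An added example (not from the original page or from any mail server's code) that checks the two kinds of TXT record described above: the selector record carrying "k=" and "p=", and the policy record carrying "t=", "o=" and "n=". The sample records and function names are constructed for illustration, and treating a missing "k=" as rsa is an assumption of the example.

```python
import base64
import binascii

# Constructed sample records (not real keys), in the tag=value form described above.
SAMPLE_KEY_RECORD = "k=rsa; p=" + base64.b64encode(b"constructed-sample-key-bytes").decode()
SAMPLE_POLICY_RECORD = "t=y; o=~; n=constructed sample note"

def selector_hostname(selector, domain):
    """Hostname under which the public key TXT record is published."""
    return f"{selector}._domainkey.{domain.rstrip('.')}"

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT string into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue  # skip empty or malformed segments
        name, value = part.split("=", 1)  # base64 padding '=' stays in the value
        tags[name.strip()] = value.strip()
    return tags

def check_key_record(txt):
    """Return a list of problems found in a selector (public key) record."""
    tags = parse_tags(txt)
    problems = []
    # Assumption of this example: only RSA keys are expected, and a missing k= means rsa.
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unexpected key type k={tags['k']}")
    key = "".join(tags.get("p", "").split())  # DNS tools may wrap long values
    if not key:
        problems.append("p= missing or empty: no usable public key")
    else:
        try:
            base64.b64decode(key, validate=True)
        except (binascii.Error, ValueError):
            problems.append("p= is not valid base64")
    return problems

def describe_policy(txt):
    """Interpret the t=, o= and n= policy statements listed above."""
    tags = parse_tags(txt)
    signing = {"-": "all email is signed", "~": "some email is signed"}
    return {
        "testing": tags.get("t") == "y",
        "signing": signing.get(tags.get("o"), "not stated"),
        "note": tags.get("n", ""),
    }
```

Running the checks on a record copied from your DNS host before you switch on signing catches a truncated or mis-pasted "p=" value, which would otherwise show up only as failed verification at the receiver.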
How Do I Set Mine Up?
Most modern email software has this functionality built in, but you have to do the legwork to enable it and set it up in DNS as described above.
If your email software doesn't have this functionality it's time to look for a new one.
Some email software requires you to generate the RSA keys separately, then add the private key to the software and the public key to your DNS records. To generate your DKIM private/public keys you can use our wizard here: DKIM Wizard
Once everything is set up, you can send an email to "firstname.lastname@example.org" and it will return the results, letting you know the status of SPF, Domain Keys, DKIM, Sender ID, and Spam Assassin checks.
If the results say PASS for the first four categories you're on your way to Unlocking The Inbox.
How Do I Look Up My Domain Key Records?
You can verify the existence of your records by using our lookup tool. You must type in the full hostname in order to retrieve the TXT records you are looking for, just like what is shown in the images above. To access our tool click here: Unlock The Inbox TXT Record Lookup Tool