• Contact Us
  • Pricing
  • Search
  • Register
  • Login
  • DNS Tools
    • MX Records
    • A Records
    • CNAME Record
    • PTR Record
    • SPF/TXT Records
    • NS Records
  • Domain Tools
    • ARIN Records
    • WHOIS Records
  • Blacklists
    • Blacklist Checker
    • Whitelist Checker
    • Email Blacklist Removal Tool
  • Email Tools
  • Port Scans
  • Other Tools
    • IP Tools
      • IP Address Converter
      • IP Address Locator
      • IP Range To CIDR
    • Chrome Extension - Email Deliverability Checker
  • Blog
    • First Time Sender
      • Email Certification
      • Email Throttling
      • IP Warming
    • Formatting Emails
      • For Browsers
      • For Devices
      • For Email Clients
    • How To Avoid
    • How To Set Up
    • Mail Tester Guide
      • Email Headers Explained
      • MX Records, PTR Records, and Reverse PTR Records AKA rDNS
      • RFC Syntax Checking
      • Email Port Checks
      • SPF Record and Alignment
      • DKIM Signatures and Alignment
      • DMARC Checker
      • Mail Tester Test Tool
    • Measuring Peformance
      • Bounces
      • Clickthrough Rates
      • Open Rates
    • Related Resources
      • Abuse Contacts
      • Common Ports
      • DMARC and the Contact Us Form
      • Email Identifier
      • Email Headers
      • Email Statistics
      • How Email Works
      • How to Treat Spammers
      • Securing Your Server
    • Rules to Follow
      • Can Spam Act
      • Postmaster Guidelines
  • Member Services
    • Members Area
    • Blacklist Monitoring
    • Complete Monitoring Solution
    • Domain Name Monitoring
    • Feedback Loop Submissions
    • Full Port Scan Monitoring
    • Mail Tester Pro Tool
    • Mail Miner
    • Spam Detector Toolbox
    • Trusted Sender Site Seal


DomainKeys is an email authentication protocol developed by Yahoo in attempts to stop the abuse of identity by spammers and phishers.

Published Standard: RFC 4870

This standard is was superseded by DKIM - RFC 4871 - Eventhough this standard is superseded many mail servers (old and new) still use this standard and it should still be implemented, if you have the option.

How do DomainKeys work?

In simple terms, the domain owner generates a public and private key for signing all outgoing emails. The public key is then published to DNS as a TXT record under <selector>._domainkey.domainname.com. You can name the selector anything you want. We called ours "secure".


In our record above you can see our public key which starts with "p=". The "k=" refers to the encryption method. Your DomainKey enabled email software uses the stored private key to generate a digitial signature that is embedded in the headers of your email.

The receiving email server, locates the digital signature, then looks up the public key in DNS, as shown in the image above, to verify the digital signature was generated by the private key. If it matches, the email is then authenticated and as long as it doesn’t trigger any other spam filter test, it’s delivered to the recipient's inbox.

What is a DomainKeys Policy Record?

When you use DomainKeys you can publish policy statements in DNS that help email receivers understand how they should treat your email. There are three main statements that can be published:
  • "t=y" - Which means that your email DomainKeys are in test mode.
  • "o=-" - All email from your domain is digitally signed.
  • "o=~" - Some email from your domain is digitally signed.
  • "n=*" - n stands for notes. Replace the * symbol, with any note you like
Policy Domain Key

DomainKeys, How do I set mine up?

Most modern email software have this functionality built in but you have to do the legwork to enable it and set it up in DNS as described above. If your email software doesn’t have this functionality, it’s time to look for a new one.

Some email software requires you to generate the RSA Keys seperately and add the private key to itself and the public key to your DNS records. In order to generate your DKIM Private/Public keys you can use our wizard here: DKIM Wizard

Once everything is set up, you can send an email to "mailtest@unlocktheinbox.com" and it will return the results letting you know the status of SPF, Domain Keys, DKIM, Sender ID, and Spam Assassin checks. If the results say PASS for the first four categories you're on your way to Unlocking The Inbox.

How do I look up my domainkeys records?

You can verify the existence of your records by using our lookup tool. You must type in the full hostname in order to retrieve the TXT records you are looking for just like what is shown in the images above. To access our tool click here: Unlock The Inbox TXT Record Lookup Tool

Source: Unlock The Inbox
Copyright © 2020 Unlock The Inbox
Privacy Policy and Terms and Conditions