Using DomainKeys and DKIM Selector


What is DomainKeys/DKIM Selector

To support multiple concurrent public keys per sending domain, the DNS namespace is further subdivided with "selectors". Selectors are arbitrary names below the "_domainkey." namespace. For example, selectors may indicate the names of your server locations (e.g., "mta1", "mta2", and "mta2"), the signing date (e.g., "january2005", "february2005", etc.), or even the individual user.

The most important thing is: selector indicates your DomainKeys/DKIM public key location. For example: if your domain selector is: "s1024", your public key record will be "s1024._domainkey.yourdomain"; if your domain selector is: "mta1", your public key record will be "mta1._domainkey.yourdomain".

DKIM Selector

Selector Usage

If you have only one server and you only set the DKIM/DomainKeys on this server, you can give your selector any name. For example: your domain name is: "emailarchitect.net" and your selector is: "s1024", you should deploy your public key to "s1024._domainkey.emailarchitect.net". After the receiver received your email, the receiver can query the public key from "s1024._domainkey.emailarchitect.net" to verify your DomainKeys/DKIM signature. If you have only one server, you can skip the following sections and go to Sender Rule section directly.


Using a single selector with the same domain on multiple servers

single DKIM selector on multiple servers

If all of your servers are running with EA DomainKeys, you should deploy the DKIM as follows:

Now, all of your servers have the same configuration (private/public key pair) for your domain.

Since you use the same configuration file ([domain].json) for the same domain on multiple servers, after you deployed the public key to "selector._domainkey.yourdomain", every email from your servers can be verified by the public key.


Using multiple selectors with the same domain on multiple servers

multiple DKIM selectors on multiple servers

If you don't want to copy the configuration files to all servers or you have another server signing the DomainKeys/DKIM with the key pair/private key not supported by EA DomainKeys, you can use different selector for different server.

For example, there have two server named “server1” and “server2”. On the first server (server1), " svr1" is used as the selector. On the second serve (server2), "svr2" is used as the selector. The two servers use different key pairs (private key).

This is how “selector” provide a solution for using different key-pair/certificates with the same domain on multiple servers.

This solution doesn't require you to copy the certificate to all servers, nor it require all of your servers to run EA DomainKeys. You just need to create different selector for different servers, and deploy multiple public key based on selector.

Import/Export Private Key in Pkcs8 format

Most DKIM signers use plain text private key in PKCS8 format. To synchronize the private key in different software/signer, you can import or export pkcs8 private key in DKIM manager -> your domain - > Private Key Management.

See Also

Deploy Public Key in DNS server
Test DomainKeys/DKIM Signature
Using Sender Rule
Server Core and Installer Command Arguments
Appendix - Set up SPF record in DNS server
Appendix - Set up DMARC record
Appendix - DKIM/SPF/DMARC Inbound Authentication in Exchange Server
Appendix - Use DkimPowerShell Module in PowerShell

Online

DKIM in IIS SMTP Service - Tutorial
DKIM in Exchange Server 2003 - Tutorial
DKIM in Exchange Server 2007/2010/2013/2016/2019 - Tutorial

DKIM/SPF/DMARC Inbound Authentication in Exchange Server
Bulk Email Sender Guidelines