My webserver is hosted on Amazon EC2, on the free tier, on say example.com. As I'm only using a single Elastic IP address, and I don't want to pay for another, I thought about setting up Postfix on my webserver rather than setting it up on mail.example.com (which is probably a better idea).
Most documents talk about adding these records to a subdomain, but can I put them on my main domain as well (i.e. example.com)? I currently set my SPF as a TXT record on my main domain and it passes SPF checks. Can I do the same for DKIM?
I just generated a key on https://www.unlocktheinbox.com/dkimwizard/ and it shows the private and public key, and below selector record and policy record.
While I understand where I need to put my private key (Postfix) and public key (in the DNS TXT/MX record), I'm not sure where I should add my 2 generated records (selector and policy). Can I add them both as TXT records under my main domain rather than having to create a subdomain (i.e. mail.example.com)?
Your Selector Record:
rsa._domainkey.example.com IN TXT
"k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnfOc9CYLS2I2/mSaDbRoZyJzlHYrS5aSjU3U94FKDmGUkG7HqLUFWRx6TkZVQ5JpKoyTA25PUpBnzdu11945B66EbrZGAYb3YE7kCJ1BSNjaXajd4fzkFfYV06riJgWC83wBc9hoIoDzAZDNFV/HKstjy8Zd2H81HnvpVGnuKeAQsKIdIyazYwv85kHwh8tRm0si4I251VJ9dHByoMu+/e/s8ppBhvaH0Ss1YZr5B7q8PVeoy6V+l9JMPkKt+wsELTBBKVk7LLYdiis3bHXaYL0cfjPerqfwkyX2Hq2xdSUZ90zw7W6pvsoFDVe/1H45ZbqkLJ8klz8YLzwPAJj13wIDAQAB"
Your Policy Record:
_domainkey.example.com IN TXT "o=~"
Thank you.
Best Answer
No, you can't. You must have it exactly as stated in all the documentation and tutorials, i.e.

Here, the _domainkey comes from the DKIM specification (RFC 6376, 7.5) and selectorname is the selector (3.1) for identifying multiple signing keys from each other. While the selector is user-defined and could be anything, it must be the same as the one used in the s= tag in the signature:

This will cause searching for the public key from the DKIM namespace (3.6.2.1), which is a subdomain.
This is just defined this way and it just differs from the SPF records that are defined (RFC 7208, 3) to be placed in the DNS tree at the owner name it pertains to, not in a subdomain under the owner name.
The _domainkey.example.com. IN TXT "o=~" was originally designed for providing information on signing policy in the DKIM Sender Signing Policy Internet-Draft, where "o=~" would specify that the entity signs some but not all mail, while "-" and "!" would be more strict and "." for not sending mail at all. This was never actually used, so you don't need _domainkey.example.com IN TXT "o=~" at all.

For the real-life substitute of "o=" you should orientate towards DMARC. Without DMARC it's not possible to tell whether a domain uses DKIM or not; you could only check if DKIM passes whenever it is present, but it doesn't cover messages without the signature header. When implementing DMARC you should already have both SPF and DKIM working.
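To make the answer's point concrete, here is an added example (not from the question or the answer, and not from any real verifier) that derives the DNS name a DKIM verifier queries from the d= and s= tags of a DKIM-Signature header and resolves it against a constructed zone. The signature values, the key in the zone and the zone itself are placeholders I made up; a key published at the bare domain, as the question proposed, is simply never found.

```python
# Constructed sample DKIM-Signature header; bh= and b= are placeholders, not real digests.
SAMPLE_SIGNATURE = (
    'v=1; a=rsa-sha256; d=example.com; s=rsa; c=relaxed/relaxed; '
    'h=from:to:subject:date; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG='
)

# Constructed zone: the key record sits at <selector>._domainkey.<domain>, the DKIM
# namespace (RFC 6376, 3.6.2.1). The bare domain carries only SPF, as in the question.
SAMPLE_ZONE = {
    'rsa._domainkey.example.com': 'v=DKIM1; k=rsa; p=MIIBIjANBgkqPLACEHOLDERKEY',
    'example.com': 'v=spf1 ip4:192.0.2.10 -all',
}


def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376, 3.2) into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(';'):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition('=')  # split on the first '=' only (base64 may contain '=')
        tags[name.strip()] = ''.join(val.split())
    return tags


def dkim_key_name(signature_header):
    """Return the DNS name a verifier queries for the public key: <s>._domainkey.<d>."""
    tags = parse_tags(signature_header)
    missing = [t for t in ('d', 's') if t not in tags]
    if missing:
        raise ValueError('DKIM-Signature lacks required tag(s): ' + ', '.join(missing))
    return '%s._domainkey.%s' % (tags['s'], tags['d'])


def lookup_dkim_key(signature_header, zone=SAMPLE_ZONE):
    """Resolve the selector record from the zone; None means the key is not where DKIM looks."""
    name = dkim_key_name(signature_header)
    txt = zone.get(name)
    if txt is None:
        return None
    rec = parse_tags(txt)
    # v= defaults to DKIM1 and k= to rsa (RFC 6376, 3.6.1); an empty p= means the key is revoked.
    if rec.get('v', 'DKIM1') != 'DKIM1' or not rec.get('p'):
        return None
    return {'name': name, 'k': rec.get('k', 'rsa'), 'p': rec['p']}


if __name__ == '__main__':
    print(lookup_dkim_key(SAMPLE_SIGNATURE))
    # Key published at the bare domain instead of the selector name: never found.
    print(lookup_dkim_key(SAMPLE_SIGNATURE, {'example.com': 'k=rsa; p=MIIBIjANBgkqPLACEHOLDERKEY'}))
```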