Can I add a DKIM and SPF record on the main domain?


My webserver is hosted on Amazon EC2, on the free tier, on say example.com. As I'm only using a single Elastic IP address, and I don't want to pay for another, I thought about setting up Postfix on my webserver rather than setting it up on mail.example.com (which is probably a better idea).

Most documents talk about adding these records to a subdomain, but can I put them on my main domain as well (i.e. example.com)? I currently have my SPF set as a TXT record on my main domain and it passes SPF checks. Can I do the same for DKIM?

I just generated a key on https://www.unlocktheinbox.com/dkimwizard/ and it shows the private and public key, and below them a selector record and a policy record.

While I understand where I need to put my private key (Postfix) and public key (in the DNS TXT/MX record), I'm not sure where I should add my 2 generated records (selector and policy). Can I add them both as TXT records under my main domain rather than having to create a subdomain (i.e. mail.example.com)?

Your Selector Record:

rsa._domainkey.example.com IN TXT

"k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnfOc9CYLS2I2/mSaDbRoZyJzlHYrS5aSjU3U94FKDmGUkG7HqLUFWRx6TkZVQ5JpKoyTA25PUpBnzdu11945B66EbrZGAYb3YE7kCJ1BSNjaXajd4fzkFfYV06riJgWC83wBc9hoIoDzAZDNFV/HKstjy8Zd2H81HnvpVGnuKeAQsKIdIyazYwv85kHwh8tRm0si4I251VJ9dHByoMu+/e/s8ppBhvaH0Ss1YZr5B7q8PVeoy6V+l9JMPkKt+wsELTBBKVk7LLYdiis3bHXaYL0cfjPerqfwkyX2Hq2xdSUZ90zw7W6pvsoFDVe/1H45ZbqkLJ8klz8YLzwPAJj13wIDAQAB"

Your Policy Record:

_domainkey.example.com IN TXT "o=~"

Thank you.

Best Answer

No, you can't. You must have it exactly as stated in all the documentation and tutorials, i.e.

selectorname._domainkey.example.com. IN TXT "k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB..."

Here, the _domainkey comes from the DKIM specification (RFC 6376, 7.5) and selectorname is the selector (3.1) used to tell multiple signing keys apart. While the selector is user-defined and could be anything, it must be the same as the one used in the s= tag of the signature:

DKIM-Signature: v=1; a=rsa-sha1; q=dns/txt; d=example.com; i=user@example.com; s=selectorname; ...

This causes the public key to be looked up in the DKIM namespace (3.6.2.1), which is a subdomain:

All DKIM keys are stored in a subdomain named _domainkey. Given a DKIM-Signature field with a d= tag of example.com and an s= tag of foo.bar, the DNS query will be for foo.bar._domainkey.example.com.

It is simply defined this way, and it differs from SPF records, which are defined (RFC 7208, 3) to be placed in the DNS tree at the owner name they pertain to, not in a subdomain under the owner name.

The _domainkey.example.com. IN TXT "o=~" record was originally designed to provide signing-policy information in the DKIM Sender Signing Policy Internet-Draft, where o=~ specifies that the entity signs some but not all mail, - and ! are stricter, and . means the entity sends no mail at all.

This was never actually used, so you don't need _domainkey.example.com IN TXT "o=~" at all.

For a real-life substitute for o= you should look to DMARC. Without DMARC it is not possible to tell whether a domain uses DKIM at all; you could only check whether DKIM passes when a signature is present, which does not cover messages without a signature header.

A DMARC policy allows a sender to indicate that their messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes, such as junking or rejecting the message.

When implementing DMARC you should already have both SPF and DKIM working.
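The answer above boils down to three different owner names for three different records. The following added example (not part of the original question or answer) shows how a receiver derives each of them: the DKIM key name is built from the d= and s= tags of the DKIM-Signature header, SPF is read at the domain itself, and DMARC at _dmarc.<domain>. It runs offline against a small constructed zone for example.com; the records, the truncated p= value and the sample header are illustrative data, not real DNS or a real signature. It also shows the failure mode the answer warns about: a selector that does not match the published record yields no key, and so does a revoked (empty p=) key.

```python
"""Where DKIM, SPF and DMARC records live, resolved against a constructed toy zone."""
import re

# Constructed TXT records for example.com (illustrative, not a real zone).
# The DKIM p= value is a truncated placeholder and is not a usable public key.
ZONE = {
    # SPF: published at the owner name itself (RFC 7208, section 3).
    "example.com.": "v=spf1 ip4:203.0.113.10 -all",
    # DKIM: <selector>._domainkey.<d=> (RFC 6376, section 3.6.2.1).
    "rsa._domainkey.example.com.": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB...",
    # Legacy Sender-Signing-Policy record from old wizards; RFC 6376 verifiers never query it.
    "_domainkey.example.com.": "o=~",
    # DMARC: _dmarc.<domain> (RFC 7489); the only place a "do you sign?" policy lives.
    "_dmarc.example.com.": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
}


def parse_tags(value):
    """Parse an RFC 6376 tag=value list ("k=rsa; p=...") into a dict.
    Whitespace around tags is ignored and the first '=' separates tag from value;
    whitespace inside a value (folded long p= keys) is not significant."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def parse_dkim_signature(header):
    """Return the tags of a DKIM-Signature header, with or without the field name."""
    body = re.sub(r"^\s*DKIM-Signature\s*:", "", header, flags=re.I)
    return parse_tags(body)


def dkim_key_name(sig):
    """Owner name of the public key for a parsed signature: '<s>._domainkey.<d>.'.
    The _domainkey label and the position under d= are fixed by the spec."""
    for tag in ("d", "s"):
        if not sig.get(tag):
            raise ValueError(f"DKIM-Signature lacks required {tag}= tag")
    return f"{sig['s']}._domainkey.{sig['d'].rstrip('.')}."


def spf_record_name(domain):
    """SPF is published at the owner name itself, never in a subdomain."""
    return domain.rstrip(".") + "."


def dmarc_record_name(domain):
    """DMARC policy lives one label below the domain, at _dmarc."""
    return "_dmarc." + domain.rstrip(".") + "."


def fetch_dkim_key(zone, header):
    """Resolve the signature's selector record in zone and validate it as a key record.
    Returns the parsed key tags, or None when no usable key exists: a missing record,
    an empty p= (a revoked key, RFC 6376 3.6.1) or a key type not matching a=."""
    sig = parse_dkim_signature(header)
    txt = zone.get(dkim_key_name(sig))
    if txt is None:
        return None
    key = parse_tags(txt)
    if key.get("v", "DKIM1") != "DKIM1":
        return None
    if key.get("p", "") == "":
        return None
    key.setdefault("k", "rsa")  # k= defaults to rsa when absent
    if key["k"] != sig.get("a", "rsa-sha256").split("-")[0]:
        return None
    return key


# Constructed header as a receiver would see it (hash and signature values elided).
SIGNED = ("DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; d=example.com; "
          "i=user@example.com; s=rsa; h=from:to:subject; bh=...; b=...")
WRONG_SELECTOR = SIGNED.replace("s=rsa;", "s=mail;")

if __name__ == "__main__":
    print(dkim_key_name(parse_dkim_signature(SIGNED)))  # rsa._domainkey.example.com.
    print(fetch_dkim_key(ZONE, SIGNED)["k"])            # rsa
    print(fetch_dkim_key(ZONE, WRONG_SELECTOR))         # None: no such selector record
    print(spf_record_name("example.com"), dmarc_record_name("example.com"))
```

Note that nothing in the lookup path ever touches `_domainkey.example.com.` itself; the `o=~` record is simply dead data, which is why the answer says it can be dropped. Replace the toy `ZONE` dict with real TXT lookups (e.g. via dnspython) to turn this into a live check of your own zone.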