SMTP DKIM – Can I Safely Add a DomainKey Policy Record Without Breaking Existing Email?


I need to set up DKIM to validate an email provider we are using. In the provider's documentation, they require us to add two records, a selector record and a policy record, like this:

selector._domainkey.mydomain.com TXT "k=rsa; p=mykeyhere"
_domainkey.mydomain.com  TXT "t=y; o=~"

I'm concerned about adding this new policy, because we have quite a few DKIM selectors set up in our DNS zone already, with no existing policy record (we use multiple third-party providers that need to send email on our behalf). I want to make sure I don't break existing functionality by creating this record. From what I've read, you can only have a single policy per zone, so it is "shared", so to speak.

I've researched this a bit, and the policy the vendor is requiring, t=y; o=~, should be pretty harmless. It seems to say some emails may be signed, and to treat verified/unverified emails in the same way (reference).

Still, this would impact our production application, and I'm hoping to get some confidence that this is safe to add. Am I correct in my assumption that I can add this record without causing a bunch of our outbound email to be marked as spam? Or am I missing something?

Best Answer

The policy record is part of Domain-Based Email Authentication Using Public Keys Advertised in the DNS (DomainKeys), which was proposed but immediately obsoleted on publication of RFC 4870 by RFC 4871, DomainKeys Identified Mail (DKIM) Signatures, both of which were published in May 2007.

The newer DKIM standard does not use the policy records that were a part of the obsolete DomainKeys standard.

Creating the DomainKeys policy record is not expected to cause any issues with any DKIM records for either sending or receiving servers.
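
The name-level separation behind this answer, as an added example that is not part of the original question or answer: a DKIM verifier looks up the key at <selector>._domainkey.<domain>, so it never queries the bare _domainkey.<domain> name where the DomainKeys policy record lives. The zone contents are constructed (the "vendor2" selector and its key are assumptions), and the o=/t= meanings follow RFC 4870.

```python
# Added example: the zone below is constructed sample data, not a real domain.
ZONE = {
    "selector._domainkey.mydomain.com": "k=rsa; p=mykeyhere",
    "vendor2._domainkey.mydomain.com": "v=DKIM1; k=rsa; p=otherkeyhere",  # assumed
    "_domainkey.mydomain.com": "t=y; o=~",
}

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT payload into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)  # keep '=' padding inside p=
            tags[name.strip()] = value.strip()
    return tags

def classify(name, domain):
    """Return 'policy', 'selector' or 'other' from the owner name alone."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    suffix = "_domainkey." + domain
    if name == suffix:
        return "policy"      # DomainKeys (RFC 4870) policy record
    if name.endswith("." + suffix):
        return "selector"    # key record, one per selector
    return "other"

def dkim_lookup_name(selector, domain):
    """Name a DKIM verifier queries for a signature with s=selector, d=domain."""
    return f"{selector}._domainkey.{domain}"

def describe_policy(tags):
    """Interpret the RFC 4870 policy tags o= and t=."""
    outbound = {"~": "some mail is signed", "-": "all mail is signed"}
    return {
        "outbound": outbound.get(tags.get("o", "~"), "unknown"),
        "testing": tags.get("t") == "y",
    }

def audit(zone, domain):
    """Map each record to its kind and check every selector is still reachable."""
    kinds = {name: classify(name, domain) for name in zone}
    selectors = sorted(n.split("._domainkey.")[0]
                       for n, k in kinds.items() if k == "selector")
    reachable = {s: dkim_lookup_name(s, domain) in zone for s in selectors}
    return kinds, reachable

if __name__ == "__main__":
    kinds, reachable = audit(ZONE, "mydomain.com")
    print(kinds, reachable,
          describe_policy(parse_tags(ZONE["_domainkey.mydomain.com"])))
```

Running the same classification over an export of the real zone before and after adding the record confirms that every existing selector name still resolves to its own key record.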
