DKIM/DMARC Quick Start
Public/Private Key-pair Generation

Download the TLS/SSL Toolkit.

Extract OpenSSL.exe into a directory of your choice.

In a DOS box, type:

openssl genrsa -out dkim-private.pem 1024

and then

openssl rsa -in dkim-private.pem -out dkim-public.pem -pubout -outform PEM

This results in two files: dkim-private.pem, which is the private key and looks like this:

-----BEGIN RSA PRIVATE KEY-----
MIIByQIBAA ... ZwP56LRqdg5
ZX15bhc/Gs ... T1kwTvFNGIo
AUsFUq+J6+ ... KMX3tk1MkLH
+Ug13EzB2R ... lORd7pfxYCn
Kapi2RPMcR ... +0+r9KaSRM/
3WQrmUpV+f ... amoL7rrkUew
ti9TEjfaBn ... Icj88wGNHCs
FDWGAH4EKN ... 1zT2yYH7tTb
weiHAQxeHe ... mKuj1zLjEhG
6ppw+nKD50 ... 0GYJ4DLP0U=
-----END RSA PRIVATE KEY-----

and dkim-public.pem, which is the public key and looks like this:

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6l
MIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7E
XzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB
-----END PUBLIC KEY-----

Copy dkim-private.pem to the CERT\PRIV directory.

Define a selector for your DomainKey; in this sample we use mail.

Copy the data of the public key file into a TXT record for your domain:

mail._domainkey IN TXT "v=DKIM1;k=rsa;
p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6l
MIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7E
XzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB;"
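
An added example (not DataEnter's code): a standard-library Python helper that strips the PEM armor from dkim-public.pem, joins the base64 into the single-line p= value for the selector record, and checks the RSA modulus size before building the record. The function names and the min_bits parameter are assumptions of this example; the key is the sample block shown above, which decodes to a 768-bit modulus, below the 1024-bit minimum that RFC 8301 sets for DKIM signers (2048 bits recommended).

```python
import base64

# Public key block copied from this page (dkim-public.pem).
PAGE_PUBLIC_PEM = """-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6l
MIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7E
XzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB
-----END PUBLIC KEY-----
"""

def pem_body(pem):
    """Return the base64 payload of a PEM block as one string, armor removed."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    return "".join(line for line in lines if line and not line.startswith("-----"))

def _tlv(buf, pos, tag):
    """Read one DER element at pos; return (content_start, content_end)."""
    if buf[pos] != tag:
        raise ValueError("unexpected DER tag 0x%02x at offset %d" % (buf[pos], pos))
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return pos, pos + length

def rsa_modulus_bits(b64):
    """Bit length of the RSA modulus in a base64 SubjectPublicKeyInfo."""
    der = base64.b64decode(b64, validate=True)
    start, _ = _tlv(der, 0, 0x30)                   # SubjectPublicKeyInfo SEQUENCE
    _, alg_end = _tlv(der, start, 0x30)             # AlgorithmIdentifier (skipped)
    bits_start, _ = _tlv(der, alg_end, 0x03)        # BIT STRING wrapping RSAPublicKey
    seq_start, _ = _tlv(der, bits_start + 1, 0x30)  # +1 skips the unused-bits byte
    n_start, n_end = _tlv(der, seq_start, 0x02)     # INTEGER modulus
    return int.from_bytes(der[n_start:n_end], "big").bit_length()

def dkim_txt_record(selector, pem, min_bits=1024):
    """Build the selector TXT record; refuse keys below min_bits (RFC 8301 floor)."""
    p = pem_body(pem)
    bits = rsa_modulus_bits(p)
    if bits < min_bits:
        raise ValueError("RSA key is %d bits, below the %d-bit minimum" % (bits, min_bits))
    return '%s._domainkey IN TXT "v=DKIM1;k=rsa;p=%s;"' % (selector, p)

if __name__ == "__main__":
    print(rsa_modulus_bits(pem_body(PAGE_PUBLIC_PEM)))  # size of the page's sample key
```

Run it against your own dkim-public.pem before publishing the record; a key that raises here should be regenerated rather than published.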

DKIM (DomainKeys Identified Mail) Signing

Select Options->DKIM->Sign and create a new record.

Set the fields as follows:

For messages from e-mail address: *@yourdomain.com
to e-mail address: *
use this certificate (file in PEM format): dkim-private.pem

Thereafter the program will sign all messages from your domain to everyone using the private key in the dkim-private.pem certificate.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

Create a TXT record for your domain:

_dmarc in txt "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;"

DMARC defines the policy that the receiving MTA should apply to your messages when SPF and DKIM verification fails.

Note: If you do not set a policy, some MTAs, namely Gmail and O365, will apply a strict policy.

©1991-2024 DataEnter GmbH
Wagramerstrasse 93/5/10 A-1220 Vienna, Austria
support@dataenter.co.at
Changed: 2024-01-18