DKIM

Using DomainKeys Identified Mail (DKIM) on Dreamhost

Background Information
DKIM is a way of 'signing' emails to prove they came from you. It is a form of email authentication that works via a digital signature and makes it easier to identify spoofed e-mails. The sending mail server signs the email with the private key, and the receiving mail server uses the public key in the domain's DNS information to verify the signature. One domain can have many DKIM keys publicly listed in DNS, but each matching private key is only on one mail server.

Automatic DKIM
Your emails may already be using DKIM! If you're using regular DreamHost-hosted mail service all the pieces used by DKIM may already be in place. DreamHost automatically makes the DKIM DNS record for all domains and subdomains that use DreamHost email. You can see it in the panel's Manage Domains page, click the DNS link; the DreamHost mail server DKIM records will look like these, both identifiable by _domainkey in the record and type TXT.

When you send emails through the mail server, they will be automatically signed. No switch to flip or special command needed! Most emails are sent through the mail server; webmail, mail client programs, anything that uses SMTP to send emails sends them through the mail server.

Remember that DKIM signing can only be done by the mail server. If your website sends emails and doesn't use DKIM, those emails won't be DKIM signed.

DKIM with a bit of work
If you're using DreamHost-hosted mail service, but not DreamHost's nameservers, you'll need to take the DKIM DNS records from the panel and enter them into the system where your domain's DNS is actually managed.

If you're using another mail provider for your domain's mail service, that mail provider may offer DKIM signing. If you send emails sometimes through other mail servers, like a mass-mailing service, those servers may provide DKIM signing too.

This list has links to DKIM information from various mail providers that other folks have used:
 * Campaign Monitor
 * Constant Contact
 * Google Apps

Multiple DKIM? Yes!
A domain can have many DKIM public keys as servers that send and sign mail.

There are two types of DKIM DNS records. The policy record contains information about the DKIM signing policy and the email address of the postmaster, and there should only ever be one of these.

The DKIM DNS records with the long string of gibberish that is the public signing key, a domain can have many of these as it has servers with private keys that sign emails. Each of these should have a selector that uniquely identifies it. If there is just one, it may have no selector at all just "_domainkey". Additional ones would use selectors to keep them all separated, for example "list._domainkey" and "bananas._domainkey".

Selectors are how receiving servers know which public key to use for an email, which corresponding private key was used to sign the email. More information about selectors and DKIM DNS records at these links:
 * http://dkimcore.org/specification.html
 * http://support.simpledns.com/KB/a62/configuring-dns-records-for-domainkeys-dkim.aspx
 * https://www.xpertdns.com/billing/knowledgebase/1/DomainKeys-or-DKIM.html

Using DKIM with sendmail and PHP Mail
Automatic DreamHost DKIM settings are not enabled if you're using sendmail or PHP Mail to send emails. This means that if you use a WordPress newsletter plugin that sends emails via sendmail of PHP Mail, you have two options for using DKIM for those emails:
 * Configure WordPress to use SMTP when sending out emails. Some newsletter and contact form plugins have SMTP built-in, or there are plugins that add SMTP support to WordPress.
 * Manually install and configure DKIM. The proposed solution is to use opendkim.org. While you can install it yourself on your VPS, DreamHost will not provide any support regarding manually-installed DKIM software.

History of DKIM at DreamHost
Until October 2008, DreamHost didn’t support DKIM at all! However, in the October 2008 newsletter, it was announced that DKIM keys and associated DNS records would be created for everyone. The newsletter said this DKIM implementation did not affect incoming mail. Starting in February 2011 DreamHost started domainkey/dkim signing for all outgoing mail, Enjoy.