I need to setup DKIM to validate an email provider we are using. In the provider's documentation, they require us to add two records, a selector record and a policy record, like this:
selector._domainkey.mydomain.com TXT "k=rsa; p=mykeyhere"
_domainkey.mydomain.com TXT "t=y; o=~"
I'm concerned about adding this new policy, because we have quite a few DKIM selectors setup in our DNS zone already, with no existing policy record (we use multiple third party providers that need to send email on our behalf). I want to make sure I don't break existing functionality by creating this record. From what I've read, you can only have a single policy per zone, so it is "shared", so to speak.
I've researched this a bit, and the policy the vendor is requiring,
t=y; o=~, should be pretty harmless. It seems to say some emails may be signed, and to treat verified/unverified emails in the same way (reference).
Still, this would impact our production application, and I'm hoping to get some confidence that this is safe to add. Am I correct in my assumption that I can add this record without causing a bunch of our outbound email to be marked as spam? Or am I missing something?