DKIM: Can I safely add a DomainKey policy record without breaking existing email?

jp flag

I need to set up DKIM to validate an email provider we are using. In the provider's documentation, they require us to add two records, a selector record and a policy record, like this: `TXT "k=rsa; p=mykeyhere"` and `TXT "t=y; o=~"`

I'm concerned about adding this new policy, because we have quite a few DKIM selectors set up in our DNS zone already, with no existing policy record (we use multiple third-party providers that need to send email on our behalf). I want to make sure I don't break existing functionality by creating this record. From what I've read, you can only have a single policy per zone, so it is "shared", so to speak.

I've researched this a bit, and the policy the vendor is requiring, `t=y; o=~`, should be pretty harmless. It seems to say some emails may be signed, and to treat verified/unverified emails in the same way (reference).

Still, this would impact our production application, and I'm hoping to get some confidence that this is safe to add. Am I correct in my assumption that I can add this record without causing a bunch of our outbound email to be marked as spam? Or am I missing something?

gf flag
Do you have a DMARC record on your domain name? (If yes, what does it look like?)
jp flag
@dominix yes, it looks like `v=DMARC1; p=none; rua=mailto:[email protected]`
us flag
Note that ‘policy records’ are not part of DKIM, but of the long obsolete DomainKeys RFC. If someone requires you to set up a policy record now, that seems a decade out of date.
gf flag

DKIM is a signature tool. It is a post-verification tool in the sense that you cannot guess the selector key before you receive a message. There is a convention to name your selector "selector1", but it is just an easy name, because there is no mandatory form for the name of your selector. So you can publish as many DKIM selectors in your DNS records as you want; only those used in sent messages will be checked (eventually) once these messages are received. And hopefully they will be verified successfully if your DNS publication is correlated to these keys. But publishing DKIM selector keys does not force you to use them per se.

The only case where DKIM will lead to delivery failure is in conjunction with DMARC, and only if DMARC requires that there is a DKIM signature aligned with your domain and you fail to insert one in your sent message, or if you inserted one in your message but forgot to publish it in your DNS.

As your DMARC does not require alignment (policy=none), DKIM will not impact the delivery of your business mail at all.

BTW, many messages have multiple DKIM signatures in them, without delivery problems.

BTW(2), it would be a good idea to think about adding a DKIM signature to your legacy email servers so you can use DMARC to better protect your business from phishing, or from false allegations to click on suspect links, but that is another topic.

cn flag

The policy record is part of Domain-Based Email Authentication Using Public Keys Advertised in the DNS (DomainKeys), which was proposed but immediately obsoleted on publication of RFC 4870 by RFC 4871, DomainKeys Identified Mail (DKIM) Signatures, both of which were published in May 2007.

The newer DKIM standard does not use the policy records that were a part of the obsolete DomainKeys standard.

Creating the DomainKeys policy record is not expected to cause any issues with any DKIM records for either sending or receiving servers.
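The two answers above make three checkable claims: a DKIM verifier only ever queries the one selector record named in a message's DKIM-Signature header (`<s>._domainkey.<d>`), an unpublished selector fails verification but DMARC `p=none` still delivers the message, and the DomainKeys policy record lives at the bare `_domainkey.<domain>` name, which is never a DKIM selector name. The following is an added example, not code from the question or either answer. It uses a constructed in-memory zone for the hypothetical domain example.com in place of live DNS (the `p=` values are truncated placeholders, not real keys), parses the tag=value records, and records every lookup so you can see which names a receiver actually touches. `dmarc_disposition` is generalized to any `p=` value, so it also shows what would change if the policy were later tightened to quarantine or reject.

```python
import re

# Constructed zone standing in for live DNS for the hypothetical domain
# example.com; the p= values are truncated placeholders, not real public keys.
ZONE = {
    "selector1._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexample1",
    "vendor2._domainkey.example.com": "k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexample2",
    "_domainkey.example.com": "t=y; o=~",  # DomainKeys (RFC 4870) policy record
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
QUERIES = []  # every TXT name looked up, so lookups can be audited afterwards


def lookup_txt(name):
    """Stand-in for a DNS TXT query against the constructed zone."""
    name = name.lower().rstrip(".")
    QUERIES.append(name)
    return ZONE.get(name)


def parse_tags(record):
    """Split a tag=value list (DKIM key, DomainKeys policy, DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def selector_record_name(sig_tags):
    """RFC 6376 section 3.6.2.1: the public key lives at <s>._domainkey.<d>."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"


def dkim_key_for_message(dkim_signature_header):
    """Resolve the single key a message's DKIM-Signature header references.

    Returns (dns_name, key_tags). key_tags is None when the selector is not
    published (the 'forgot to publish it in your DNS' failure) or the record
    is not a usable RSA key. No other selector in the zone is ever queried.
    """
    sig = parse_tags(re.sub(r"\s+", "", dkim_signature_header))  # unfold header
    name = selector_record_name(sig)
    record = lookup_txt(name)
    if record is None:
        return name, None
    key = parse_tags(record)
    if key.get("k", "rsa") != "rsa" or "p" not in key:
        return name, None
    return name, key


def dmarc_disposition(domain, dkim_aligned, spf_aligned):
    """Apply the domain's DMARC policy to one message's alignment results.

    A pass on either aligned mechanism is enough; only on failure does the
    p= tag decide. With p=none the receiver merely reports, so a missing or
    broken DKIM signature does not change delivery.
    """
    record = lookup_txt(f"_dmarc.{domain}")
    if record is None or dkim_aligned or spf_aligned:
        return "none"
    return parse_tags(record).get("p", "none")


def is_dkim_selector_name(name, domain):
    """True only for <label>._domainkey.<domain>.

    The bare _domainkey.<domain> name used by the DomainKeys policy record
    has no selector label, so it can never collide with a DKIM selector.
    """
    suffix = f"._domainkey.{domain}"
    return name.endswith(suffix) and len(name) > len(suffix)


if __name__ == "__main__":
    # Constructed header for a message signed with selector1 (bh=/b= truncated).
    signed = ("v=1; a=rsa-sha256; d=example.com; s=selector1;\r\n"
              " h=from:to:subject; bh=abc=; b=xyz=")
    print(dkim_key_for_message(signed))
    # The same message claiming a selector nobody published fails to verify...
    print(dkim_key_for_message(signed.replace("s=selector1", "s=vendor3")))
    # ...but with p=none DMARC still answers 'none': deliver and report only.
    print(dmarc_disposition("example.com", dkim_aligned=False, spf_aligned=False))
    print("vendor2 ever queried:", "vendor2._domainkey.example.com" in QUERIES)
    print("policy record is a selector name:",
          is_dkim_selector_name("_domainkey.example.com", "example.com"))
```

Against a real zone the same three names can be checked with `dig +short TXT selector1._domainkey.example.com`, `dig +short TXT _domainkey.example.com` and `dig +short TXT _dmarc.example.com`; the first is what a verifier fetches, the second is where the vendor's `t=y; o=~` record would go, and the third decides whether any DKIM failure has a delivery consequence.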

