DKIM using CNAME records
Question asked by Jose Gomez - 1/11/2024 at 4:16 PM
Hey, everyone. I've seen several providers using CNAME records to configure DKIM with. Does anyone know how this can be done using SmarterMail? Thanks in advance.

6 Replies

Normally a DKIM is a TXT record??
Jose Gomez Replied
I'm aware of that. But I have clients who are using other email service providers and those providers are providing CNAME records that reference some sort of pre-created DKIM record on a different domain name. Here's what the provider who owns ccsend.com sent to my client:

Copy this information below and paste it into your hosting provider's DNS settings for your website.
CNAME 1 Record Name: ctct1._domainkey.<clientdomainhidden>.com
CNAME 2 Record Name: ctct2._domainkey.<clientdomainhidden>.com
CNAME 1 Value: 100._domainkey.dkim1.ccsend.com
CNAME 2 Value: 200._domainkey.dkim2.ccsend.com
If you do not already have a DMARC policy, please add the following TXT record to your domain name settings (DNS).
TXT record host name: _dmarc.<clientdomainhidden>.com
TXT record value: v=DMARC1; p=none;
Nathan Replied
If you are managing DKIM for customer domains where you do not control DNS, I would suggest using CNAMEs, as it decouples you from the third-party DNS in terms of rolling over keys. The CNAME should resolve to a TXT record in a domain you control to ease management.
Jose Gomez Replied
How would that then be entered into that customer's SmarterMail settings for their domain?
Nathan Replied
Unfortunately SM automagically generates the selector name so you need to attempt to enable in the domain configuration first. In a quick test it wanted to create "8DC138701E37FDF._domainKey.customerdomain.com" with the appropriate "v=DKIM1..." entry as a TXT record.

Using this example, get the client to create CNAME:

Record Name: 8DC138701E37FDF._domainKey.customerdomain.com.
Record Type: CNAME
Record Value: 8DC138701E37FDF._domainKey.isp-domain.com.

Then you create:

Record Name: 8DC138701E37FDF._domainKey.isp-domain.com.
Record Type: TXT
Record Value: "v=DKIM1; k=rsa; h=sha256; p=<<key-removed>>"

This way you could roll over the key if needed without the client updating DNS.
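
The CNAME delegation described in the reply above can be checked by following the selector name to its TXT record and validating the key record. This is an added example, not part of the original post and not SmarterMail code; the records are constructed from the names in the thread, the key value is a placeholder, and the function names are hypothetical.

```python
# Added example: follow a delegated DKIM selector through CNAMEs to its TXT key record.
# RECORDS is constructed sample data using the names from the thread; p= is a placeholder.
RECORDS = [
    ("8DC138701E37FDF._domainKey.customerdomain.com.", "CNAME",
     "8DC138701E37FDF._domainKey.isp-domain.com."),
    ("8DC138701E37FDF._domainKey.isp-domain.com.", "TXT",
     "v=DKIM1; k=rsa; h=sha256; p=PLACEHOLDERBASE64KEY"),
]

def norm(name):
    """DNS names are case-insensitive; drop the trailing root dot."""
    return name.rstrip(".").lower()

ZONE = {(norm(n), t): v for n, t, v in RECORDS}

def parse_dkim(txt):
    """Split a 'tag=value; tag=value' key record into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def check_selector(zone, name, max_hops=8):
    """Return (status, chain, tags) for a selector name looked up in zone."""
    chain, seen = [norm(name)], set()
    for _ in range(max_hops):
        cur = chain[-1]
        if cur in seen:
            return "cname-loop", chain, {}
        seen.add(cur)
        target = zone.get((cur, "CNAME"))
        if target is not None:
            chain.append(norm(target))      # follow the delegation one hop
            continue
        txt = zone.get((cur, "TXT"))
        if txt is None:
            return "dangling", chain, {}    # CNAME ends at a name with no key record
        tags = parse_dkim(txt)
        if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
            return "not-dkim", chain, tags  # TXT exists but is not a DKIM key record
        if tags["p"] == "":
            return "revoked", chain, tags   # empty p= marks a revoked key
        return "ok", chain, tags
    return "too-many-hops", chain, {}
```

To check live DNS, replace the dictionary lookups with CNAME and TXT queries from a resolver.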
Ron Raley Replied
This is a cleaner method, indeed. I'm seeing more tech companies doing it this way.
