Have DKIM public key but DNS provider is saying I also need the the full DNS record

Emily Hutchison

I'm at a bit of a standoff between Blackbaud and my DNS provider. I'm trying to get my Email Marketing product to work, (I'm using it through RE NXT).  We've addressed the SPF and IP ranges issues.  now we are on the the DKIM issue.


Blackbaud has provided us with a DKIM public key, but the DNS provider is saying that in order to publish the DKIM key in the DNS, they also need the "domain" part of the TXT record.  They said it should look something like:  mail._domainkey IN TXT "v=DKIM1; k=rsa; p=<gibberish public key>"   Blackbaud is saying they don't provide that, the DNS provider needs to write it.  The DNS provider is saying they can't possibly write it because they would have no way of knowing the selector Blackbaud uses, i.e. the "domain" part of the TXT record. 


I am NOT a tech person.  I'm passing along this question from my IT department hoping that the forum can shed some light on this so we can move forward!

John Alan

This is a great question and apologies for the late response!  


When my team creates the DKIM keyset we provide via our Support counterparts some canned instructions for you.  You can expect these with every DKIM-signing request.  They point out what the public key file is (a Linux text file) and what it isn't (a MS Publisher file.)  We also include what the selector will be.

For the record, our default selector is 'sm' and any site that isn't using that will be asked in the coming months to update to it for future-proofing.  Feel free to reach out via Support ticket to get ahead of that ask if you're one of those sites!


The typical records for adding DKIM to a DNS record would look something like this:

 

sm._domainkey.<yoursendingdomainhere>  in the HOST field of this example
v=DKIM1; k=rsa; p=<gibberishpublickey>  in the TXT VALUE field of this example

UNFORTUNATELY - and this is why we don't provide the type of file your DNS provider is asking about - there are many, many DNS providers and not all of them follow the same standard for DKIM configuration.  Some present the fields slightly different in their templates, some refer to HOST vs SELECTOR, etc.  Some go even further and require different ways of inputting the same information.


Specifically, we've seen some DNS providers automatically append your domain name to the HOST/SELECTOR entry resulting in the entry looking like this: 

 

sm._domainkey  in the HOST field of this example (notice the missing info from the previous example)
v=DKIM1; k=rsa; p=<gibberishpublickey>  in the TXT VALUE field of this example

A couple/few ProTip hints for publishing your DKIM key:

• Watch that there are no spaces in the TXT Value (key) part.  Spaces are characters and the generated keys will never have that character in them.
• Watch that the version tag (v=DKIM1;) is exactly that - it's case-sensitive and v=dkim1 does not equal v=DKIM1  (Ask me sometime how I know... funny-ish story...)
• The selector is not case-sensitive but why mess with the Email Gods.  Use 'sm', lower-case.
• If you have future plans to implement a DMARC policy you must have "custom" DKIM with us (that is, your sending domain being signed - not ours which we do by default.)

Hope this helps!  (And if you do get stuck, reach back out via your open DKIM Support ticket and ask.  Whilst my team doesn't know ALL of the DNS providers, we know of a few and may be able to guide you in.)


Btw, the Email Resource Center is a great source of info about our email systems, best practices, etc.  

Emily Hutchison

Thank you so much for this response!  I will share it with my IT guy, and the DNS guy, and if they have any further questions, I'll reach back out to you.  Thank you!!

Andrew Martin 2

Where you successful with you configuration of the DKIM public key that Blackbaud provided you?  I'm in the process of setting a email product and feedback would be helpful.  thanks!