Signing outgoing mail with DKIM

DKIM, also known as DomainKeys Identified Mail, is a form of email authentication that digitally signs emails to prove that they were sent from authorized domains and aren't fake emails. Companies like Google and Yahoo use DKIM to sign their emails and it is becoming ever more popular.

VPOP3 v6.15 and later support DKIM encryption.

To be able to do this yourself, you need to have access to the DNS server for your domain. This might be your own DNS server, or one provided by your domain registry.

Now you need to generate a public key / private key pair to sign & verify your messages. There is a DKIM generator on our website at https://www.pscs.co.uk/tools/dkim. For the selector name use one or more valid DNS name parts. You should not re-use selector names. For simplicity, we suggest using 's1' the first time you generate a certificate, then 's2' the second time, and so on.

On the DNS server, create a new TXT record, with a host name of the <selector>._domainkey.<domain name> - for instance s1._domainkey.example.com. Copy the public key from the key generator, and paste it into the TXT record's data. Apply the changes on the DNS server.

Now you need to sort out the private key. Copy the private key (including the BEGIN/END lines) and paste it into a text editor, like notepad. This document needs to be saved into the VPOP3 directory, as a file called domainkey_<domain name>_<selector>.key (e.g. domainkey_example.com_s1.key).

Now go onto VPOP3 and click the Services tab, and SMTP Server, then click the spam reduction tab. Once there, change the DKIM Signing box to All Local Senders, and add the selector to the DKIM Selector box. Then click Submit.

Now, when you send a message through your VPOP3 server from the appropriate domain, VPOP3 will generate a DKIM signature for the message.

Multiple domains

If you can send mail from several different domains, just have several different domainkey_…..key files in the VPOP3 directory and VPOP3 will choose between them as appropriate. If there isn't a domainkey_…..key file for a particular sender, then VPOP3 will not generate a DKIM signature for that message.

Note that the selector must be the same for all domains, so rename the .key files and DNS hostnames as appropriate. The selector can be any text that is a valid DNS host name, so it can be random text, or something simple like 's1' or whatever you prefer. You should not reuse selector names as that can cause confusion if a signing certificate changes but the selector is the same.