DKIM/DMARC Quick Start
Public/Private Key-pair Generation (RSA)

Download the TLS/SSL Toolkit.

Extract OpenSSL.exe into a directory of your choice.

In a DOS box, type:

openssl genrsa -out dkim-rsa-private.pem 1024

and then

openssl rsa -in dkim-rsa-private.pem -out dkim-rsa-public.pem -pubout -outform PEM

This results in two files: dkim-rsa-private.pem, which is the private key and looks like this:

-----BEGIN RSA PRIVATE KEY-----
MIIByQIBAA ... ZwP56LRqdg5
ZX15bhc/Gs ... T1kwTvFNGIo
AUsFUq+J6+ ... KMX3tk1MkLH
+Ug13EzB2R ... lORd7pfxYCn
Kapi2RPMcR ... +0+r9KaSRM/
3WQrmUpV+f ... amoL7rrkUew
ti9TEjfaBn ... Icj88wGNHCs
FDWGAH4EKN ... 1zT2yYH7tTb
weiHAQxeHe ... mKuj1zLjEhG
6ppw+nKD50 ... 0GYJ4DLP0U=
-----END RSA PRIVATE KEY-----

and dkim-rsa-public.pem, which is the public key and looks like this:

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6l
MIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7E
XzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB
-----END PUBLIC KEY-----

Copy dkim-rsa-private.pem to the CERT\PRIV directory.

Define a unique selector for your DomainKey; in this sample we use 20150809rsa, which is the current date and the algorithm.

Copy the data of the public key file (without the BEGIN/END lines) into a TXT record for your domain:

20150809rsa._domainkey IN TXT "v=DKIM1;k=rsa;
p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6l
MIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7E
XzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB;"

Public/Private Key-pair Generation (Ed25519)

Download the TLS/SSL Toolkit.

Extract OpenSSL.exe into a directory of your choice.

In a DOS box, type:

openssl genpkey -algorithm ed25519 -outform PEM -out dkim-ed25519-private.pem 
openssl pkey -in dkim-ed25519-private.pem -pubout -out dkim-ed25519-public.pem
openssl asn1parse -in dkim-ed25519-public.pem -offset 12 -noout -out dkim-ed25519-public.asn1
openssl base64 -in dkim-ed25519-public.asn1 -out dkim-ed25519-public.txt
copy dkim-ed25519-private.pem + dkim-ed25519-public.pem dkim-ed25519-private.pem

This results in two files: dkim-ed25519-private.pem, which is the combined private key and public key and looks like this:

-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIL2zDc8AYXxheWLz01yOuyrspFHI4OgTVibqzR8+Yhhi
-----END PRIVATE KEY-----
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAm8JAa1/AWiCpJXCKx0ytRq4Hr4ZAynEwTX7tV0QH0Yw=
-----END PUBLIC KEY-----

and dkim-ed25519-public.txt, which is the extracted public key and looks like this:

m8JAa1/AWiCpJXCKx0ytRq4Hr4ZAynEwTX7tV0QH0Yw=

Copy dkim-ed25519-private.pem to the CERT\PRIV directory.

Define a unique selector for your DomainKey; in this sample we use 20240919edc, which is the current date and the algorithm.

Copy the data of the extracted public key file into a TXT record for your domain:

20240919edc._domainkey IN TXT "v=DKIM1;k=ed25519;
p=m8JAa1/AWiCpJXCKx0ytRq4Hr4ZAynEwTX7tV0QH0Yw=;"
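
The PEM-to-TXT conversion that the RSA and Ed25519 sections perform by hand, as an added Python example (not DataEnter's code; all function names are this example's own). It shows why the Ed25519 steps use -offset 12, and rsa_modulus_bits reports the RSA key size so a short key is noticed before the record is published.

```python
import base64

# Fixed 12-byte SubjectPublicKeyInfo header in front of every raw Ed25519 key;
# "openssl asn1parse -offset 12" in the steps above skips exactly these bytes.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption

def pem_to_der(pem: str) -> bytes:
    """Drop the BEGIN/END lines and decode the base64 body."""
    body = [l.strip() for l in pem.splitlines() if l.strip() and "-----" not in l]
    return base64.b64decode("".join(body), validate=True)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(der: bytes) -> int:
    """Walk SubjectPublicKeyInfo down to the modulus INTEGER and size it."""
    _, seq, _ = read_tlv(der, 0)         # outer SEQUENCE
    _, _, alg_end = read_tlv(der, seq)   # AlgorithmIdentifier
    _, bits, _ = read_tlv(der, alg_end)  # BIT STRING
    _, key, _ = read_tlv(der, bits + 1)  # +1 skips the unused-bits byte
    _, n0, n1 = read_tlv(der, key)       # INTEGER n (modulus)
    return int.from_bytes(der[n0:n1], "big").bit_length()

def dkim_record(selector: str, public_pem: str) -> str:
    """Build the TXT record in the page's format from a PEM public key."""
    der = pem_to_der(public_pem)
    if len(der) == 44 and der.startswith(ED25519_SPKI_PREFIX):
        k, p = "ed25519", base64.b64encode(der[12:]).decode()  # raw 32-byte key
    elif RSA_OID in der[:24]:
        k, p = "rsa", base64.b64encode(der).decode()  # whole structure, as on the page
    else:
        raise ValueError("not an RSA or Ed25519 public key")
    return f'{selector}._domainkey IN TXT "v=DKIM1;k={k};p={p};"'

# Sample input: the Ed25519 public key shown on this page.
ED25519_PEM = """-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAm8JAa1/AWiCpJXCKx0ytRq4Hr4ZAynEwTX7tV0QH0Yw=
-----END PUBLIC KEY-----"""

if __name__ == "__main__":
    print(dkim_record("20240919edc", ED25519_PEM))
```

Given the RSA public key printed in the RSA section, rsa_modulus_bits(pem_to_der(...)) returns 768, so that sample key is shorter than the 1024 bits the genrsa command requests. RFC 8301 has verifiers treat RSA keys below 1024 bits as invalid and advises signers to use at least 2048 bits.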


DKIM (DomainKeys Identified Mail) Signing

Select Options->DKIM->Sign and create a new record.

Set the fields as follows:

For messages from e-mail address: *@yourdomain.com
to e-mail address: *
use this certificate (file in PEM format): dkim-rsa-private.pem

Thereafter the program will sign all messages from your domain to everyone using the private key in the dkim-rsa-private.pem certificate.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

Create a TXT record for your domain:

_dmarc in txt "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;"

DMARC defines the policy that the receiving MTA should apply to your messages when SPF and DKIM verification fails.

Note: If you do not set a policy, some MTAs, namely Gmail and O365, will apply a strict policy.

©1991-2025 DataEnter GmbH
Wagramerstrasse 93/5/10 A-1220 Vienna, Austria
support@dataenter.co.at
Fax: +43 (1) 4120051
Changed: 2024-09-19