Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed


Enable DKIM for Domino

Daniel Nashed  10 February 2024 19:23:27


- DKIM inbound is supported starting with Domino 12.0.1

- DKIM outbound is supported starting with Domino 12.0.2

Now the first providers raise the bar for sending mails.

This might not only be relevant for mass mail.

Here is a short write-up on enabling DKIM with RSA and Ed25519 keys.

-- Daniel

Inbound DKIM is just a setting in the configuration document.

Outgoing DKIM requires a signing key. RSA and Ed25519 are supported in parallel. Since not every server supports modern Ed25519 keys, it's a good idea to enable both key types.

For DKIM signing, a 1024-bit RSA key should be sufficient.

There isn't a UI for enabling DKIM outbound. This isn't complicated, but it requires setting DNS TXT records.

Before you can start creating a key using the Domino server keymgmt commands, make sure you have set up a credential store.

Encrypting the data in credstore.nsf requires a NEK key.

Create credstore.nsf key and database

keymgmt create nek nashcom

keymgmt create credstore nashcom

Create signing keys

keymgmt create DKIM ed20240210 ed25519

keymgmt create DKIM rsa20240210 rsa 1024

Export keys

Next export the public key info into a text file.

keymgmt export DKIM DNS ed20240210 nashcom_de_ed20240210.txt

keymgmt export DKIM DNS rsa20240210 nashcom_de_rsa20240210.txt

Create DNS text records

The text files contain the TXT record data, which you use to create the DNS TXT records.

The name of the DNS TXT record is the selector plus "._domainkey." followed by the domain, as shown in the following examples.

host -t txt

v=DKIM1; k=ed25519; p=eJoyGyVtGTJOgdmqOvomT+cktetdLShd3ZmoG0oU/2g=;

host -t txt

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCs/Fs2ZrnS+i247pZgJszL9epUbapmZ4z3QEcLVoGNkPs6Ci8/XKqL5u0mvOZa0RY2I8NOloN71fVZtulL664rTUNfFd4p0PfwDGVLDKoDaZt5c/fE0Wu8uRbp77yAMpewqj9XrgJ5zERa8vi+QKHrF3ccugEVAd3Ofq5kaUGXiwIDAQAB;

You have to make sure the DNS records are in place and are populated.

This is also important when you update your DKIM keys.

The selector is used when signing the outgoing mail.

The receiving server will use the selector to lookup the public key.

Therefore the new signing key must already be in place. The order is always to create new keys first and wait until they are propagated in DNS.
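The exported records can be sanity-checked offline before they are published, and the same check can be run on what DNS returns afterwards. The following Python sketch is an added example, not part of the original post or of Domino; the function names are assumptions made for illustration, and the sample records are the two shown above.

```python
import base64
import re

# The two key records shown on this page (keymgmt export output).
ED_EXPORT = "v=DKIM1; k=ed25519; p=eJoyGyVtGTJOgdmqOvomT+cktetdLShd3ZmoG0oU/2g=;"
RSA_EXPORT = ("v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCs/Fs2ZrnS+i247pZgJszL"
              "9epUbapmZ4z3QEcLVoGNkPs6Ci8/XKqL5u0mvOZa0RY2I8NOloN71fVZtulL664rTUNfFd4p0PfwDGVL"
              "DKoDaZt5c/fE0Wu8uRbp77yAMpewqj9XrgJ5zERa8vi+QKHrF3ccugEVAd3Ofq5kaUGXiwIDAQAB;")
# Constructed: the RSA record as a DNS tool prints it, split into quoted chunks.
RSA_DNS = '"%s" "%s"' % (RSA_EXPORT[:120], RSA_EXPORT[120:])

def _tlv(buf, pos, want):
    """Read one DER element at pos, check its tag, return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError("unexpected DER structure")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Modulus size of the SubjectPublicKeyInfo carried in p= when k=rsa."""
    body, _ = _tlv(spki, 0, 0x30)      # SubjectPublicKeyInfo SEQUENCE
    _, pos = _tlv(body, 0, 0x30)       # AlgorithmIdentifier, skipped
    bits, _ = _tlv(body, pos, 0x03)    # BIT STRING wrapping RSAPublicKey
    key, _ = _tlv(bits[1:], 0, 0x30)   # skip the unused-bits byte
    modulus, _ = _tlv(key, 0, 0x02)    # first INTEGER is the modulus
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(txt):
    """Validate a DKIM key record given as export text or quoted DNS answer."""
    chunks = re.findall(r'"([^"]*)"', txt)  # quoted chunks are concatenated as-is
    pairs = [t.partition("=") for t in ("".join(chunks) or txt).split(";")]
    tags = {n.strip(): "".join(v.split()) for n, sep, v in pairs if sep}
    ktype, p, bits, problems = tags.get("k", "rsa"), tags.get("p", ""), 0, []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    try:
        key = base64.b64decode(p, validate=True)
        bits = len(key) * 8 if ktype == "ed25519" else rsa_modulus_bits(key)
    except ValueError as exc:  # bad base64 or malformed DER
        problems.append("p= unusable: %s" % exc)
    ok = bits == 256 if ktype == "ed25519" else ktype == "rsa" and bits >= 1024
    if not ok:  # Ed25519 keys are 32 raw bytes; RFC 8301 rejects RSA below 1024 bits
        problems.append("unsupported key type or size: k=%s, %d bits" % (ktype, bits))
    return {"k": ktype, "bits": bits, "p": p, "problems": problems}
```

Run it on the content of the exported text file and on the output of the TXT lookup; both results should be identical, with an empty problem list, before the selector is activated.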

Enable DKIM outbound

Once the DNS TXT records are in place, enable or update your configuration.

One or more active selectors are configured via notes.ini

set config,rsa20240210

In the next step enable DKIM signing

set config RouterDKIMSigning=1

And finally restart the router task to enable DKIM outbound signing

restart task router

Verify DKIM outbound

Before enabling DKIM, there are a couple of tools you could use to verify your DNS TXT entries are OK.

One of the tools to check your configuration is

A final test is to send a mail to another mail server with inbound DKIM enabled.

Here is the authentication-results header for a mail received:

Authentication-Results: 1;

spf=pass (sender IP;

dkim=pass header.s=ed20240210;

dkim=pass header.s=rsa20240210

Finally here is a screen print of the keys in credstore.nsf

Image:Enable DKIM  for Domino

1 Thorsten Ebers  11.02.2024 19:59:38  Enable DKIM for Domino

Hi Daniel, why export the private key? Is it not the public key?

br Thorsten

2 Daniel Nashed  12.02.2024 9:11:40  Enable DKIM for Domino

@Thorsten, ooops good catch. Written too fast ..

Of course this is the public key info.. Thanks! Corrected


