Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

Daniel Nashed

 

Enable DKIM for Domino

Daniel Nashed  10 February 2024 19:23:27



- DKIM inbound is supported starting with Domino 12.0.1

- DKIM outbound is supported starting with Domino 12.0.2


The big mail providers are now raising the bar for senders and increasingly expect mail to be DKIM signed.

This is not only relevant for mass mailing; ordinary server-to-server mail is affected as well.


Here is a short write-up on enabling DKIM signing with RSA and Ed25519 keys.


-- Daniel



Inbound DKIM verification is just a setting in the server configuration document.

Outbound DKIM requires a signing key. RSA and Ed25519 keys are supported in parallel. Since not every receiving server can verify Ed25519 signatures yet (RFC 8463), it's a good idea to enable both key types; each outgoing mail is then signed twice, once per selector, and a verifier that only understands RSA still gets a valid signature.


A 1024-bit RSA key works for DKIM signing and is what the example below uses. RFC 8301 requires verifiers to accept 1024-bit keys but recommends 2048 bits for signers; a 2048-bit public key makes the TXT value longer than 255 characters, so it has to be published as several quoted strings, which most DNS providers support.

There is no UI for enabling outbound DKIM. The process is not complicated, but it requires creating DNS TXT records.


Before you can create keys with the Domino server keymgmt commands, make sure a credential store has been set up.

The data in credstore.nsf is encrypted with a named encryption key (NEK), so that key has to exist before the credential store is created.



Create credstore.nsf key and database


keymgmt create nek nashcom

keymgmt create credstore nashcom



Create signing keys


keymgmt create DKIM nashcom.de ed20240210 ed25519

keymgmt create DKIM nashcom.de rsa20240210 rsa 1024



Export keys


Next, export the public key information for each selector into a text file.


keymgmt export DKIM DNS nashcom.de ed20240210 nashcom_de_ed20240210.txt

keymgmt export DKIM DNS nashcom.de rsa20240210 nashcom_de_rsa20240210.txt



Create DNS text records


Each exported text file contains the value of the DNS TXT record, which you publish at your DNS provider.


The name of the DNS TXT record is the selector plus "._domainkey." followed by the domain, as shown in the following examples.


host -t txt ed20240210._domainkey.nashcom.de

v=DKIM1; k=ed25519; p=eJoyGyVtGTJOgdmqOvomT+cktetdLShd3ZmoG0oU/2g=;



host -t txt rsa20240210._domainkey.nashcom.de

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCs/Fs2ZrnS+i247pZgJszL9epUbapmZ4z3QEcLVoGNkPs6Ci8/XKqL5u0mvOZa0RY2I8NOloN71fVZtulL664rTUNfFd4p0PfwDGVLDKoDaZt5c/fE0Wu8uRbp77yAMpewqj9XrgJ5zERa8vi+QKHrF3ccugEVAd3Ofq5kaUGXiwIDAQAB;



Make sure the DNS records are in place and have propagated before you enable signing.

This is just as important when you rotate your DKIM keys.


The selector is written into the DKIM-Signature header of every outgoing mail.

The receiving server uses the selector to look up the public key in DNS.


Therefore the new public key must already be published before the new selector is used for signing: always create the new keys first, publish their TXT records, wait until they have propagated in DNS, and only then switch the active selector. Keep the old selector's TXT record published for a while after the switch, because mail signed with the old key may still be queued or in transit.



Enable DKIM outbound


Once the DNS TXT records are in place, enable or update your configuration.

One or more active selectors per domain are configured via notes.ini:


set config DKIM_KEY_nashcom.de=ed20240210,rsa20240210


Next, enable DKIM signing:


set config RouterDKIMSigning=1


Finally, restart the router task so that outbound DKIM signing takes effect:


restart task router



Verify DKIM outbound


Before enabling signing, there are a couple of tools you can use to verify that your DNS TXT records are correct.

One of the tools to check your configuration is https://mxtoolbox.com/dkim.aspx
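The following Python script is an added example, not code from this post or from Domino. It does offline what the online checkers do for the record format: it parses a DKIM TXT value, validates the tags, decodes the public key and reports key type and size, so you can sanity check the exported files before publishing them and before switching the active selector. It also splits long values into the 255-character strings a 2048-bit RSA record needs. The two record values are the ones shown above for nashcom.de; the function names are this example's own.

```python
import base64

# Taken from the two TXT records shown in this post (nashcom.de selectors).
DKIM_RECORDS = {
    "ed20240210._domainkey.nashcom.de":
        "v=DKIM1; k=ed25519; p=eJoyGyVtGTJOgdmqOvomT+cktetdLShd3ZmoG0oU/2g=;",
    "rsa20240210._domainkey.nashcom.de":
        "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCs/Fs2ZrnS+i247pZgJszL9epUbapmZ4z3QEcLVoGNkPs6Ci8/XKqL5u0mvOZa0RY2I8NOloN71fVZtulL664rTUNfFd4p0PfwDGVLDKoDaZt5c/fE0Wu8uRbp77yAMpewqj9XrgJ5zERa8vi+QKHrF3ccugEVAd3Ofq5kaUGXiwIDAQAB;",
}

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def dkim_record_name(selector, domain):
    """DNS name a verifier queries: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def parse_dkim_tags(txt):
    """Split a 'tag=value; tag=value' DKIM record into a dict (RFC 6376 tag-list)."""
    tags = {}
    for field in txt.split(";"):
        field = field.strip()
        if not field:
            continue
        if "=" not in field:
            raise ValueError(f"malformed tag: {field!r}")
        name, value = field.split("=", 1)
        tags[name.strip()] = value.strip()
    return tags


def _der_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Return the modulus size of an RSA SubjectPublicKeyInfo (what p= carries for k=rsa)."""
    tag, spki_body, _ = _der_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    tag, alg_id, pos = _der_tlv(spki_body, 0)          # AlgorithmIdentifier
    tag_oid, oid, _ = _der_tlv(alg_id, 0)
    if tag != 0x30 or tag_oid != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("SPKI algorithm is not rsaEncryption")
    tag, bit_string, _ = _der_tlv(spki_body, pos)      # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("unexpected BIT STRING")
    _, rsa_pub, _ = _der_tlv(bit_string[1:], 0)        # SEQUENCE { n INTEGER, e INTEGER }
    tag, modulus, _ = _der_tlv(rsa_pub, 0)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(txt):
    """Validate a DKIM TXT value and report key type and size.

    Returns a dict like {"k": "rsa", "bits": 1024, "revoked": False}.
    Raises ValueError for records a verifier would reject.
    """
    tags = parse_dkim_tags(txt)
    if "v" in tags and (tags["v"] != "DKIM1" or next(iter(tags)) != "v"):
        raise ValueError("v= must be DKIM1 and, if present, the first tag")
    if "p" not in tags:
        raise ValueError("p= tag is required")
    key_type = tags.get("k", "rsa")        # k= defaults to rsa per RFC 6376
    if tags["p"] == "":                    # an empty p= means the key was revoked
        return {"k": key_type, "bits": 0, "revoked": True}
    key = base64.b64decode(tags["p"], validate=True)
    if key_type == "rsa":
        bits = rsa_modulus_bits(key)
        if bits < 1024:
            raise ValueError(f"RSA key too small: {bits} bits (RFC 8301 minimum is 1024)")
    elif key_type == "ed25519":
        if len(key) != 32:                 # RFC 8463: p= is the raw 32-byte public key
            raise ValueError(f"Ed25519 key must be 32 bytes, got {len(key)}")
        bits = 256
    else:
        raise ValueError(f"unknown key type {key_type!r}")
    return {"k": key_type, "bits": bits, "revoked": False}


def split_txt_value(value, limit=255):
    """Split a TXT value into <=255-character strings (needed for 2048-bit RSA records)."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


if __name__ == "__main__":
    for name, txt in DKIM_RECORDS.items():
        print(name, check_dkim_record(txt))
```

Run the script against the exported .txt files before you publish them; a record that fails here will fail at the receiving side too, and a result with "revoked" set is what you want to see for a selector you have retired.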

The final test is to send a mail to another mail server with inbound DKIM verification enabled and look at the Authentication-Results header it adds.

Here is the header of a mail received by such a server; it shows an SPF pass and a DKIM pass for each of the two selectors:


Authentication-Results: lab.dnug.eu 1;

spf=pass smtp.mailfrom=xyz@nashcom.de (sender IP 157.90.30.24);

dkim=pass header.s=ed20240210 header.d=nashcom.de;

dkim=pass header.s=rsa20240210 header.d=nashcom.de
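As an added example (not code from this post or from Domino), here is a small Python parser for the Authentication-Results header shown above. Beyond checking that both selectors pass, it checks that the signing domain (header.d) aligns with the domain of the RFC5322.From address, which is what DMARC evaluates and what goes wrong when a mail-in database sends with a From address in a different domain. The header text is the one quoted above; the From line, the function names and the relaxed-alignment shortcut (parent/child domain match without a Public Suffix List lookup) are this example's own assumptions.

```python
import re

# Constructed for this example: the Authentication-Results header quoted in
# this post plus a From line (the display name is a placeholder).
SAMPLE_HEADERS = """\
Authentication-Results: lab.dnug.eu 1;
 spf=pass smtp.mailfrom=xyz@nashcom.de (sender IP 157.90.30.24);
 dkim=pass header.s=ed20240210 header.d=nashcom.de;
 dkim=pass header.s=rsa20240210 header.d=nashcom.de
From: Example Sender <xyz@nashcom.de>
"""


def unfold_headers(raw):
    """Unfold RFC 5322 headers: continuation lines start with whitespace."""
    headers = []
    for line in raw.splitlines():
        if not line:
            continue
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_authentication_results(value):
    """Parse an Authentication-Results value (RFC 8601) into authserv-id and result stanzas."""
    value = re.sub(r"\([^)]*\)", "", value)          # drop comments like (sender IP ...)
    head, *stanzas = [s.strip() for s in value.split(";")]
    authserv_id = head.split()[0]                    # an optional version number follows it
    results = []
    for stanza in stanzas:
        if not stanza:
            continue
        tokens = stanza.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append({"method": method, "result": result, "props": props})
    return {"authserv_id": authserv_id, "results": results}


def passing_dkim_domains(auth):
    """header.d values of every dkim=pass stanza, one per verified signature."""
    return [r["props"].get("header.d", "") for r in auth["results"]
            if r["method"] == "dkim" and r["result"] == "pass"]


def from_domain(headers):
    """Domain part of the RFC5322.From address (the user-visible sender)."""
    from_value = dict(headers)["From"]
    match = re.search(r"<([^>]+)>", from_value)
    addr = match.group(1) if match else from_value.strip()
    return addr.rsplit("@", 1)[1].lower()


def domains_aligned(signing_domain, rfc5322_from_domain, strict=False):
    """DMARC-style identifier alignment.

    Assumption: relaxed mode here treats any parent/child domain relation as
    aligned; a real DMARC implementation compares organizational domains
    using the Public Suffix List.
    """
    d, f = signing_domain.lower(), rfc5322_from_domain.lower()
    if d == f:
        return True
    if strict:
        return False
    return f.endswith("." + d) or d.endswith("." + f)


def dkim_aligned(raw_headers, strict=False):
    """Return the header.d values that both passed verification and align with From."""
    headers = unfold_headers(raw_headers)
    ar_value = next(v for n, v in headers if n.lower() == "authentication-results")
    auth = parse_authentication_results(ar_value)
    fdom = from_domain(headers)
    return [d for d in passing_dkim_domains(auth) if domains_aligned(d, fdom, strict)]


if __name__ == "__main__":
    print(dkim_aligned(SAMPLE_HEADERS))
```

For the header above both signatures pass and align. Swap the From address for one in another domain and the list comes back empty, even though both dkim=pass results are still there: that is the situation where a DMARC policy of the From domain would fail the mail.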



Finally, here is a screenshot of the keys in credstore.nsf:


Image:Enable DKIM  for Domino
Comments

1 Thorsten Ebers  11.02.2024 19:59:38  Enable DKIM for Domino

Hi Daniel, why export the private key? Is it not the public key?

br Thorsten

2 Daniel Nashed  12.02.2024 9:11:40  Enable DKIM for Domino

@Thorsten, oops, good catch. Written too fast ...

Of course this is the public key info. Thanks! Corrected.

3 Anja  26.02.2024 7:42:13  DKIM for Domino with Lets encrypt

Hi Daniel,

Many thanks for your detailed explanation. However, it is not yet clear to me if I need to manually update the DNS each time our Let's Encrypt certificate is updated.

We configured the certificate updates in the certstore.nsf and added the authorization token of our DNS provider (Cloudflare) there also. Now I would expect that Domino would update the DKIM key on the server and in the DNS automatically after updating the Let’s Encrypt certificate, but this seems not to happen.

After the initial DKIM configuration everything was working correct and now mxtoolbox tells me that the DKIM header is missing and the servers (cluster) have multiple error messages in the log about wrong keys etc.

How can I fix this? Do I always need to manually follow the whole process described in your post again after the Let's Encrypt certificate is automatically updated?

Sorry for this long comment but I am somehow lost :-(

Anja

4 Daniel Nashed  26.02.2024 14:24:08  DKIM for Domino with Lets encrypt

Hi Anja,

DKIM keys and TLS credentials for a Domino server for HTTPS, SMTPS etc. are completely different animals.

TLS Credentials are a private key and a certificate + chain.

DKIM keys are private keys on your end and public keys published to a DNS record.

By coincidence, the ACME protocol also uses DNS TXT records for confirming DNS-01 challenges.

Great that the Cloudflare integration works for you!

-- Daniel

5 Ralf Kühnbaum-Grashorn  11.03.2024 16:47:46  Enable DKIM for Domino

Hi Daniel,

what about DKIM alignment for mail-in databases sending with email addresses in different domains?

Since:

In order for an email to be considered DKIM aligned, the authenticated signing domain of at least one of the DKIM keys in the email headers must match the user-visible From address of the email (also known as the RFC5322.From).

Obviously Domino does not align to the FROM field but rather to the SENDER field, containing the Internet address of the sending Notes user. The DKIM key of this domain is used instead of the address in the FROM field (which matters exclusively).

Any idea to get this running? I read the HCL documentation up and down. It succeeds with alternate FROM addresses within subdomains of the Internet address domain, but not with totally different ones (differing in the domain part of the address, right-hand side of the @ sign).

Thanks for your wonderful, inspiring and helpful blog. As a relative newbie in the Domino world it helped me get around the stumbling blocks that occurred.

Regards

Ralf
