You are here: Email Marketing / EmailLabs > Setting Up and Using DKIM/DomainKeys > DKIM/DomainKeys Overview

DKIM/DomainKeys Overview

Only Administrators with the Edit Global Email Settings permission can set up and edit DKIM/DomainKeys. For information about permissions, see Changing User Permissions.


For information about setting up DKIM/DomainKeys in Lyris HQ, see Setting Up and Using DKIM/DomainKeys in Lyris HQ. For information about setting up DKIM/DomainKeys in EmailLabs, see Setting Up and Using DKIM/DomainKeys in EmailLabs.

What is DKIM/DomainKeys?

DomainKeys is an email authentication system that email providers use to verify that a message came from you and was not altered by anyone along the way.

DKIM is very similar in functionality to DomainKeys, with enhancements that provide more flexibility and security.

Lyris uses both DomainKeys and DKIM for compatibility with more email systems.

Why use DKIM/DomainKeys?

Using DKIM/DomainKeys is one of several ways to ensure that your messages are delivered to recipients' in boxes and to reduce the chance that someone will impersonate your domain and use it for fraudulent purposes, such as spam and phishing attacks.

How does DKIM/DomainKeys work?

DKIM/DomainKeys uses a digital signature to identify and verify your domain.To accomplish this, DKIM/DomainKeys creates a private key for signing messages and a matching public key for verifying that signature. The private key is stored in your outbound email server, and the public key is published in Domain Name Server (DNS).

When you send a message, your email system:

1. Creates the private/public key pair.

2. Assigns the key pair to a selector.

Tip: For more information about selectors, see What are selectors?

3. Uses the private key to generate a digital signature for the message.

4. Creates the DomainKey-Signature: header and adds the signature to that header.

5. Sends the message to the recipient's email system.

The receiving email system:

1. Retrieves the public key from DNS.

2. Verifies that the signature was generated by the matching private key.

If the keys match, the messages passes the signature test. This proves that the email was truly sent from your domain and wasn't altered along the way. After the message passes the signature test, and if other anti-spam tests don't catch it, the email system delivers the message the recipient's inbox. If the message fails the signature test, the email system can drop, flag, or quarantine the message.

What are selectors?

A selector is the name of the public/private key pair used to sign messages. You can create several selectors for each domain, but your email system will use only one of them, called the master selector, to sign messages.

Why use multiple selectors?

For security reasons, you might want to periodically change your selector, similar to the way you periodically change your passwords. However, if you remove a selector and create a new one, messages that use the existing selector will fail the signature test. For example:

You use the s2010a selector for messages you send in 2010. On January 1, 2011, you create a new selector, s2010b for messages you send in 2011.

You send a message on December 31, 2010, but some recipients might open the message after January 1, 2011. If you remove the s2010a selector, the email system will no longer consider s2010a a valid key and the message will fail the signature test. However, if you keep the s2010a selector and set the s2010b as master, messages with both s2010a and s2010b selectors will pass the signature test.

How do you set up DKIM/DomainKeys?

If you are using the default Lyris HQ address (for example, ) your messages are automatically signed with DKIM/DomainKeys and you do not need to do anything.

If you are using your own address (for example, or an address set up with domain masking (for example,, you need to set up DKIM/DomainKeys for each domain. When you select a domain, Lyris HQ creates the public/private key pair and a selector. You then need to publish the selector to DNS.

Tip: For instructions for setting up DKIM/DomainKeys, see Setting Up and Using DKIM/DomainKeys in Lyris HQ and Setting Up and Using DKIM/DomainKeys in EmailLabs.

What do you want to do?

Set up DomainKeys using Lyris HQ

Set up DomainKeys using EmailLabs