Simple Deployment

This approach will work for pretty much everyone who sends mail for themselves, rather than on behalf of other people. That includes companies and consumer ISPs. Only one token is attached to each email, identifying the sender.

We’ll use a company with the domain name as an example.

Use your domain name, e.g., as the token all email is signed with.

Choose a selector based on the month and the company name, e.g. feb2009.zebra.

Generate a key pair, as described in section 1 of the specification, then add a single TXT record to your main DNS servers. That TXT record will be for and the content will be as described in section 2 of the specification. The wizard at can help with this step.

Attach a single token to each outbound email. If you’re using a DKIM signer with no DKIM Core interface to do that, see here.

If you need to add additional tokens (to support a third-party service, perhaps) they can be added independently either before or after the process described above.

If you need to update the key pairs used to sign mail, either because they may have been compromised or because you just want to update them regularly, you can do that fairly easily. Create a new key pair and a new selector for each customer, e.g. feb2009a.zebra or mar2009.zebra, and add that to your main DNS server. Start using those keys to send email. After a few days, when you’re sure all the mail sent using the old key has been delivered, simply remove the old keys from your nameservers.
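The selector naming, TXT record and rotation steps above can be sketched in Python; this is an added example, not code from the DKIM Core project. It builds the record for a public key and picks a fresh selector at rotation time, splitting the content into 255-byte strings as DNS requires for 2048-bit keys. Assumptions: the domain example.com is a placeholder, the function names are hypothetical, the key is a constructed stand-in, and the record content follows the RFC 6376 key record form (section 2 of the specification remains authoritative).

```python
import base64
from datetime import date

MONTHS = "jan feb mar apr may jun jul aug sep oct nov dec".split()

def selector_for(day, company, in_use=()):
    """Month-based selector (feb2009.zebra); adds a, b, ... if already in DNS."""
    base = f"{MONTHS[day.month - 1]}{day.year}"
    for suffix in [""] + list("abcdefghijklmnopqrstuvwxyz"):
        candidate = f"{base}{suffix}.{company}"
        if candidate not in in_use:
            return candidate
    raise ValueError("no unused selector left for this month")

def txt_record(selector, domain, pem_public_key):
    """Return (owner name, TXT strings, zone-file line) for one public key."""
    b64 = "".join(line.strip() for line in pem_public_key.splitlines()
                  if line.strip() and not line.startswith("-----"))
    base64.b64decode(b64, validate=True)  # raises if the key was mangled in copy/paste
    content = f"v=DKIM1; p={b64}"
    # A single TXT character-string holds at most 255 bytes; longer keys are
    # published as several strings that verifiers concatenate.
    strings = [content[i:i + 255] for i in range(0, len(content), 255)]
    name = f"{selector}._domainkey.{domain}."
    rdata = " ".join(f'"{s}"' for s in strings)
    return name, strings, f"{name} IN TXT ( {rdata} )"

def stand_in_pem(der_len=294):
    """Constructed placeholder, NOT a real key: 294 bytes is the size of a
    2048-bit RSA SubjectPublicKeyInfo, so the record length is realistic."""
    b64 = base64.b64encode(bytes(i % 256 for i in range(der_len))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

if __name__ == "__main__":
    published = set()
    first = selector_for(date(2009, 2, 10), "zebra", published)
    published.add(first)
    print(txt_record(first, "example.com", stand_in_pem())[2])
    # Rotation: publish the new selector alongside the old one, then switch signing.
    print(selector_for(date(2009, 2, 20), "zebra", published))  # same month
    print(selector_for(date(2009, 3, 1), "zebra", published))   # next month
```

Keep the old selector in the published set until its record has been removed from DNS, so a retired name is never reused for a different key while old mail may still be verified.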