Mail for domain

DKIM signature

With a DKIM signature, the email recipient can verify that the message really came from the supposed sender.

To set up a DKIM signature for messages sent from your domain, you just need to create a TXT record for your domain with a public key signature. To sign messages that you send using servers other than Yandex servers, you also need a TXT record with a secret key. You need to configure it on the server that email is sent from.

If you delegated your domain to Yandex, the DKIM signature and the public key are set up automatically. You can view it and edit its parameters in the DNS editor in Yandex.Mail for Domain.

You can get the values of both public and private keys using the API (only the public key can be accessed in the Yandex.Mail for Domain interface). To manage TXT records, you can usually go to the DNS management page on your DNS hosting company's website.

General instructions for setting up the DKIM signature

  1. Get the TXT record with the public key in Yandex.Mail for Domain:

    1. Open the My domains page. Click the link with the name of the domain. Domain ownership must be confirmed.

    2. In the right column on the page, find the section DKIM digital signature and click Display record content. This section might not be shown if the DKIM signature has already been set up. In this case you can view the public key in the record value in the DNS editor.

      The record consists of three parts:

      • The record name (“mail_domainkey”). In some control panels, you need to specify the full subdomain name, such as "mail._domainkey.yourdomain.tld".

      • DKIM parameters:

        v=DKIM1;
        k=rsa;
        t=s;
        p=MIGfMA0GCSEBtaCOteH4EBqJlKpe...

        The p parameter contains the public DKIM key.

      • The domain (“DKIM key mail for yourdomain.tld”).

  2. Copy the record contents.

  3. Open the DNS editing page in the control panel on your DNS hosting company's website.

  4. Create a TXT record with the following field values:

    • Name — “mail._domainkey”. In some DNS control panels, you also need to specify the domain for the public DKIM key, such as “mail._domainkey.yourdomain.tld”.

    • Value — The parameters of the DKIM with the public key obtained in Yandex.Mail for Domain.

      For example, “v=DKIM1; k=rsa; t=s; p=MIGfMA0GCSEBtaCOteH4EBqJlKpe...”.

    To sign messages sent from non-Yandex servers, you also need to get a private key (for our service, the only way to do this is using the Yandex.Mail for Domain API). When you get the key, you must enter it on the server that is used for sending email.

  5. Wait while the changes take effect in DNS. This process may take up to 72 hours.