Configure outbound DKIM

Domain Key Identified Mail or DKIM verifies that email is from the domain-configured source and has not been changed in transmit. By configuring DKIM outbound it will increase your domain reputation with different providers.

Email Security comes with a System Message Rule called Apply DKIM. Although this Rule is enabled by default, outbound messages won't be signed unless you have configured outbound DKIM, by following the steps below.
Each domain covered by Email Security will have its own key, so each domain will need to be configured before it can be DKIM-enabled.

Enabling DKIM for all domains

  1. Obtain the Public certificate details for a domain

Visit your USS Dashboard and click ProductsE-mail SecurityProduct ConfigurationDomains. Click the icon next to the domain you wish to configure.

The full DKIM key will be shown.

  1. Create a DNS TXT record for the domain.

You need to create a txt record for ussems._domainkey.<your domain>. Here is an example of what should be seen on a nslookup. This entry should match the entry found in Step 1.

You'll need to complete Steps 1 and 2 for all the domains on your account and then wait for the domain TTL to expire.
  1. Return to the Domains section and click Verify and Enable DKIM button. The DKIM status will be updated to Success if the DKIM key can be verified against the domain DNS. At least one domain must have DKIM verified in order to enable DKIM on your account.
If you remove all DKIM verified domains, or wish to disable DKIM on your account please remember to Verify DKIM again. If no domains can be verified then DKIM will be fully disabled.

Enabling DKIM for specific domains

If you want outbound mail to be DKIM-signed for some, but not all, of the domains on your account, follow the steps below.

  1. Create a set of Custom Rule Data. Name it "DKIM Signing", and add each domain that should be signed as a separate line.
  1. Create a new Message Rule. Name it "Apply DKIM Signing", and add the following elements:



Final Actions

Direction: Matches Outbound

DKIM Enabled: Matches True

Sender: Matches DKIM Signing

Sender: Does Not Match DKIM Exclusions (optional)

DKIM Signing: RSA Key


  1. Move the rule to top of the Message Rules list (drag and drop) to give it Priority 1.
  1. Disable the System Message Rule called (Default) Apply DKIM signing. Click the toggle, and then click next to (Default) Apply DKIM Signing to switch the Rule to off.

How did we do?