I have an internet domain name that is currently not used for mail. Various articles on the web suggest creating DNS records to protect the domain name from spoofing, phishing, etc. One piece in particular is causing me difficulty: a TXT record for DomainKeys Identified Mail (DKIM). The record should have a name of "*._domainkey" and the following value: "v=DKIM1; p=". My domain registrar does not seem to allow the necessary name. As soon as I type the first two characters (i.e., "*."), the DNS web interface marks the entry as invalid. The alert does not occur with an asterisk by itself. When I add the period, the alert occurs. Is it possible that some registrars do not allow wildcard records? One solution is to transfer DNS management to Cloudflare, which I would prefer not to do. What are the possible consequences of setting records for SPF and DMARC and omitting DKIM?
You can omit DKIM (but it's not recommended) and use SPF/DMARC. If there is no DKIM record for your domain, some systems may treat your messages as "probably spam". SPF (at least) is strongly recommended! Try to create a mail._domainkey TXT record, not *._domainkey. "mail" is a selector. Generally you can use any selector you want, but it must correspond to the s= field in your outgoing messages. You may want to read more about DKIM and how it works: https://powerdmarc.com/what-is-dkim/
Our email provider does not even offer DKIM but definitely set up your SPF records. I have mine collecting reports so we can see who is trying to spoof us. It's amazing how many people in CN and RU are trying to use our email domains.
Thanks for the input so far. I think what I'm trying to do is a little out of the ordinary: create a DKIM record that is a recognized (or recognizable) placeholder. Perhaps that's why people suggest using a wildcard instead of an explicit name such as the one suggested by Dmitry_rus: "mail._domainkey". I should emphasize, as noted: the domain name in question is not involved with sending and receiving mail. There will be no outgoing messages in which to use the "s=" field appropriately. Again, this might be the reason why a wildcard is required. Is it common these days for mail hosts to not offer DKIM?
If you're not sending email, I would think DKIM is not worth setting up. It's a digital signature that verifies the email hasn't been tampered with. If you're not sending, it has no effect that I am aware of. SPF/DMARC should be enough to stop others from spoofing your domain and getting away with it. Set that up and set it to have email that doesn't originate from your host deleted. I'm not sure how common it is to offer/not offer DKIM; it seems a mixed bag. Our provider does not. They claim they will add it later.
This is what Fastmail writes about the necessity of DKIM: https://www.fastmail.help/hc/en-us/articles/4627098536207-Why-do-I-need-DKIM-
xxJackxx, you might be right that getting my DKIM record set correctly will make no difference. XIII, I agree DKIM is important. For a domain name that does send mail, I strongly prefer having it enabled correctly.
You should create two TXT records for your domain in your DNS: SPF and DMARC.

SPF:
v=spf1 -all

It's important to note that you need to create a separate record for each subdomain, as subdomains don't inherit the SPF record of their top-level domain.

DMARC (name: _dmarc):
v=DMARC1; p=reject; adkim=s; aspf=s
Thanks. That's how I did it. The only thing I did differently was add the following for DMARC: "sp=reject". Does each subdomain get its own DMARC record and SPF record?
You shouldn't use the sp tag unless you have several subdomains with their own (different) policy. If the organizational domain has a DMARC record with a policy (p tag) but no subdomain policy (sp tag), while the subdomain(s) don't have a DMARC record, the subdomain(s) inherit the organizational domain's p policy. SPF policies do not automatically get inherited by subdomains. https://powerdmarc.com/do-i-need-spf-for-subdomains/ https://dmarcly.com/blog/how-dmarc-works-with-subdomains-dmarc-sp-tag
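The two inheritance rules discussed in the last few posts (SPF is per-name and is not inherited by subdomains; DMARC falls back from the subdomain to the organizational domain's record, where sp= overrides p= for subdomains) are easy to get wrong when reading a DNS console. The following is an added example, not code from any poster in this thread: a small offline checker that evaluates a constructed set of TXT records the way a receiver would. The zone data, the example.org names and the two-label approximation of the "organizational domain" are assumptions made for the example (real receivers consult the Public Suffix List); the wildcard matching is also simplified to a single leftmost label. It also shows why a wildcard selector record with an empty p= reads as a revoked key for any selector a spoofer might claim.

```python
"""Offline check of a 'no-mail domain' DNS setup: null SPF, reject DMARC,
and a wildcard DKIM record with an empty public key. Nothing is queried over
the network; ZONE below is constructed sample data for this example."""

# Constructed TXT records keyed by owner name, as they would appear in a zone.
# "*." is the wildcard owner name the original poster's registrar UI rejects.
ZONE = {
    "example.org": ["v=spf1 -all"],
    "_dmarc.example.org": ["v=DMARC1; p=reject; adkim=s; aspf=s"],
    "*._domainkey.example.org": ["v=DKIM1; p="],
    # A subdomain with its own null SPF record but no DMARC record of its own.
    "shop.example.org": ["v=spf1 -all"],
}


def lookup_txt(zone, name):
    """Return TXT strings for `name`: exact match first, then a wildcard that
    covers exactly one leftmost label (a simplification of RFC 4592 matching)."""
    if name in zone:
        return zone[name]
    labels = name.split(".")
    if len(labels) > 1:
        wildcard = "*." + ".".join(labels[1:])
        if wildcard in zone:
            return zone[wildcard]
    return []


def parse_tags(record):
    """Parse a 'tag=value; tag=value' list (DKIM and DMARC syntax) into a dict.
    Empty values are kept, so 'p=' in a DKIM record parses to ''."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(name):
    """Assumed two-label organizational domain (real receivers use the PSL)."""
    return ".".join(name.split(".")[-2:])


def spf_is_null(zone, name):
    """True only if `name` itself publishes 'v=spf1 -all' (no senders at all).
    A subdomain without its own record gets False: SPF is not inherited."""
    for rec in lookup_txt(zone, name):
        if rec.lower().startswith("v=spf1"):
            return rec.split()[1:] == ["-all"]
    return False


def dmarc_policy(zone, name):
    """Policy that applies to mail with an RFC5322.From of `name`.
    Own _dmarc record wins; otherwise the organizational domain's record
    applies, with sp= (if present and non-empty) overriding p= for subdomains."""
    own = [r for r in lookup_txt(zone, "_dmarc." + name)
           if r.upper().startswith("V=DMARC1")]
    if own:
        return parse_tags(own[0]).get("p")
    org = organizational_domain(name)
    if org == name:
        return None  # organizational domain with no DMARC record at all
    org_recs = [r for r in lookup_txt(zone, "_dmarc." + org)
                if r.upper().startswith("V=DMARC1")]
    if not org_recs:
        return None
    tags = parse_tags(org_recs[0])
    return tags.get("sp") or tags.get("p")


def dkim_key_is_revoked(zone, selector, domain):
    """True if the selector resolves to a DKIM record whose p= is empty
    (RFC 6376 treats that as a revoked key), False if a key is published,
    None if there is no DKIM record for that selector at all."""
    for rec in lookup_txt(zone, f"{selector}._domainkey.{domain}"):
        tags = parse_tags(rec)
        if tags.get("v", "DKIM1").upper() == "DKIM1" and "p" in tags:
            return tags["p"] == ""
    return None


def audit(zone, domain):
    """Summarize what a receiver would conclude for `domain`."""
    return {
        "spf_null": spf_is_null(zone, domain),
        "dmarc_policy": dmarc_policy(zone, domain),
        "dkim_any_selector_revoked": dkim_key_is_revoked(zone, "anything", domain),
    }


if __name__ == "__main__":
    for name in ("example.org", "shop.example.org", "blog.example.org"):
        print(name, audit(ZONE, name))
```

Running it against the constructed zone shows the asymmetry the posters describe: blog.example.org still resolves to the parent's p=reject DMARC policy, but reports no null SPF because it has no record of its own, and only example.org itself answers a DKIM selector query through the wildcard.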