How DKIM Works With Subdomains?

We will go over how DKIM works with subdomains in this article.

How DKIM works in the subdomain scenario?

If you want to send an email from a subdomain, like bob@marketing.acmecorp.com, you will need to create a private/public key pair for DKIM, save the private key on the sending server, and publish the public key on the subdomain in the DNS so that it becomes accessible to the receiving server.

Before an email message leaves the sending server, the server uses the private key to generate a signature and insert it into the message along with the DKIM selector used for the signature.

After the receiving server receives the message, it extracts the subdomain and the DKIM selector from the message, uses them to fetch the public key from the DNS, then performs DKIM verification as in the domain scenario.

How to publish an DKIM record on a subdomain

Publishing an DKIM record on a subdomain is very similar to that on an organizational domain. All you need is to create a TXT record on that subdomain:

selector._domainkey.subdomain IN TXT    "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQChO2bjcaTip6yeIZ0BDQ70YH+fzqqVeIOztZFQ8kZFqUSDwBhh3aad/3kGH95OQZyXCMv0DmrHa9z99c7p7VnOBtrZ6vkEv84kLabsNL//ABydUbxFT+8SSc0EJxXL6k9S3NEvbL+5rJGjcAtWMJSxj9rOZ79C8AoJEKVnk2m9awIDAQAB"

For example, here is how you publish the DKIM record under selector dkim on subdomain mail.dmarcly.com on CloudFlare: