0

I'd like to set up a DKIM record on GoDaddy shared hosting with cPanel (I don't want to move the DNS server). Normally cPanel makes creating DKIM records trivial, but in cPanel on a GoDaddy shared plan Email > Authentication is not available. Can I instead use public and private keys created using Email > Encryption? Would these keys work for DKIM? This poster seems to think so.

After creating the keys I tried to set up the DKIM record in the GoDaddy DNS control panel using:

Type: TXT
Name: default._domainkey
Data: v=DKIM1;p=mQENB....

Should the selector part in the name be something other than 'default', and if so, how do I determine what it is? Or should the Name simply be '@'?

For the Data field, should it be v=DKIM1 or v=DKIM? Should the private key hash be converted to base64? Either way, when I add the key, the string makes the record too long for the GoDaddy Data field, which returns an error.

How can I split the record? If I try encapsulating the record in double quotes and then splitting the key with 2x double quotes with a space in between, it gives the same error.

This post suggests that some have been successful (but maybe only on VPS and Dedicated hosting).

UPDATE: The DKIM record has been added in the DNS and it checks out ok on mxtoolbox.com, and the host says that it will work fine without the private key. Further related reading.

Nick
  • 11
  • DKIM could not possibly work without a private key. Period. It is actually used each time your server signs a message. You can perfectly well sign and not have a public key in the DNS, although this signature would be impossible to verify — this is what the link is about. Also, if you set up a DMARC policy which requires signing (which you should do), unverifiable mail will be rejected or at least considered spam by receiving parties. – Nikita Kipriyanov Jun 08 '23 at 08:05
  • Thank you Nikita for your clarification. I didn't believe it possible, but that's what support from a GoDaddy owned company were telling me. – Nick Jun 09 '23 at 08:18
  • Either you didn't understand them or they were mistaken. The link talks about the public key in DNS and not about a private key, so it doesn't contradict what I say. – Nikita Kipriyanov Jun 09 '23 at 16:06

1 Answer

1

The selector should match whatever you configured in the mail server that uses the corresponding private key to DKIM-sign outgoing mail.

For instance, if you configure some server to sign with the selector "abracadabra", it will create a DKIM signature with s=abracadabra in the header, so whoever wants to check the signature will know they need to look up the public key in the DNS record abracadabra._domainkey.example.com.
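The lookup described in the answer above, together with the record splitting asked about in the question, as an added example that is not part of the original posts. The header, the 392-character key body and all function names are constructed for illustration; the splitting relies on the DNS limit of 255 bytes per TXT character-string and on verifiers concatenating the strings before parsing.

```python
import re

def parse_tag_list(value):
    """Parse a DKIM tag=value list (used by both the header and the DNS record)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if not sep:
            continue  # empty segment after a trailing ';'
        # Folding whitespace is dropped; that is safe for s=, d=, v= and p=.
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_query_name(signature_value):
    """DNS name a verifier queries: <s= selector>._domainkey.<d= domain>."""
    tags = parse_tag_list(signature_value)
    return f"{tags['s']}._domainkey.{tags['d']}"

def txt_chunks(record, limit=255):
    """Split an ASCII record into character-strings of at most 255 bytes."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]

def zone_file_rdata(record):
    """Zone-file presentation form: quoted strings separated by a space.
    Web control panels differ in how they accept multi-string records."""
    return " ".join(f'"{chunk}"' for chunk in txt_chunks(record))

def reassemble(chunks):
    """What a verifier does: join the strings with no separator, then parse."""
    return parse_tag_list("".join(chunks))

# Constructed DKIM-Signature header value (bh= and b= are dummy base64).
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=abracadabra;\r\n"
       " h=from:to:subject; bh=Q09OU1RSVUNURUQ=; b=Q09OU1RSVUNURUQ=")

# Constructed placeholder key: 392 base64 characters, the size of a
# 2048-bit RSA public key, so the record exceeds one 255-byte string.
PUBKEY = "A" * 392
RECORD = "v=DKIM1; k=rsa; p=" + PUBKEY

if __name__ == "__main__":
    print("verifier queries:", dkim_query_name(SIG))
    print("string lengths:  ", [len(c) for c in txt_chunks(RECORD)])
    print("rdata:           ", zone_file_rdata(RECORD)[:60], "...")
```

The name printed first is the full owner name of the TXT record; a control panel that appends the zone name automatically takes only the `<selector>._domainkey` part.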