DKIM is an email authentication method designed to detect email spoofing. This protocol lets an organization (sending domain) take responsibility for a message that is in transit using a DKIM signature and also provides the receiver a means to validate a domain name identity that is associated with a message.  Both are achieved through cryptographic authentication and encryption.


  • Admin access to MPmail
  • For DKIM Signing (outgoing) : Access to edit your DNS host file.

IMPORTANT : Please allow 72 hours from DKIM enablement to the service becoming active.

The Process

If you already have DKIM signatures implemented, they will remain as is in the message header as the email passes through our relays.

Manage Protect offers DKIM Signing and DKIM Checking Services

By default, DKIM is not enabled, but it can be enabled at no additional cost. All you need to do is follow the steps below.

Enabling DKIM Checking for inbound mail

In the MPMail control panel, enter the domain in the scope selector, and go to Security Settings, Email Authentication and Enable 'Activate DKIM validation for incoming emails'

Logging of inbound email filtered by DKIM

Messages for which the DKIM signature does not match the corresponding entry in DNS will be quarantined. In the spam report and in the control panel, the affected emails are marked as spam and can be delivered as required.

In the MPMail Control Panel email details, in the Reason field, you will see 'dkim failure' if DKIM applies to a specific email.

Enabling DKIM Signing for outbound mail

To setup DKIM Signing, you must use a CNAME record to refer to the public key in Manage Protect's DNS:

Set the following CNAME record in the corresponding DNS zone of your domain and any alias domain(s) that relay outbound via MPmail:

  1. Add two new CNAME records:
    1. Enter hostname hse1._domainkey.DOMAIN.TLD
      (Enter your actual domain for DOMAIN.TLD)
    2. Point to
    3. Save the record
    4. Enter hostname hse2._domainkey.DOMAIN.TLD
      (Enter your actual domain for DOMAIN.TLD)
    5. Point to
    6. Save the record

For example, to set the records for, you would add
CNAME to point to AND

CNAME to point to

If you only want to use DKIM to check incoming emails (validate only), you do not need to set the CNAME record.

In the MPMail control panel, enter the domain in the scope selector, and go to Security Settings, Email Authentication. Confirm that the DKIM status for the domain has been checked successfully. The MPmail control panel only updates DNS every 24 hours, so you may need to wait for this to check successfully.

If so, you can enable 'Activate DKIM signature for outgoing emails'

Once activated, your outbound email will have a DKIM signature appended in the header as it passes through our relays. The ‘h’ tag will contain the following list of headers. These elements must remain unchanged while the email is in transit otherwise the DKIM signature will fail authentication.