ESET Online Help


DKIM Signing

DomainKeys Identified Mail (DKIM) signing is a method to secure outbound email messages and make verification easier. This method gives receiving mail servers an accurate way to distinguish genuine messages from spam.

DKIM authentication works the following way:

Outbound email message headers are signed with a DKIM private key.

The receiving mail server checks the DNS DKIM record, which contains the public key.

If the signature in the message headers verifies against the public key in the DNS DKIM record, the email is considered genuine and is delivered to the recipient(s).

If the signature and public key do not match, what happens to the email message depends on the receiving mail server's configuration (it may have specific rules in place; for example, ESET Mail Security uses the DKIM result rule condition for this purpose).

To use the ESET Mail Security DKIM Signing feature, ensure you have the DNS DKIM record configured for your domain. For details on creating a DKIM record, see the What is DKIM record and how to create it? article. The article also includes an example of a DKIM record. Also, you can try using an online DKIM Generator to generate DKIM private and public keys.

When done, we suggest you use the DKIM Record Checker or MXToolBox to verify that the public DKIM key is present and the syntax is correctly implemented.
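The syntax check described above can also be run locally against the TXT value before it is published. The following Python sketch is an added example, not ESET code: the function names are hypothetical, the sample record is constructed, and the rules it applies come from RFC 6376 (tag list syntax, `v=` placement, empty `p=` meaning a revoked key) and RFC 8463 (`k=ed25519`).

```python
import base64
import binascii

def dkim_record_name(selector, domain):
    """DNS name a receiver queries for the key: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"

def parse_tags(txt_strings):
    """Join TXT strings (DNS splits values over 255 bytes) into (tag, value) pairs."""
    pairs = []
    for part in "".join(txt_strings).split(";"):
        if not part.strip():
            continue  # a trailing ';' is allowed
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {part.strip()!r}")
        pairs.append((name.strip(), "".join(value.split())))  # drop folding whitespace
    return pairs

def check_record(txt_strings):
    """Return a list of problems; an empty list means the syntax is usable."""
    try:
        pairs = parse_tags(txt_strings)
    except ValueError as exc:
        return [str(exc)]
    names = [n for n, _ in pairs]
    tags = dict(pairs)
    problems = []
    if len(names) != len(tags):
        problems.append("duplicate tag")
    if "v" in tags and (names[0] != "v" or tags["v"] != "DKIM1"):
        problems.append("v= must be the first tag and equal DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unknown key type k={tags['k']}")
    if "p" not in tags:
        problems.append("missing p= (public key)")
    elif tags["p"] == "":
        problems.append("empty p= marks the key as revoked")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
    return problems

# Constructed sample: the p= value is placeholder bytes, not a real key.
SAMPLE_P = base64.b64encode(b"constructed placeholder, not a real key").decode()
GOOD = [f"v=DKIM1; k=rsa; p={SAMPLE_P}"]
SPLIT = [f"v=DKIM1; k=rsa; p={SAMPLE_P[:20]}", SAMPLE_P[20:]]
```

This checks syntax only; it does not confirm that the published key matches the private key in the certificate used for signing.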

Configure DKIM Signing in ESET Mail Security by specifying DKIM domains and a list of email headers to be signed. A DKIM signature is added to selected message headers. Each DKIM signature contains information that mail servers can use to verify an email message's authenticity as they pass it to the final destination. If you are using multiple domains for outbound messages, you can configure DKIM Signing for each domain separately.


Enable DKIM signing under Server > Integration in Advanced setup. For Agent priority setup, we recommend you keep the ESET DKIM Agent priority in last place, at the bottom, to ensure the headers are signed last after any modifications done by previous agents.

DKIM domains

Define settings for each domain for DKIM signing. Click Edit to open the DKIM domains window. Click Add to create New DKIM settings or Edit to modify existing ones.

Domain—Type in the domain (for example, domainname.local)

Selector—Specify a selector for a DKIM signature attribute; it is then recorded in the DKIM-Signature header field

Client certificate—Click Select and choose the client certificate used for DKIM signing


List of email headers to be signed

Click Edit to open the List of email headers to be signed window. Click Add to add new headers or Edit to modify existing headers in the list.