Article by on October 14, 2021, last modified on October 15, 2021

This will help you set up DKIM:

I also tried this one, but I don't think I used it:

This will help you set up an SPF record:

And, of course, if you need to check your DKIM you can use Gmail itself with this how-to:

And testing SPF:


1 - Create the private key

$ openssl genrsa -out 1024

2 - Create the public key

$ openssl rsa -in -pubout -out

Go to enter in values.

DKIM Signature

Setting up DKIM has two parts: (1) setting up your DNS record, and (2) modifying your mail sender to add DKIM signatures. DKIM is just a Public Key Infrastructure (PKI) protocol, similar to SSL certificates: you create a public and a private key, put the public key in a DNS record, and use the private key on your mail server to sign emails (the signature goes into an email header). Setting up the DNS record is easy; setting up the email signatures is hard.

This tool will help you create the DNS record: which helps you create your DKIM DNS record. Here is an image of what I used:

I'm not sure what DNS service you use, but it should allow you to create a "TXT" record. It should be key/value, so "TXT" for the key and the value is the big blob of text starting "v=DKIM...". After you've added your DNS record, you can then verify it at:

For example, under the "Check a published DKIM Core Key" section, type in "jp052013" as the selector and "" as the domain and it will show you a valid DKIM record. I'm not sure what the validation does exactly, but it ended up working. Here is an image of my validation:

So, all of THAT ^ was just for setting up your DNS record.

Now comes the hard part: getting your mail server to send DKIM signatures with emails. Mine was easy because I was sending email via a PHP script, so I just modified the PHP script. For you, you'll probably have to dig into forums for whatever mail daemon you're using or maybe even find a mailing list to get help.

Once that's all done, you can check to see if Google's or Hotmail's mail servers see the DKIM signature as valid by looking at the info Gmail/Hotmail gives you. Here's a screenshot of a valid signature coming from my mail server:

You can also look at the raw mail and see the validation for both the SPF and DKIM:

Received: by with SMTP id h3csp397948lfi;
Sat, 8 Nov 2014 16:27:27 -0800 (PST)
X-Received: by with SMTP id x102mr29397035qgx.69.1415492846964;
Sat, 08 Nov 2014 16:27:26 -0800 (PST)
Return-Path: <>
Received: from ( [])
by with ESMTPS id b1si24418801qcs.38.2014.
for <>
(version=TLSv1.1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
Sat, 08 Nov 2014 16:27:26 -0800 (PST)
Received-SPF: pass ( domain of designates as permitted sender) client-ip=;
spf=pass ( domain of designates as permitted sender);
Received: by (Postfix, from userid 33)
id D8D772FC710; Sat,  8 Nov 2014 19:27:25 -0500 (EST)
To: Joe Purcell <>
Subject: Visit to Cincinnati
X-PHP-Originating-Script: 33:class.phpmailer.php
DKIM-Signature: v=1; a=rsa-sha1; q=dns/txt; l=13058; s=jp052013;
t=1415492845; c=relaxed/simple;
Date: Sun, 9 Nov 2014 00:27:25 +0000 +0000
From: "Joseph D. Purcell" <>
Message-ID: <>
X-Priority: 3
X-Mailer: PHPMailer 5.2.4 (
MIME-Version: 1.0
Content-Type: multipart/alternative;

Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
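
The raw headers above can also be reviewed with a script instead of by eye. The following Python is an added example, not code from the original article: it reads the Received-SPF verdict and the DKIM-Signature tags, derives the DNS name where the public key has to be published (selector._domainkey.domain), and flags the a=rsa-sha1 and l= settings that appear in that header. The example.com/example.net names, the 192.0.2.10 address and the bh=/b= values are constructed placeholders; only the selector jp052013 and the tag values come from the page.

```python
import email

# Constructed sample modelled on the raw mail above. example.com/example.net,
# the 192.0.2.10 address and the bh=/b= values are placeholders, not page data.
RAW = """\
Received-SPF: pass (example.net: domain of a@example.com designates 192.0.2.10 as permitted sender) client-ip=192.0.2.10;
DKIM-Signature: v=1; a=rsa-sha1; q=dns/txt; l=13058; s=jp052013;
\tt=1415492845; c=relaxed/simple; d=example.com;
\th=From:To:Subject; bh=AAAA; b=BBBB
From: a@example.com
To: b@example.net
Subject: test

body
"""

REQUIRED = ("v", "a", "b", "bh", "d", "h", "s")  # mandatory tags, RFC 6376 sec. 3.5


def parse_tags(value):
    """Turn a folded 'tag=value; tag=value' list into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags


def review(raw):
    """Report the SPF verdict, the DNS name of each DKIM key, and weak settings."""
    msg = email.message_from_string(raw)
    words = (msg.get("Received-SPF") or "").split()
    spf = words[0].lower() if words else "none"
    key_records, findings = [], []
    for sig in msg.get_all("DKIM-Signature") or []:
        tags = parse_tags(sig)
        missing = [t for t in REQUIRED if t not in tags]
        if missing:
            findings.append("missing required tags: " + ",".join(missing))
        else:
            key_records.append(f"{tags['s']}._domainkey.{tags['d']}")
        if tags.get("a") == "rsa-sha1":
            findings.append("a=rsa-sha1 is retired by RFC 8301; sign with rsa-sha256")
        if "l" in tags:
            findings.append("l= limits the signed body; appended content is not covered")
    if not key_records:
        findings.append("no usable DKIM-Signature header")
    return {"spf": spf, "key_records": key_records, "findings": findings}


if __name__ == "__main__":
    print(review(RAW))
```

This only inspects what the header declares; it does not fetch the key from DNS or verify the signature itself, which the receiving mail server's Authentication-Results remain the reference for.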


SPF Record

SPF is just a TXT DNS record. You don't need to do anything on your server.
Microsoft had a great tool here:

but it no longer works. People are complaining about it here:

Instead, here are two wizards I found (but haven't used):

You might have to do some research to know what the inputs should be. But, they should be comparable to You can see what mine is by using a validator: (link no longer works, use instead)

Here is an image of my SPF validation:

Oct 2021 update: "PTR" should not be used:
