Outbound DKIM Signing - New Feature setup headaches

I am going to try and post this on the community hoping that it saves someone some time and headache. Sophos has finally just released the ability to sign outgoing mail with DKIM. The instructions are missing a very important piece of information. When you create the TXT record you must append the following to the “Name” field of the record that Sophos gives you:


It must include the period before _domainkey Your txt record "name" should look like sophos3253452435bunchofnumbersandletters3445._domainkey

I am also getting a false negative when validating the TXT record within the Central dashboard where you configure the DKIM key. It states that there is a mismatch but, that’s not correct. DKIM checkers using the selector and domain name show correct when checking the DNS. Once I activated the feature ignoring the dns mismatch error and sent test emails to mail-tester.com and mailtest@unlocktheinbox.com both tests confirm that the emails are being signed correctly.

**Also take note. If you have multiple domains, the key will remain the same, but you will have a different selector for each domain. This is the “Name” field. You can find this by going back to the domain list and then clicking on the  domain key link you will notice the “name” is different for each domain. You will need to create a TXT record for each domain.

  • Unfortunately, the Help in Central DKIM is not good. This will be fixed in the upcoming release to reflect your feedback.

    You are completely right, the DNS Settings need to be done like this. 

    The DNS Check should work? At least if you use it with the Selector, shown by Central: 



    At least this worked for most of us right now. 


    Whats your general Feedback about this Feature and the Handling of DKIM outbound? 

  • In reply to LuCar Toni:



    Thanks for the reply. I also would agree about the documentation hoping that it will save someone some frustration. 


    Selector is correct and all is working but, DNS check still fails for us. 


    Feedback is good so far. No issues other than the info to enable the feature and set up the TXT record. Something we have been waiting a LONG time for. In fact. I just installed a plugin 2 weeks ago to do DKIM signing on the exchange server itself. This was open source software and stopped working 2 days before I seen the announcement for this feature so it was very welcomed. I think this will help with email delivery. 



  • In reply to Michael Gates:



    I am so much missing this feature, but where did you find info on that, I cannot find it in central or in the docs??