# DKIM\_BUILDER DNSControl contains a `DKIM_BUILDER` helper function that generates DKIM DNS TXT records according to RFC 6376 (DomainKeys Identified Mail) and its updates. ### Examples #### Simple example {% code title="dnsconfig.js" %} ```javascript D("example.com", REG_MY_PROVIDER, DnsProvider(DSP_MY_PROVIDER), DKIM_BUILDER({ selector: "s1", pubkey: "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC5/z4L" }), ); ``` {% endcode %} This yield the following record: ``` s1._domainkey IN TXT "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC5/z4L" ``` #### Advanced example {% code title="dnsconfig.js" %} ```javascript D("example.com", REG_MY_PROVIDER, DnsProvider(DSP_MY_PROVIDER), DKIM_BUILDER({ selector: "k2", pubkey: "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC5/z4L", label: "subdomain", version: "DKIM1", hashtypes: ["sha1", "sha256"], keytype: "rsa", note: "some human-readable notes", servicetypes: ["email"], flags: ["y", "s"], ttl: 150 }), ); ``` {% endcode %} This yields the following record: ``` k2._domainkey.subdomain IN TXT "v=DKIM1; h=sha1:sha256; k=rsa; n=some=20human-readable=20notes; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC5/z4L; s=email; t=y:s" ttl=150 ``` ### Parameters * `selector` (string, required): The selector subdividing the namespace for the domain. * `pubkey` (string, optional): The base64-encoded public key (RSA or Ed25519). Default: empty (key revocation or non-sending domain). * `label` (string, optional): The DNS label for the DKIM record. Default: `@`. * `version` (string, optional): DKIM version. Maps to the `v=` tag. Default: `DKIM1` (currently the only supported value). * `hashtypes` (array, optional): Acceptable hash algorithms for signing. Maps to the `h=` tag. * Supported values for RSA key: * `sha1` * `sha256` * Supported values for Ed25519 key: * `sha256` * `keytype` (string, optional): Key algorithm type. Maps to the `k=` tag. Default: `rsa`. Supported values: * `rsa` * `ed25519` * `note` (string, optional): Human-readable notes intended for administrators. Pass normal text here; DKIM-Quoted-Printable encoding will be applied automatically. Maps to the `n=` tag. * `servicetypes` (array, optional): Service types using this key. Maps to the `s=` tag. Supported values: * `*`: explicitly allows all service types * `email`: restricts key to email service only * `flags` (array, optional): Flags to modify the interpretation of the selector. Maps to the `t=` tag. Supported values: * `y`: Testing mode. * `s`: Subdomain restriction. * `ttl` (number, optional): DNS TTL value in seconds ### Related RFCs * RFC 6376: DomainKeys Identified Mail (DKIM) Signatures * RFC 8301: Cryptographic Algorithm and Key Usage Update to DKIM * RFC 8463: A New Cryptographic Signature Method for DKIM (Ed25519) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.dnscontrol.org/language-reference/domain-modifiers/dkim_builder.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.