Description
The article describes how to use the DKIM key pair of a parent domain and publish it on the DNS servers, in order to sign outbound emails of associated domains.
Scope
All FortiMail
Solution
Firstly, create a new DKIM key pair on FortiMail for the parent domain.
The steps to create the key pair and publish the public key on the DNS server are described in the KB article below.
How to generate DKIM key: https://community.fortinet.com/t5/FortiMail/Technical-Tip-How-to-generate-DKIM-key/ta-p/193173
Secondly, publish the DKIM public key for the associated domains in order for the receiving MTA to validate the DKIM signature.
FortiMail performs DKIM signing for an associated domain with its parent domain DKIM key.
The DNS TXT record value will be the same for the parent domain and for the associated domains; however, the name of the published record will be different for each domain.
The DKIM record names follow a specific pattern and the queried records for each domain will be:
1) For 'lab.com': selector._domainkey.lab.com
2) For 'example.com': selector._domainkey.example.com
3) For 'example.org': selector._domainkey.example.org
Then, activate the key pair in the domain settings and select 'Enable DKIM signing for outgoing messages' (under 'Sender Validation') in the Session Profile applied to the matching IP Policy.
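To verify the published records before enabling signing, the following added example (not Fortinet's code) takes a snapshot of the TXT records, derives the selector._domainkey.<domain> name for the parent and each associated domain, and checks that every associated domain publishes the same p= public key as the parent. It assumes 'lab.com' is the parent domain, 'selector' is the selector name, and uses constructed placeholder key strings instead of a real key; feed it the output of real DNS lookups to check a live deployment.

```python
"""Check that DKIM TXT records for a parent domain and its associated
domains share the same public key, since FortiMail signs the associated
domains with the parent domain's key pair. Added example, not Fortinet's code."""


def dkim_record_name(selector, domain):
    """DNS name a receiving MTA queries to validate a DKIM signature."""
    return f"{selector}._domainkey.{domain}"


def parse_dkim_txt(txt):
    """Parse a record such as 'v=DKIM1; k=rsa; p=...' into a tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    return tags


def check_associated_domains(records, selector, parent, associated):
    """Return domain -> 'ok' | 'missing' | 'bad-version' | 'key-mismatch'.
    'ok' means the record exists and its p= value equals the parent's key."""
    parent_name = dkim_record_name(selector, parent)
    if parent_name not in records:
        raise ValueError(f"parent DKIM record missing: {parent_name}")
    parent_key = parse_dkim_txt(records[parent_name]).get("p")
    results = {}
    for domain in associated:
        txt = records.get(dkim_record_name(selector, domain))
        if txt is None:
            results[domain] = "missing"
            continue
        tags = parse_dkim_txt(txt)
        # RFC 6376: the v= tag is optional and defaults to DKIM1.
        if tags.get("v", "DKIM1") != "DKIM1":
            results[domain] = "bad-version"
        elif tags.get("p") != parent_key:
            results[domain] = "key-mismatch"
        else:
            results[domain] = "ok"
    return results


# Constructed sample zone data; 'PLACEHOLDERKEY' stands in for the real base64 key.
SAMPLE_RECORDS = {
    "selector._domainkey.lab.com":     "v=DKIM1; k=rsa; p=PLACEHOLDERKEY",
    "selector._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDERKEY",
    "selector._domainkey.example.org": "v=DKIM1; k=rsa; p=OTHERKEY",  # wrong key
}

if __name__ == "__main__":
    print(check_associated_domains(SAMPLE_RECORDS, "selector", "lab.com",
                                   ["example.com", "example.org"]))
```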
Copyright 2025 Fortinet, Inc. All Rights Reserved.