Glossary

BYODKIM (Bring-Your-Own-DKIM)

You own the signing key and publish it in one DNS record, so mail is signed as your domain with no sending-provider name leaking to recipients.

BYODKIM — “bring your own DKIM” — is a sending-provider feature that lets you supply or generate your own DKIM key pair and sign outbound mail under your own domain and selector, rather than relying on a shared signing domain the provider owns. The private key signs the message; the matching public key lives in a DNS TXT record under selector._domainkey.yourdomain.com.

Why it matters

Without it, many platforms sign mail as their own domain. Receivers then show a “via” line — for example via amazonses.com — which looks off to recipients and weakens trust in your brand. It also blocks strict DMARC alignment, because DKIM alignment requires the signing domain (the d= tag) to match your From: domain. With a shared signing domain those don’t match, so DKIM authenticates but doesn’t align. BYODKIM puts your domain in the d= tag, so the signature is yours, the “via” line disappears, and alignment passes even under a strict p=reject policy.

How it works

  • You generate (or are issued) a DKIM key pair and choose a selector, e.g. cr1.
  • You publish the public key as a DNS TXT record at cr1._domainkey.yourdomain.com.
  • The provider holds the private key and adds a DKIM-Signature: header to each message, signing with d=yourdomain.com.
  • Receivers fetch the public key via DNS, verify the signature, and confirm the body and signed headers weren’t altered in transit.

For example, an e-commerce store moving support email onto a new platform publishes one TXT record; from then on every reply is signed as their own domain, no provider name leaks, and SPF, DKIM and DMARC all align.
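The alignment rule above can be checked directly from a message's headers. The following is an added example, not Cherryrise's code: it reads each DKIM-Signature, derives the DNS name where the public key is expected, and compares d= with the From: domain. The sample messages, the selector shared1 and the two-label organizational-domain shortcut are assumptions made for illustration, and no cryptographic verification is performed.

```python
from email import message_from_string
from email.utils import parseaddr

def dkim_tags(value):
    """Parse a DKIM-Signature value (RFC 6376 tag=value list) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def org_domain(domain):
    # Simplification: last two labels. Real DMARC evaluators use the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def check_alignment(raw_message):
    """For each DKIM-Signature: the key's DNS name and whether d= aligns with From:."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    results = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dkim_tags(sig)
        if "d" not in tags or "s" not in tags:
            continue  # malformed signature: d= and s= are required tags
        d = tags["d"].lower()
        results.append({
            "d": d,
            "key_record": f"{tags['s']}._domainkey.{d}",
            "strict": d == from_domain,                           # adkim=s
            "relaxed": org_domain(d) == org_domain(from_domain),  # adkim=r
        })
    return results

# Constructed sample messages; bh=/b= values are placeholders, not real signatures.
def sample(d, s):
    return (f"DKIM-Signature: v=1; a=rsa-sha256; d={d}; s={s};\n"
            "\th=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
            "From: Support <help@yourdomain.com>\n"
            "To: customer@example.net\n"
            "Subject: Re: your order\n\nHello\n")

SHARED = sample("amazonses.com", "shared1")   # provider's shared signing domain
BYODKIM = sample("yourdomain.com", "cr1")     # your own domain and selector

if __name__ == "__main__":
    for name, raw in (("shared", SHARED), ("byodkim", BYODKIM)):
        print(name, check_alignment(raw))
```

Run against real mail, an unaligned result for every signature on a message means DMARC can only pass through SPF alignment for that message.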

How Cherryrise handles it

Cherryrise uses BYODKIM by default: you publish the DNS records it gives you, and replies are signed as your domain with no Cherryrise name on the envelope. The full walkthrough is in the deliverability guide, and the broader picture is in SPF, DKIM and DMARC explained.
