DomainKeys Identified Mail (DKIM) is one of the email authentication protocols. It grew out of Yahoo's DomainKeys (2004) and was standardized as RFC 4871 in 2007; the current specification is RFC 6376. It adds a digital signature header to your email. The signature acts like a watermark, allowing recipients to verify that the message really was signed by your domain, and not by an impersonator. It also lets them detect whether the signed headers or the body have been altered in transit. This article explains how DKIM works and how to add a DKIM record to verify your emails.
How DKIM really works
DKIM comes into play at the very last moment before the message leaves the outgoing SMTP server. The DKIM-enabled server takes the fully assembled email, hashes its body, and then calculates a digital signature over a selected set of headers together with that body hash. Of those headers, From is always included (the standard requires it), but the server can be configured to sign others as well, such as To, Subject, Date, etc. The signature is created with the domain's private key, which is stored securely on the server and never leaves it.
The server then adds a DKIM-Signature header containing the digital signature to the email. This header also carries the other information a verifier needs: the signing algorithm (a=), the signing domain (d=), the selector (s=) that tells the receiver which key to look up, the list of signed headers (h=), the body hash (bh=) and the signature itself (b=).
When a receiving mail server gets the email, it reads the domain and selector from the DKIM-Signature header, fetches the matching public key from that domain's DNS records and uses it to check the signature. Forging a signature, or altering a signed header or the body on the fly, makes verification fail, because producing a valid signature requires the private key that only the true domain owner holds. If the signature can't be verified, the message fails DKIM. Note what a pass does and does not prove: it shows that the domain in the d= tag signed the message as it now stands, not that the address shown in the From: line belongs to that domain. Checking that the two line up (alignment) is the job of DMARC, described below.
Verification failure, however, does not mean the message is always rejected. DKIM itself prescribes no outcome; the receiving server may be configured to tag the message as suspicious or to assign a spam score that feeds into further checks. The sender can also state the requested handling through another authentication technology, DMARC (Domain-based Message Authentication, Reporting and Conformance), whose policy (none, quarantine or reject) tells receivers what to do when a message produces no aligned DKIM or SPF pass.
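To make the steps above concrete, here is a stripped-down DKIM signer and verifier. This is an added example written for this article, not UniOne's code or a production library: the RSA key is a toy built from two published Mersenne primes (so it is not secret), the signature is bare textbook RSA over the SHA-256 digest rather than the PKCS#1 v1.5 padding real DKIM uses, and only the relaxed canonicalization, body hash (bh=) and header hash are implemented. The sample message, its headers and the domain and selector names are constructed for the demo. What it does show is the part people get wrong: which bytes are hashed, why a change to an unsigned header or to whitespace still verifies, and why a change to the body or to a signed header does not.

```python
"""Simplified DKIM signer and verifier showing the mechanics described above.
Added example, not UniOne's code: the key is a toy and padding is omitted."""
import base64
import hashlib
import re

# Toy RSA key built from two published Mersenne primes, so anyone can derive the
# private exponent: illustration only. Real DKIM keys are random 2048-bit RSA
# (or Ed25519) keys and the signature uses PKCS#1 v1.5 padding, not bare RSA.
_P, _Q = 2**521 - 1, 2**607 - 1
N, E = _P * _Q, 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))        # private exponent (Python 3.8+)

SIGNED_HEADERS = ["from", "to", "subject", "date"]   # the h= list; From is mandatory

def canon_header(name, value):
    """RFC 6376 'relaxed' header canonicalization: lowercase the name, unfold,
    collapse runs of whitespace to a single space, strip, terminate with CRLF."""
    value = re.sub(r"[ \t]*\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"

def canon_body(body):
    """'relaxed' body canonicalization: collapse whitespace within lines, drop
    trailing whitespace and trailing empty lines, end every line with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip() for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)

def body_hash(body):
    """The bh= tag: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canon_body(body).encode()).digest()).decode()

def _pick(headers, name):
    """DKIM signs the last instance of each listed header; a missing one is signed as empty."""
    for n, v in reversed(headers):
        if n.lower() == name:
            return n, v
    return name, ""

def _header_digest(headers, dkim_value):
    data = "".join(canon_header(*_pick(headers, h)) for h in SIGNED_HEADERS)
    # The DKIM-Signature header itself is hashed last, with b= empty and no final CRLF.
    data += canon_header("DKIM-Signature", dkim_value).rstrip("\r\n")
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big")

def sign(headers, body, domain="example.com", selector="s1"):
    """Sender side: return the value of the DKIM-Signature header to add."""
    fields = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
              f"h={':'.join(SIGNED_HEADERS)}; bh={body_hash(body)}; b=")
    sig = pow(_header_digest(headers, fields), D, N)
    return fields + base64.b64encode(sig.to_bytes((N.bit_length() + 7) // 8, "big")).decode()

def verify(headers, body, dkim_value):
    """Receiver side: recompute bh=, blank out b=, and check the signature with (N, E),
    which in real life is fetched from <selector>._domainkey.<domain> in DNS."""
    tags = dict(t.strip().split("=", 1) for t in dkim_value.split(";") if "=" in t)
    if tags.get("bh") != body_hash(body):
        return False                                   # body was altered
    sig = int.from_bytes(base64.b64decode(tags["b"]), "big")
    unsigned = re.sub(r"b=[^;]*$", "b=", dkim_value)   # the header as it was when signed
    return pow(sig, E, N) == _header_digest(headers, unsigned)

def demo():
    """Constructed sample message; returns the verification result for five variants."""
    headers = [("From", "Alice <alice@example.com>"), ("To", "bob@example.net"),
               ("Subject", "Invoice  #42"), ("Date", "Mon, 01 Jan 2024 10:00:00 +0000"),
               ("X-Mailer", "demo-mailer")]                     # X-Mailer is not in h=
    body = "Hello Bob,\r\n\r\nPlease see  attached.\r\n\r\n\r\n"
    dkim = sign(headers, body)
    edit = lambda name, new: [(n, new if n == name else v) for n, v in headers]
    return {
        "original": verify(headers, body, dkim),
        "body_tampered": verify(headers, body.replace("attached", "attacked"), dkim),
        "signed_header_tampered": verify(edit("Subject", "Invoice #43"), body, dkim),
        "unsigned_header_changed": verify(edit("X-Mailer", "other"), body, dkim),
        "whitespace_only_change": verify(headers, body.replace("  ", " "), dkim),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24s} {'pass' if ok else 'FAIL'}")
```

Two details are worth noticing. The DKIM-Signature header is part of what is signed (with an empty b=), which is why the bh= and h= tags cannot be swapped out after the fact. And "relaxed" canonicalization deliberately ignores whitespace changes, because mail relays routinely refold headers and trailing blank lines; "simple" canonicalization would make such messages fail.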
What is a DKIM record
To verify an email purportedly coming from a particular domain, the receiver needs that domain's public key, so the domain's owner has to publish it. For this purpose, a TXT record is added to the domain's Domain Name System (DNS) configuration, storing the public key a receiving mail server will use to verify an incoming message's authenticity.
If you are running your own mail server, you probably already know how to set up your mail server for DKIM and add a DNS record (or have a dedicated staff member to do the task). But if you're using an external email service provider (ESP), like UniOne, the ESP generates the key pair, keeps the private half on its servers, and gives you a record (or, with some providers, a CNAME pointing at a record they host) to add to your domain's DNS settings. The ESP then attaches the digital signature header to all emails sent on your behalf.
What a DKIM record looks like
A DKIM record consists of two main parts:
- Name (the DNS host name the record is published under)
- Content (the value, including the public key)
The name follows this structure: [selector]._domainkey.[domain]
- The selector is a label identifying which of the domain's keys was used. Your email service provider issues it; if you run your own mail server, you choose it yourself.
- ._domainkey. is a fixed part of all DKIM records.
- domain is the domain name you're sending emails from.
An example is “big-email._domainkey.myschoolsupplies.co”.
The content holds the public key along with some additional info, written as semicolon-separated tag=value pairs. Here's an example:
- v refers to the version of DKIM; DKIM1 is the only version defined.
- k indicates the type of key, in this case, an RSA public key (ed25519 is the other type the standard allows).
- p contains the key itself, base64-encoded. An empty p= is meaningful: it tells receivers the key has been revoked.
When adding the DKIM record to your DNS configuration, the Name goes in the host field and the Content in the value field. The record type must be TXT, and the TTL (time-to-live) can be whatever you wish. One practical caveat: a single TXT string holds at most 255 characters, and the value for a 2048-bit RSA key is about 400 characters long, so many DNS interfaces require you to split it into several quoted strings (or do so automatically). Resolvers join the pieces back together, so the split is invisible to verifiers.
How do I add a DKIM record?
You add it as a TXT record wherever your domain's DNS zone is hosted, which is usually your registrar but may be a separate DNS provider. Follow these steps:
- Open the registrar (or DNS provider) that hosts your domain and subdomain. Examples of popular domain registrars include Namecheap, Hover, Google Domains, Bluehost, etc.
- Head to the domain you want to add the record to and choose DNS configurations. Virtually all registrars allow you to add custom DNS records for a domain name.
- Click the button to add a new record.
- Add the DKIM record as a TXT entry, with the Name as the host and Content as the value. Watch for interfaces that append your domain to the host automatically: entering the full “selector._domainkey.example.com” there produces a record under “selector._domainkey.example.com.example.com”, which receivers will never find.
- Select the Time-to-Live (TTL). TTL is the duration for which resolvers cache the DNS record, so it affects how long a later change to the entry takes to become visible everywhere. The actual propagation time depends on various factors. In most cases, it's safe to choose the default value.
- Wait for the new DKIM record to propagate. Until resolvers can see it, receivers cannot find the key and signed mail will fail verification, so do not start signing with a new selector before the record is visible.
How do I verify my DKIM record?
After adding the record, you should always check whether it works properly. You can use many free online tools to verify that your newly added DKIM record is visible on the public DNS system; you can also query it yourself with a command such as dig TXT big-email._domainkey.myschoolsupplies.co (or nslookup) and inspect the value that comes back. Some tools will also allow you to check the record's syntax before it is added. Examples include:
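The following script covers both sides of the record described in the two sections above: it builds the Name and Content for a record (including the split into 255-character TXT strings), and it checks a published record the way an online verifier does, by joining the strings, parsing the tags and decoding p= to confirm that it really is an RSA public key of adequate size. It is an added example written for this article, not UniOne's tooling. The DER encoder and parser are minimal ones written here for the demo; the 2048-bit modulus used in the demo is a stand-in number of the right size, not a real key, since only the size matters for the record layout. To check your own record, feed the strings returned by dig TXT selector._domainkey.yourdomain into check_record.

```python
"""Build a DKIM TXT record from an RSA public key and sanity-check a published one.
Added example, not UniOne's tooling."""
import base64

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1 (rsaEncryption)

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def _der_int(i):
    b = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)   # keep the INTEGER positive

def rsa_spki_der(n, e):
    """DER SubjectPublicKeyInfo for an RSA key: the bytes that p= carries in base64."""
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))             # RSAPublicKey {n, e}
    alg = _der(0x30, RSA_OID + b"\x05\x00")                      # AlgorithmIdentifier, NULL params
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))      # BIT STRING with 0 unused bits

def build_record(selector, domain, n, e):
    """Return (record name, TXT strings). A single TXT string holds at most 255
    bytes, so a long value is published as several strings that resolvers join."""
    value = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki_der(n, e)).decode()
    return f"{selector}._domainkey.{domain}", [value[i:i + 255] for i in range(0, len(value), 255)]

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, content, next position)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def rsa_modulus_bits(der):
    """Size of the RSA modulus inside a SubjectPublicKeyInfo, or None if it is not one."""
    try:
        tag, spki, _ = _tlv(der, 0)
        atag, alg, pos = _tlv(spki, 0)
        btag, bitstr, _ = _tlv(spki, pos)
        if (tag, atag, btag) != (0x30, 0x30, 0x03) or not alg.startswith(RSA_OID):
            return None
        ktag, rsa_key, _ = _tlv(bitstr[1:], 0)        # skip the unused-bits byte
        ntag, modulus, _ = _tlv(rsa_key, 0)
        if (ktag, ntag) != (0x30, 0x02):
            return None
        return int.from_bytes(modulus, "big").bit_length()
    except (IndexError, ValueError):
        return None

def check_record(strings):
    """Join the TXT strings, parse the tags and return a list of findings (empty = OK)."""
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append(f"unexpected version {tags['v']!r}")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        findings.append(f"unsupported key type {tags['k']!r}")
    if "p" not in tags:
        return findings + ["missing p= tag"]
    if tags["p"] == "":
        return findings + ["p= is empty: this key has been revoked"]
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return findings + ["p= is not valid base64"]
    if tags.get("k", "rsa") == "rsa":
        bits = rsa_modulus_bits(der)
        if bits is None:
            findings.append("p= does not decode to an RSA SubjectPublicKeyInfo")
        elif bits < 1024:
            findings.append(f"RSA key is only {bits} bits; RFC 8301 tells verifiers to reject keys below 1024 bits")
        elif bits < 2048:
            findings.append(f"RSA key is {bits} bits; 2048 bits is the current recommendation")
    return findings

# Stand-in 2048-bit modulus: only the size matters for the record layout; it is not a real key.
DEMO_N, DEMO_E = (1 << 2047) | 1, 65537

if __name__ == "__main__":
    name, strings = build_record("big-email", "myschoolsupplies.co", DEMO_N, DEMO_E)
    print(name, "->", len(strings), "TXT strings")
    print(check_record(strings) or "record looks good")
```

The size check is not cosmetic: RFC 8301 requires verifiers to treat signatures made with RSA keys shorter than 1024 bits as invalid, and 2048 bits is what providers issue today. An empty p= is also worth recognising explicitly, because it is how a retired selector is announced rather than simply a broken record.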
Can a domain have multiple DKIM records?
Yes, a domain can have multiple DKIM records for the different mail servers used by that domain. For example, if you have separate email subsystems for different departments, each one may have its own DKIM setup. It works as long as the different DKIM records have different selector names, since the selector in each message's DKIM-Signature header tells the receiver which record to fetch. Selectors also make key rotation painless: publish the new key under a new selector, switch signing to it, and remove the old record only once mail signed with the old key is no longer in transit.