
DomainKeys Identified Mail (DKIM): What is DKIM?

DomainKeys Identified Mail (DKIM) is an email authentication protocol designed to verify the sender’s identity. It utilizes cryptographic algorithms and signs emails with a digital signature so recipients can verify the email was sent from the correct domain. DKIM prevents the illegitimate use of your domain. Email servers verify that the email data was not tampered with during transit.

How does DKIM work?

DKIM uses a pair of cryptographic RSA keys called public and private keys.

The private key must be kept secret and not available publicly, while the public key is published in the domain’s DNS records.

The sending server uses the private key to create a digital signature that contains information about the sender. This digital signature is attached to the email. Recipient servers then use the public key, obtained from the public DNS record under the specified DKIM selector, to verify the digital signature and confirm that the email was sent from the correct domain. Email service providers regularly check for the DKIM signature as part of their authentication practices.

To set up DKIM, these keys must be generated. If you do not have DKIM keys for your domain, generate them for free with EmailGuard.

What is a DKIM record?

A DKIM record is a DNS TXT record that contains the public key used to verify the digital signature. The public key is made up of a string of random characters.

Here is an example of a DKIM record:

Example of DKIM record generated using EmailGuard

v=DKIM1 indicates that the TXT record is a DKIM record.

p=MIGfMA0… indicates that everything after “p=” is the public key.

What are DKIM selectors?

Domains can have multiple keys published in their DNS records. DKIM selectors allow email servers to locate and differentiate between these keys. This is useful for domains that send emails from multiple providers since it allows each one to have its own DKIM record and DKIM signature.

DKIM record names use the following format:

[selector]._domainkey.[domain]

Let’s say your domain is example.com, and you send emails from two different providers. You can generate two DKIM records.

If your selectors are “s1” and “s2”, your DKIM record names would look something like this:

s1._domainkey.example.com
s2._domainkey.example.com

Where “s1” and “s2” are the selectors and “example.com” is the domain name.

Example of DKIM with selectors

How do I find my DKIM selector?

To find your DKIM selector, you simply need to inspect the DKIM signature header in any of the emails sent by your domain.

An example of a DKIM signature header:

Example of DKIM signature header

The digital signature is attached to the DKIM header.

Once you find the signature header, simply locate the “s=” tag. The value associated with that tag is your selector, and in the example above, this would be “s1”.
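As an added example (not EmailGuard's code and not part of the original article), the Python sketch below reads the s= and d= tags from each DKIM-Signature header of a message, builds the [selector]._domainkey.[domain] record name, and sanity-checks the v= and p= tags of a key record. The sample message, the placeholder p= bytes and the function names are constructed for illustration; treating an empty p= as a revoked key follows the DKIM specification (RFC 6376) rather than this page.

```python
import base64
from email import message_from_string

def parse_tag_list(value):
    """Parse the 'tag=value; tag=value' syntax used by signature headers and key records."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def dkim_lookup_names(raw_message):
    """Return the DNS name of the key record for each DKIM-Signature header."""
    msg = message_from_string(raw_message)
    names = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tag_list(header)  # parse tags; a substring search for "s=" can misfire
        if "s" in tags and "d" in tags:
            names.append(f"{tags['s']}._domainkey.{tags['d']}")
    return names

def check_key_record(txt_strings):
    """Join the TXT strings of one key record and list the problems found."""
    tags = parse_tag_list("".join(txt_strings))  # DNS splits long TXT data into strings
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    if "p" not in tags:
        problems.append("no p= tag")
    elif not tags["p"]:
        problems.append("empty p=: key revoked")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except ValueError:
            problems.append("p= is not valid base64")
    return problems

# Constructed sample input: one message carrying two signatures, selectors s1 and s2.
SAMPLE_MESSAGE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=s1;\n"
    "\th=from:subject; bh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ=\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=s2;\n"
    "\th=from:subject; bh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ=\n"
    "From: sender@example.com\nSubject: constructed sample\n\nbody\n"
)
# Constructed placeholder bytes, not a real public key, split the way DNS returns long records.
_P = base64.b64encode(b"constructed sample bytes, not a real public key").decode()
SAMPLE_TXT = ["v=DKIM1; k=rsa; p=" + _P[:20], _P[20:]]

if __name__ == "__main__":
    print(dkim_lookup_names(SAMPLE_MESSAGE))
    print(check_key_record(SAMPLE_TXT))
```

The names returned by dkim_lookup_names are the TXT records to query; pass the strings of each answer to check_key_record.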

Setting up DKIM

Check out our email authentication tools for user-friendly processes to help set up DKIM for your domains.

Simplify your email authentication process with EmailGuard. We'll help you with:

DKIM Lookup

If you are unsure about your DKIM setup, use the DKIM Lookup tool to verify DKIM records for your domain.

DKIM Generator Wizard

The DKIM Generator Wizard offers instructions on setting up provider-specific DKIM records for your domains (e.g. Google, Microsoft, Mailchimp, etc.).

DKIM Raw Generator

The DKIM Raw Generator tool allows you to generate raw DKIM records and private/public RSA keys for your domains.

What are some benefits of having a DKIM record?

Well, it is better to have a DKIM record than not have one. A DKIM record can help with your email deliverability. If you do not have DKIM records set up for your domains, you can potentially lessen your chances of landing in the inbox. It is like a trust signal to email service providers that your emails are legitimate. It helps confirm your legitimacy as a sender. This improves your overall sender reputation and credibility. Emails that pass DKIM checks are more likely to reach their intended recipient’s inbox rather than being filtered as spam.

DKIM records help improve email security. Email is such a big part of how we communicate, and cyberattackers may try to spoof your domain and impersonate you. DKIM signatures are associated with your domain; they help protect your domain, making it harder for attackers to appear to send emails from your domain. DKIM signatures are attached to your outgoing emails. When the receiving server gets the email, it authenticates the signature using the public key found in your domain’s DNS record. If a DKIM check fails, it indicates that the email was tampered with during transit, and the receiving server treats the email as suspicious.

DKIM records help improve your domain reputation. Email service providers regularly check for DKIM records, and by consistently passing DKIM checks, you establish trust and legitimacy. This helps build a positive domain reputation by authenticating the legitimacy of emails sent from your domain. This will help improve your email deliverability and chances of landing in the inbox.

Do I need to have a DKIM record?

A DKIM record is important because it helps maintain the legitimacy of an email. It lets the receiving server know that the email is not malicious or spam and was actually sent from an authorized sender. As mentioned, DKIM adds a signed header to your email. The DKIM header contains vital information that receiving servers can use to authenticate emails and ensure that emails were not tampered with during transit. The receiving server uses the public key that is found in the domain’s DNS record to verify the DKIM signature.

It is important to note that DKIM alone won’t protect your emails from malicious cybersecurity attacks. It is always recommended to employ all three email authentication protocols together (SPF, DKIM, and DMARC) to ensure email security. SPF records help ensure that emails are sent by authorized senders on behalf of the domain. DMARC is built on top of DKIM and SPF. With DMARC, domain owners can specify how emails should be handled if they fail the DKIM and SPF checks. DMARC monitoring is a great way to get insights on how many of your emails are passing and failing SPF and DKIM checks. Individuals and small and large businesses can greatly benefit from setting up email authentication protocols and regularly monitoring their DMARC reports to improve email security and deliverability.
