DKIM stands for DomainKeys Identified Mail and is used for the authentication of an email that’s being sent. Like SPF, DKIM is an open standard for email authentication that is used for DMARC alignment. A DKIM record exists in the DNS, but it is a bit more complicated than SPF. DKIM’s advantage is that it can survive forwarding, which makes it superior to SPF and a foundation for securing your email.
Starting in 2004 from merging two similar efforts, “enhanced DomainKeys” from Yahoo and “Identified Internet Mail” from Cisco and has since been widely adopted for email authentication.
How does DKIM work?
DKIM gives emails a signature header that is added to the email and secured with encryption. This DKIM signature acts as a tamper-proof seal for an email to verify that it has actually come from the domain it says it does and that it hasn’t been tampered with.
To use DKIM, email servers are configured to attach special signatures to the emails they send. These signatures travel with the emails and are verified along the way by the email servers that move the emails toward their final destination.
What is a DKIM Signature?
Each DKIM signature contains all the information needed for an email server to verify that the signature is real, and it is encrypted by a pair of keys. The originating email server has what is called the “private key,” which can be verified by the receiving mail server or ISP with the other half of the keypair, called the “public key.”
DKIM selectors are found in the DKIM-Signature header and indicate where the public key portion of the DKIM keypair exists in DNS.
Why is DKIM important?
If you are a business that sends commercial or transactional emails, it’s critical to use both SPF and DKIM. Not only will these protocols protect your business from phishing and spoofing attacks, but SPF and DKIM ultimately help protect your customer relationships and brand reputation. However, these are only just a few of the many steps you can take to ensure business-critical emails reach your customers’ inboxes on time and don’t end up in spam folders.
Note: The problem with DKIM is that because it’s more difficult to implement, fewer senders have adopted it. This inconsistent adoption means that the absence of a DKIM signature does not necessarily indicate the email is fraudulent.
How does DKIM affect email deliverability?
Adding a DKIM signature to your email’s header adds another layer of authenticity to your campaigns. DKIM, along with SPF and DMARC make up the dream team trio of email authentication and security. Together, they work in synergy to prevent email spoofing and make your emails more trustworthy.
How do I create a DKIM record for a domain?
- Create a list of all domains and sending services (such as marketing campaign platforms or invoice generators, also referred to as ESPs) that are authorized to send an email on your behalf. Contact them and request DKIM to be configured and that you need a copy of the public key.
- Generate the key pairs. Here are a few options:
- If your organization has its own email server, it may have native DKIM functionality. Check the available documentation for the public/private key generation and policy record creation (or check in with your IT staff who are responsible for the server).
- There are third-party tools available to generate the DKIM record. Note: check with your organization’s security policy prior to utilizing third-party tools.
- To create the keys without a third party, an open-source project called opendkim is available.
- DKIM keys also can be generated via openssl.
How do I add a DKIM record?
- Publish your public key to your DNS record as a text (TXT) record. Check with your DNS provider to see if they allow more than 255 characters in the input field or not, as you may have to work with your provider to increase the size or to create the TXT record itself.
- Save the private key to your SMTP server / MTA (mail transfer agent).
How can I test my DKIM record?
You can test it using folderly.com or contact our team.
What does the Folderly email test tool cover with regards to DKIM?
- no_dkim_record – DKIM DNS Record existence
- dkim_not_verified – DKIM Verification
- generic_dkim – DKIM Signature from Author’s / From Envelope domain
How to test DKIM by sending an email to a Gmail account.
- Open the email in the Gmail web app
- Click on the down arrow next to the “reply” button (top right of email)
- Select “show original”. In the original, if you see “signed-by: [your domain name]” then your DKIM signature is good
Can I have multiple DKIM records?
A domain can have as many DKIM records for public keys as servers that send mail. Just make sure that they use different selector names.
If you have any questions about DKIM records or deploying DMARC, don’t hesitate to contact us.