What is DKIM?

A DomainKeys Identified Mail (DKIM) signature proves that an email is authentic and that the sender was authorized to use the domain name in the sender address. DKIM is defined in RFC 6376.

To use DKIM, the system that sends the email creates an RSA key pair. That system can be your own email server, but also a cloud service such as Microsoft 365 or Mailchimp. The private key stays on the sending system; the public key is given to the domain owner, who publishes it in DNS as a DKIM record. The DKIM record is placed in the DNS zone of the domain that wants to allow the email service to send email on its behalf.

The sending server automatically adds a cryptographic signature, made with the private key, to every email it sends. An email service receiving the email fetches the public key through DNS and validates the signature with that public key.

If the signature is valid, it proves that:

  • The sending server is authorized by the domain owner to send email for that domain.
  • The email is authentic (not a single letter in the email was changed during transport).

By publishing a DKIM record in your DNS, you are saying "Any email service that proves it has access to the corresponding private key (by adding the signature) is allowed to send email for this domain."

By adding a DKIM signature to an email, the sender is saying "Here is proof that I have access to the private key that corresponds to the public key that you will find in the DNS of the domain that I am sending for."

By validating the DKIM signature of an email, the receiver is saying "I have found proof that this email is authentic and that the sender was authorized to send email for this domain."
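The signing and validation flow described in the paragraphs above, written out in Go as an added example (this is not code from the article, and it is deliberately simplified: the header canonicalization is a reduced "relaxed" form rather than the full RFC 6376 section 3.4 rules, only the From and Subject headers are signed, and the DNS lookup is replaced by handing Verify the public key directly). The selector mail2024, the domain example.com and the message contents are constructed values; the names DKIMKey, GenerateKey, DNSRecord, Sign and Verify are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// DKIMKey is the signer's material. The private key never leaves the sending
// system; DNSRecord renders the part the domain owner publishes.
type DKIMKey struct {
	Selector string
	Domain   string
	Private  *rsa.PrivateKey
}

func GenerateKey(selector, domain string) (*DKIMKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &DKIMKey{Selector: selector, Domain: domain, Private: priv}, nil
}

// DNSRecord renders the TXT value to publish at <selector>._domainkey.<domain>.
func (k *DKIMKey) DNSRecord() string {
	der, _ := x509.MarshalPKIXPublicKey(&k.Private.PublicKey)
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// canon is a simplified "relaxed" header canonicalization: lower-case the
// field name and collapse runs of whitespace in the value.
func canon(name, value string) string {
	return strings.ToLower(name) + ":" + strings.Join(strings.Fields(value), " ")
}

// headerDigest hashes the signed headers in h= order, then the DKIM-Signature
// header itself with an empty b= value; this digest is what gets signed.
func headerDigest(headers map[string]string, names []string, sigNoB string) []byte {
	h := sha256.New()
	for _, n := range names {
		h.Write([]byte(canon(n, headers[n]) + "\r\n"))
	}
	h.Write([]byte(canon("DKIM-Signature", sigNoB)))
	return h.Sum(nil)
}

// Sign returns the DKIM-Signature header value: bh= is the body hash, b= the signature.
func (k *DKIMKey) Sign(headers map[string]string, signed []string, body string) (string, error) {
	bh := sha256.Sum256([]byte(body))
	sigNoB := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		k.Domain, k.Selector, strings.Join(signed, ":"), base64.StdEncoding.EncodeToString(bh[:]))
	sig, err := rsa.SignPKCS1v15(rand.Reader, k.Private, crypto.SHA256, headerDigest(headers, signed, sigNoB))
	if err != nil {
		return "", err
	}
	return sigNoB + base64.StdEncoding.EncodeToString(sig), nil
}

// tag returns one tag value from a DKIM-Signature header value.
func tag(sig, name string) string {
	for _, part := range strings.Split(sig, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 && kv[0] == name {
			return kv[1]
		}
	}
	return ""
}

// Verify is the receiving side. pub is the key fetched from <s>._domainkey.<d>;
// the body hash is checked first, then the signature over the headers.
func Verify(sig string, pub *rsa.PublicKey, headers map[string]string, body string) error {
	bh := sha256.Sum256([]byte(body))
	if base64.StdEncoding.EncodeToString(bh[:]) != tag(sig, "bh") {
		return errors.New("body hash mismatch: the body was changed in transport")
	}
	raw, err := base64.StdEncoding.DecodeString(tag(sig, "b"))
	if err != nil {
		return err
	}
	noB := sig[:strings.LastIndex(sig, "; b=")+4] // the header as it was when signed
	digest := headerDigest(headers, strings.Split(tag(sig, "h"), ":"), noB)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, raw); err != nil {
		return errors.New("signature mismatch: a signed header was changed or the key is wrong")
	}
	return nil
}

func main() {
	key, _ := GenerateKey("mail2024", "example.com") // constructed selector and domain
	headers := map[string]string{"From": "alice@example.com", "Subject": "Invoice 42"}
	body := "Please find the invoice attached.\r\n"
	sig, _ := key.Sign(headers, []string{"From", "Subject"}, body)
	fmt.Println("publish at mail2024._domainkey.example.com:", key.DNSRecord()[:30]+"...")
	fmt.Println("unchanged message:", Verify(sig, &key.Private.PublicKey, headers, body))
	fmt.Println("changed body:", Verify(sig, &key.Private.PublicKey, headers, body+"extra line\r\n"))
}
```

The two failure paths are the ones the article's "proves that" list describes: a changed body fails on bh= before any public-key operation, and a changed signed header or a key published under a different selector fails on the signature check.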

The DKIM DNS record

The public key used to validate the DKIM signature is published in a DNS record for the domain. A DKIM record is of type TXT and must be placed at the address [selector]._domainkey.[domain]. The selector is an identifier for the DKIM key; more about this later.

A DNS query on [selector]._domainkey.[domain] may return at most one TXT record. If you have multiple keys, publish each corresponding public key under a different selector. That way different private keys can be used to sign email. For example, you can have one key for your own mail server and one for a third party such as Mailchimp.

DKIM keys are not meant to ever change. If you need to use a new DKIM key, use a new selector as well. Because DKIM records never change, they can have a high time-to-live (TTL) value; a TTL of 1 day (86400 seconds) or more is not uncommon for DKIM records.

Here is an example of a DKIM record:

google._domainkey.kdmarc.com. 86400 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9wBAQEFAAOCAQ8AMIIBCgKCAQEAgAF0AKrnAY2oscOh7jlBBPJDHgWO/HR/TxPr18yG6uFs3jVLkz1qZpI0QJX90aVnpPiu1C+6MZzUwzYYY/f8g8rVGxwj2D/anjih4sKUFmun2IluFiS93RcPZXYWNXor4gALdsdAVB7ak4/30l0uVAU3OEwFX77yWNT6BDSiobfpKMDG4TV4iZiohOlc1gHHX" "HYbLbcQ1uM9CLPkuqHKQkudLjvAbvl0eqDtAzThAahsmhl5Lc7Qru1SJShv47RxzIxShBL6MGTxEGiIR09244oQf++CmKCT8TPxptT/Y6mrLO5+t//dlvSVLsrKhF6xqZWwSOL0pskJiDdqDAxDGQIDAQAB"

We have a DKIM inspection tool available here, you can use it to inspect and validate a DKIM DNS record.

Field specification

The following information can be placed within a DKIM record:

  • v (optional): The version field. The default is DKIM1, which is currently the only acceptable value.
  • h (optional): A colon-separated list of acceptable hash methods to be used with this key. Supported methods are sha1 and sha256.
  • k (optional): The type of key. Valid values are rsa or ed25519.
  • n (optional): Notes for the record, such as an identifier. Intended for humans (administrators); validators ignore this value.
  • p (required): The public key data, base64 encoded.
  • s (optional): A colon-separated list of service types this key is intended to be used with.
  • t (optional): A colon-separated list of flags for this key. Supported values are y, to indicate this is a testing key, and s, to require strict domain validation (the key is not valid for subdomains).

The selector

Every DKIM record must have a unique identifier known as the selector. The selector is part of the address that is used to query the DKIM record in DNS. The DKIM signature in the headers of an email also contains this selector, so the receiver knows where to query the DKIM DNS record.

Since the selector is used as the DNS name of the DKIM record, it can contain only characters that are valid in a domain name: letters, numbers and hyphens (-), up to a maximum of 255 characters.

Spaces, dots and underscores are not allowed. As with all DNS names, a selector is not case-sensitive.

Because the v=DKIM1 tag in a DKIM record is optional (unlike, for example, the version tag in a DMARC record), a validator has no way to distinguish a DKIM record from any other TXT record. It is therefore required that a DNS query on the selector address yields no more than one TXT record.
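A parser for the record format covered by the field specification and the selector sections above, added here as an example that is not code from the article. It refuses more than one TXT answer (the requirement just stated), joins the character-strings a resolver returns for a long record (the example record earlier on the page is split that way), applies the defaults for v= and k=, reads the t= flags, and checks that p= decodes to a key of the declared type. Two details come from the RFCs rather than this page: an empty p= means the key has been revoked (RFC 6376 section 3.6.1), and an ed25519 key is the raw 32-byte public key (RFC 8463). The Record type, the ParseRecord function and the dummy record in main are this example's own.

```go
package main

import (
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Record holds the fields of a DKIM TXT record after defaults are applied.
type Record struct {
	Version  string   // v=, defaults to DKIM1
	KeyType  string   // k=, defaults to rsa
	Hashes   []string // h=, empty means any hash method
	Services []string // s=
	Testing  bool     // t=y
	Strict   bool     // t=s: key is not valid for subdomains
	Revoked  bool     // p= present but empty
	Key      []byte   // decoded p=: DER SubjectPublicKeyInfo (rsa) or 32 raw bytes (ed25519)
}

// ParseRecord takes the TXT answers returned for <selector>._domainkey.<domain>.
// Each answer is a list of character-strings (long RDATA is split), joined first.
func ParseRecord(answers [][]string) (*Record, error) {
	if len(answers) != 1 {
		return nil, fmt.Errorf("expected exactly one TXT record, got %d", len(answers))
	}
	tags := map[string]string{}
	for _, part := range strings.Split(strings.Join(answers[0], ""), ";") {
		if strings.TrimSpace(part) == "" {
			continue // a trailing ";" is allowed
		}
		kv := strings.SplitN(part, "=", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("malformed tag %q", strings.TrimSpace(part))
		}
		// Folding whitespace may appear inside values (notably p=); drop it.
		tags[strings.TrimSpace(kv[0])] = strings.Join(strings.Fields(kv[1]), "")
	}
	p, ok := tags["p"]
	if !ok {
		return nil, errors.New("required tag p= is missing")
	}
	rec := &Record{Version: "DKIM1", KeyType: "rsa"} // n= is for humans; validators ignore it
	if v, ok := tags["v"]; ok && v != "DKIM1" {
		return nil, fmt.Errorf("unsupported version %q", v)
	}
	if k, ok := tags["k"]; ok {
		if k != "rsa" && k != "ed25519" {
			return nil, fmt.Errorf("unsupported key type %q", k)
		}
		rec.KeyType = k
	}
	if h, ok := tags["h"]; ok {
		rec.Hashes = strings.Split(h, ":")
	}
	if s, ok := tags["s"]; ok {
		rec.Services = strings.Split(s, ":")
	}
	for _, flag := range strings.Split(tags["t"], ":") {
		switch flag { // unrecognised flags are ignored, as RFC 6376 requires
		case "y":
			rec.Testing = true
		case "s":
			rec.Strict = true
		}
	}
	if p == "" {
		rec.Revoked = true // an empty p= means the key has been revoked
		return rec, nil
	}
	der, err := base64.StdEncoding.DecodeString(p)
	if err != nil {
		return nil, fmt.Errorf("p= is not valid base64: %v", err)
	}
	switch rec.KeyType {
	case "rsa":
		pub, err := x509.ParsePKIXPublicKey(der)
		if _, isRSA := pub.(*rsa.PublicKey); err != nil || !isRSA {
			return nil, errors.New("p= does not contain an RSA public key")
		}
	case "ed25519":
		if len(der) != 32 {
			return nil, fmt.Errorf("ed25519 key must be 32 bytes, got %d", len(der))
		}
	}
	rec.Key = der
	return rec, nil
}

func main() {
	dummy := strings.Repeat("A", 43) + "=" // constructed: base64 of 32 zero bytes, not a real key
	rec, err := ParseRecord([][]string{{"v=DKIM1; k=ed25519; t=y:s; p=" + dummy[:20], dummy[20:]}})
	fmt.Printf("err=%v type=%s testing=%v strict=%v keybytes=%d\n", err, rec.KeyType, rec.Testing, rec.Strict, len(rec.Key))
}
```

Because v= is optional, the parser cannot tell a DKIM record from an unrelated TXT record by content, which is why the "exactly one answer" check comes first and why the p= value is validated as an actual key rather than taken on trust.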
