DKIM record syntax

DKIM is a mechanism to verify the source of a message. It uses public-key cryptography to sign the contents of your email so that anyone who receives it can check whether it has been tampered with in transit. The DKIM record syntax of your TXT record Name is selector._domainkey.example.com. In our example, the selector is the DKIM-signer, which means that we’re signing for the domain example.com.

What is a DNS DKIM Record? 

A DKIM record is an entry in your DNS (Domain Name System) that tells other mail systems how you want your mail to be authenticated. It includes information like your record name, how long you want the record to live, and what key you want to use. 

If a sender wants to send you an email message with DKIM authentication, they will generate an encrypted hash of their message. They then include this cryptic code as part of the header when they send it out so recipients can verify whether or not the message has been tampered with since it left the sender’s server.

How does DKIM authenticate emails? 

DKIM uses public key cryptography to digitally sign each outgoing email message with its own private key, which is then verified by the receiving server with its public key. The signing process adds a DKIM Signature header field to your email headers which includes information about the email’s source and destination domains, along with a hash of the original message body together with some other details about how it was encrypted and signed.

The receiving server then decodes this information using its public key and compares it against any signatures it has cached for those domains in order to verify whether or not they match up. 

Breaking down the DKIM Record Syntax

Let’s first take the example of a DKIM record: 

Record Name Type  TTL Record Value
selector._domainkey.example.com TXT 3600 v=DKIM1;p=QUFBQUIzTnphQzF5YzJFQUFBQURBUUFCQUFBQWdRQ1kwK3piQ0NlSURzOHYvYTQrMmhNNktxdjhYdEFJRXBpNjFFTEVXMVB0UmpSbkMrTm1FcFhvNUhuR1FPZFRXTGhYUFZVN0d5VWRUYUFVQ01pWEtrUDJHVXFVbHRQRXdvZU5QQVVQU09xQTg2Z1c3Q3o5dEh3czBTalp3alllMUxNWWxHVEQ3SjhJQnpCS2dVMmp5ZFJvVGEzbEp1N1l3czZiU1BMclFoN24wUT09IA==

Record Name: The Name field in your DKIM record syntax is made up of two parts: a DKIM selector and a domain. The selector is a unique string that identifies the sending domain and helps locate the public key published on the domain’s DNS during a DKIM lookup, and it must be unique across all DKIM signing domains. The domain is the address of your DNS record.

Record Type: This field refers to the resource type of your DKIM record syntax. It may be TXT
(text) record, it can also be a CNAME (canonical name) record depending on your provider. 

TTL: The time-to-live for your record, measured in seconds, is the amount of time the record remains valid per session before it expires or gets refreshed. 

Value: Finally, the DKIM value is your public key that is matched against your private key (the signature key in your email header) to authenticate your emails. 

DKIM Email Header Debunked 

v=DKIM1; a=rsa-sha256; 

      d=example.com; s=s1;

      h=from:to:subject;

      bh=YzJFQUFBQURBUUFCQUFBQWdRQ1kwK3piQ0NlSURzOHYvYTQ=; b=AptMld5a1djOUJva1hKWjBkYys5MW5FVXNYRUNvSXJZK0pSdGhVaDRDekNjZ2dEQWJ6RFl1QmVWNkgvN3l1M3drdVllSjVjK0gKSHdKQUtzSk1NNDNBZzdLUERXNFZ0K0lqa3pXWStKck56b3UvalFQbGk1M3MxVTF2c0krOElFSW80ci9xM3ZHd3crc2xOdmRjCkc5L1hnZWlvajJMaktJaHN5QT09Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==

DKIM tag Description
v The version of DKIM in use. The value is always 1, which is the latest version in use.
d The domain name of the email sender
h the email headers used to formulate the DKIM signature (Mail from: Mail to: and Subject headers)
bh The DKIM body hash value (bh= tag) is the actual value of the body hash, which is computed from the body of the message. This value is then stored in a specially formatted header within the message that has been signed by DKIM. The body hash value is used to prove that the message has not been altered since it was signed by DKIM.
b Your DKIM digital signature that contains your DKIM private key.

A DKIM signature is a digital signature (b= tag) that can be used to verify the authenticity of an email message, as well as its content.

How to create a DKIM record with the correct DKIM record syntax?

To make sure you’re creating a record with the correct DKIM record syntax, you can generate a free record using our DKIM record generator tool. 

Enter your selector of choice and domain name, and hit the generate button to create your custom DKIM private and public key pair.

Note that to protect your organization against phishing and spoofing attacks, you need to configure a DMARC analyzer along with DKIM. DMARC helps you align your domains against email authentication protocols and instruct email receivers how to handle bad email!