DKIM is an email authentication standard that leverages public/private key cryptography to sign email messages. DKIM records help you check if an incoming email was indeed sent from the domain with which the DKIM key is associated. As a result, a DKIM record enables you to see if an email has been manipulated in transit and whether it’s safe to open.
DKIM exists in your DNS as a TXT (Text) or CNAME (Canonical Name) DNS record. Whether you should use TXT or CNAME depends on a number of factors, explored below.
Key Takeaways
- DKIM is an email authentication standard designed to identify forged email sender addresses.
- DKIM records are always TXT records. However, some providers use CNAME delegation to point your domain to a TXT record hosted on their servers.
- Each of these methods has its own set of advantages and limitations.
- Whether you should choose one or the other depends on what you prioritize: control and security or ease and convenience.
- Common pitfalls include wrong selector format, mixing TXT/CNAME for the same selector, and TTL delays during key rotation.
Understanding DKIM Record Publishing
Let’s walk through what a DKIM record consists of.
What’s in a DKIM Record?
A DKIM record involves a selector, public key, and algorithm. You can generate your DKIM record with PowerDMARC’s online tool.
DKIM Selectors
DKIM selectors allow the recipient’s email server to locate and verify the sender’s public key. It helps identify which DKIM public key to use for verification among multiple ones. You can find it in the DKIM-Signature header of each signed email. It’s the “s=” parameter.
Public Key
The DKIM public key is published in your domain’s DNS as a TXT record (or sometimes a CNAME pointing to your provider’s key). It is used by receiving servers to verify the hash of the message created using the sender’s private key, ensuring email integrity and authenticity.
The key, provided by the organization that sends your email, will be inserted straight into your DNS zone as a TXT record. Alternatively, it will be a CNAME that will point to the key in your provider’s DNS.
Algorithm
The algorithm used for hashing is defined in the a= tag of the DKIM-Signature header (not the DNS record). Supported DKIM signature algorithms are:
- rsa-sha256 (recommended and most common)
- rsa-sha1 (deprecated due to weaker security)
DNS Location & Syntax
The DKIM record is a TXT record containing several tag-value pairs, typically separated by semicolons:
v=DKIM1; k=rsa; p=PUBLIC_KEY
- v=DKIM1 specifies the DKIM version.
- k=rsa, where “k” refers to the key type (RSA is the only one currently supported)
- p=PUBLIC_KEY The actual public key used to verify the signature
Here is an example: selector._domainkey.example.com
Here, “selector” is a unique identifier for the DKIM key, and example.com is your domain.
Method 1 – DKIM as a TXT Record
With this method, your DKIM public key is published as a DNS TXT record at the location selector._domainkey.example.com. Outgoing mail is signed with the private key, and receiving servers use the public key in your DNS to verify the signature.
Pros
- Total control: Using DKIM as a TXT record gives you full control over your DKIM keys and DNS.
- No third-party dependency: You won’t need to rely on third-party providers when using this method. It will give you an enhanced sense of privacy and security as you are the owner of your data.
Cons
- Manual key rotation: You’re responsible for updating keys yourself, which can be tricky for non-technical users.
- Higher misconfiguration risk: DIY setup increases chances of errors that may weaken email security. Use our free DKIM checker to avoid mistakes.
Method 2 – DKIM via CNAME Delegation
This method functions quite differently from the first one. Instead of publishing your DKIM public key directly, you create a CNAME record at selector._domainkey.example.com that points to your email service provider’s (ESP’s) DKIM record.
Once a receiving server looks up your DKIM key, the DNS query follows the CNAME to the ESP’s DNS. This is where the actual TXT record with the public key is hosted. Major providers like SendGrid, Mailchimp, and Amazon SES use this.
Pros
- Automatic key rotation: This method does not require manual updates, and the key rotation is done automatically.
- Easy setup: This method is more suitable for beginners or managing multiple domains. It allows seamless ongoing management without the heavy lifting.
Cons
- Less visibility: Easier setup comes at the cost of limited control and insight into your DKIM keys and DNS.
- CNAME restrictions: Deeply nested or chained CNAMEs can hit DNS resolution limits or cause performance issues. Some providers require specific formats or don’t support CNAME delegation, which can break DKIM if not followed.
TXT vs. CNAME – Which Should You Use?
When deciding whether to use DKIM in TXT vs. CNAME, here is some general advice you should follow.
Use TXT If…
- You self-host your email and have technical expertise
- You want full control over DKIM and DNS.
- You prefer to manage and rotate keys yourself.
Note: In some cases, your provider might require direct TXT entry, making this method non-optional.
Use CNAME If…
- You use an ESP like Mailchimp, SES, or SendGrid.
- You prefer automated DKIM management.
- You lack the time or technical expertise for manual setup.
Mixing TXT/CNAME for the same selector
DNS does not permit having both a TXT and a CNAME record at the same domain name (i.e., the same DKIM selector). Use only one record type (TXT or CNAME) per selector. Choose TXT for manual control or CNAME if delegating to an ESP.
Real-World Examples
If you’re looking for examples of DKIM in TXT vs. CNAME, here is one for each, with a concise description.
DKIM TXT Example
google._domainkey.example.com. IN TXT “v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG…”
This record directly stores the DKIM public key in your DNS under the specified selector and domain.
DKIM CNAME Example
em1234._domainkey.example.com. IN CNAME em1234.example.dkim.emailsvc.com.
This record delegates the DKIM key lookup to a third-party provider by pointing to their hosted DKIM record.
Summing Up
The choice of DKIM in TXT vs. CNAME might seem like a tough one. Both methods work fine, and both are commonly used, so the decision is most often up to you. Your choice will often depend on whether you prioritize full, direct control over convenience, or vice versa.
Whatever your ultimate choice is, always audit the current DKIM setup for compliance. This can help you prevent security gaps and ensure the highest level of safety for your communications!
