DKIM Record Syntax
by
Last Updated: 4 min read
DKIM is a mechanism to verify the source of a message. It uses public-key cryptography to sign the contents of your email so that anyone who receives it can check whether it has been tampered with in transit. The DKIM record syntax of your TXT record Name is selector._domainkey.example.com. In our example, the selector is the DKIM-signer, which means that we’re signing for the domain example.com.
Key Takeaways
- DKIM uses public-key cryptography to verify the source and integrity of email messages.
- A DKIM record is an entry in DNS that specifies how emails from your domain are authenticated.
- The DKIM signing process includes a digital signature in the email header that helps verify its authenticity.
- Understanding the components of a DKIM record, such as the record name, type, and value, is essential for proper configuration.
- Using DKIM alongside DMARC provides an additional layer of security against email spoofing and phishing attacks.
What is a DNS DKIM Record?
A DKIM record is an entry in your DNS (Domain Name System) that tells other mail systems how you want your mail to be authenticated. It includes information like your record name, how long you want the record to live, and what key you want to use.
If a sender wants to send you an email message with DKIM authentication, they will generate an encrypted hash of their message. They then include this cryptic code as part of the header when they send it out so recipients can verify whether or not the message has been tampered with since it left the sender’s server.
Simplify DKIM Record Syntax with PowerDMARC!
How does DKIM authenticate emails?
DKIM uses public key cryptography to digitally sign each outgoing email message with its own private key, which is then verified by the receiving server with its public key. The signing process adds a DKIM Signature header field to your email headers which includes information about the email’s source and destination domains, along with a hash of the original message body together with some other details about how it was encrypted and signed.
The receiving server then decodes this information using its public key and compares it against any signatures it has cached for those domains in order to verify whether or not they match up.
Breaking down the DKIM Record Syntax
Let’s first take the example of a DKIM record:
| Record Name | Type | TTL | Record Value |
| selector._domainkey.example.com | TXT | 3600 | v=DKIM1;p=QUFBQUIzTnphQzF5YzJFQUFBQURBUUFCQUFBQWdRQ1kwK3piQ0NlSURzOHYvYTQrMmhNNktxdjhYdEFJRXBpNjFFTEVXMVB0UmpSbkMrTm1FcFhvNUhuR1FPZFRXTGhYUFZVN0d5VWRUYUFVQ01pWEtrUDJHVXFVbHRQRXdvZU5QQVVQU09xQTg2Z1c3Q3o5dEh3czBTalp3alllMUxNWWxHVEQ3SjhJQnpCS2dVMmp5ZFJvVGEzbEp1N1l3czZiU1BMclFoN24wUT09IA== |
Record Name: The Name field in your DKIM record syntax is made up of two parts: a DKIM selector and a domain. The selector is a unique string that identifies the sending domain and helps locate the public key published on the domain’s DNS during a DKIM lookup, and it must be unique across all DKIM signing domains. The domain is the address of your DNS record.
Record Type: This field refers to the resource type of your DKIM record syntax. It may be TXT
(text) record, it can also be a CNAME (canonical name) record depending on your provider.
TTL: The time-to-live for your record, measured in seconds, is the amount of time the record remains valid per session before it expires or gets refreshed.
Value: Finally, the DKIM value is your public key that is matched against your private key (the signature key in your email header) to authenticate your emails.
DKIM Email Header Debunked
v=DKIM1; a=rsa-sha256;
d=example.com; s=s1;
h=from:to:subject;
bh=YzJFQUFBQURBUUFCQUFBQWdRQ1kwK3piQ0NlSURzOHYvYTQ=; b=AptMld5a1djOUJva1hKWjBkYys5MW5FVXNYRUNvSXJZK0pSdGhVaDRDekNjZ2dEQWJ6RFl1QmVWNkgvN3l1M3drdVllSjVjK0gKSHdKQUtzSk1NNDNBZzdLUERXNFZ0K0lqa3pXWStKck56b3UvalFQbGk1M3MxVTF2c0krOElFSW80ci9xM3ZHd3crc2xOdmRjCkc5L1hnZWlvajJMaktJaHN5QT09Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
| DKIM tag | Description |
| v | The version of DKIM in use. The value is always 1, which is the latest version in use. |
| d | The domain name of the email sender |
| h | the email headers used to formulate the DKIM signature (Mail from: Mail to: and Subject headers) |
| bh | The DKIM body hash value (bh= tag) is the actual value of the body hash, which is computed from the body of the message. This value is then stored in a specially formatted header within the message that has been signed by DKIM. The body hash value is used to prove that the message has not been altered since it was signed by DKIM. |
| b | Your DKIM digital signature that contains your DKIM private key. |
A DKIM signature is a digital signature (b= tag) that can be used to verify the authenticity of an email message, as well as its content.
How to create a DKIM record with the correct DKIM record syntax?
To make sure you’re creating a record with the correct DKIM record syntax, you can generate a free record using our DKIM record generator tool.
Enter your selector of choice and domain name, and hit the generate button to create your custom DKIM private and public key pair.
Note that to protect your organization against phishing and spoofing attacks, you need to configure a DMARC analyzer along with DKIM. DMARC helps you align your domains against email authentication protocols and instruct email receivers how to handle bad email!
Domain & Email Security Expert at PowerDMARC
Ahona is the Marketing Manager at PowerDMARC, with 5+ years of experience in writing about cybersecurity topics, specializing in domain and email security. Ahona holds a post-graduation degree in Journalism and Communications, solidifying her career in the security sector since 2019.
Latest posts by Ahona Rudra (see all)
