An effective way to ensure your emails are not tampered with on their way to delivery is authentication. Domain-based authentication methods and protocols are significantly effective against email-based cyber attacks, and they also help improve the deliverability of your legitimate emails. DKIM is one such protocol.
It’s based on public key cryptography, and it works by adding a digital signature to the message header. When the receiver gets an email with DKIM, they check the digital signature to make sure it is valid. If it is, then they know the message has remained unaltered during the transfer.
Key Takeaways
- DKIM uses public key cryptography to add a digital signature to the email header, enabling verification of message integrity during delivery.
- Establishing a DKIM record in DNS helps mail servers confirm that messages originate from an authenticated source, preventing unauthorized modifications.
- Implementing DKIM can significantly reduce the chances of email fraud, domain spoofing, and the likelihood of emails being marked as spam.
- DKIM should be paired with DMARC for comprehensive email security, providing a layered approach against spoofing while improving deliverability.
- Regularly checking and monitoring your DKIM configuration ensures its effectiveness and helps maintain email reputation.
What is DKIM?
DKIM stands for DomainKeys Identified Mail. It is an email authentication protocol that allows senders to prevent email content from being altered during the delivery process.
What is a DKIM Header?
A DKIM header is a part of an email that contains the cryptographic DKIM signature. This signature is added by the sender’s mail server. During the authentication process, the signature field in the DKIM header helps verify the authenticity of outbound messages. It helps receivers confirm that the email is genuine and comes from a legitimate sender.
What are DKIM Keys?
DKIM keys are cryptographic private and public key pairs used in DKIM authentication.
- Public Key: The DKIM public key is stored in the sender’s DNS and is used by receiving mail servers to verify DKIM signatures.
- Private Key: The DKIM private key is stored in the sender’s mail server and is used to generate the signature that is appended to each outgoing message as a part of the DKIM header.
How Does DKIM Work?
During the DKIM authentication process, the sender’s domain generates a pair of cryptographic keys, and when an email is sent, the sending server adds a DKIM signature to the message header using the private key.
The sender’s domain publishes the public key in a DNS record. Upon receiving the email, the recipient’s server retrieves the DKIM signature, queries the DNS for the public key, and verifies the signature’s integrity by comparing it to a computed hash of the email’s headers and body. If the signature is valid, the email is considered authentic and unaltered, protecting against forgery and tampering.
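The receiver-side check described above, as an added example (not PowerDMARC's code): it parses a DKIM-Signature value, derives the DNS name where the public key is published from the s= and d= tags, and recomputes the body hash carried in the bh= tag. It assumes rsa-sha256 with relaxed body canonicalization and stops short of the RSA check of b=, which needs a crypto library; the message body, domain.com and s1 are sample values.

```python
import base64
import hashlib
import hmac
import re

def parse_tags(value: str) -> dict:
    """Split a 'tag=value; tag=value' list (DKIM header or DNS record) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)  # folding whitespace is not significant
    return tags

def relaxed_body(body: bytes) -> bytes:
    """'relaxed' body canonicalization: collapse runs of spaces/tabs, strip
    trailing whitespace on each line, drop empty lines at the end of the body."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def make_header(body: bytes, domain: str, selector: str) -> str:
    """Sender side, hash part only. b= (the RSA signature) is left as a placeholder."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector};\r\n"
            f"\th=from:to:subject; bh={body_hash(body)};\r\n\tb=PLACEHOLDER")

def check_body(header_value: str, body: bytes) -> dict:
    """Receiver side: find where the public key lives and re-check the body hash."""
    tags = parse_tags(header_value)
    if tags.get("a") != "rsa-sha256" or not tags.get("c", "").endswith("/relaxed"):
        raise ValueError("this example handles only rsa-sha256 with relaxed body canonicalization")
    return {
        "dns_name": f"{tags['s']}._domainkey.{tags['d']}",  # TXT record holding p=
        "body_intact": hmac.compare_digest(body_hash(body), tags["bh"]),
    }

if __name__ == "__main__":
    # Constructed sample message body and signing domain/selector.
    sent = b"Hello,\r\n\r\nYour invoice is attached.\r\n"
    header = make_header(sent, "domain.com", "s1")
    print(check_body(header, sent))
    print(check_body(header, sent.replace(b"invoice", b"payment link")))
```

Trailing blank lines or whitespace added by a relay do not change the relaxed body hash, while any change to the visible content does.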
How Do I Know DKIM is Working?
To verify that DKIM is indeed working for your domain, you can check your DKIM configuration using our free DKIM checker tool.
What is a DKIM record?
A DKIM record is a set of machine-level instructions that are added to your DNS settings, and it tells the internet that the messages are coming from an authenticated source, allowing mail servers to verify that a message has not been altered en route to its destination.
DKIM signature
A DKIM signature is a cryptographic signature added to the header of an email message that verifies its authenticity and ensures it has not been tampered with during transit.
DKIM selector
A DKIM selector is a unique identifier for a DKIM signing domain. It is an alphanumeric string value defined in the s= tag in your DKIM email header, and it should be distinguishable and different for every email vendor you use.
For example, in the DKIM record s1._domainkey.domain.com, s1 is your selector.
DKIM Record Example
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA…
What are the Benefits of DKIM?
Businesses need DKIM to authenticate their outgoing emails and ensure their legitimacy. DKIM plays a pivotal role in defending against MITM attacks and unwarranted changes made to email content by third parties.
DKIM prevents message alterations
If you are asking what DKIM does to prevent email fraud, consider this: the digital signature acts as a failsafe that will not validate if the email has been intercepted and altered, so the email gets rejected.
DKIM minimizes domain spoofing
An email sent by an attacker through your domain won’t have your private signature on it, so it will fail to authenticate. This is another way DKIM protects your organization.
DKIM reduces email spam
DKIM is popularly known for reducing spam emails. Configuring DKIM will greatly reduce the chances of your email ending up in the spam folder, especially with an email marketing campaign.
DKIM boosts email deliverability
Moreover, when you set up DKIM, it improves your reputation as a verified source in the eyes of customers, partners, and other services.
What are the limitations of DKIM?
DKIM is extremely important for message authentication; however, it is not perfect. Here are some of its limitations:
- DKIM doesn’t authenticate the sender of an email. It only authenticates the sender’s domain name. So if someone has access to your email account, they can send emails in your name even if you have DKIM enabled!
- DKIM requires public DNS records for verification. If your public DNS records aren’t set up correctly or if they don’t match what’s in your private DNS records (which is often the case for small businesses), this can lead to DKIM failures!
- DKIM doesn’t stop spam or phishing attempts on its own. It just makes them harder for bots to carry out successfully, because they need access to your private keys before they can forge a valid signature. Pairing it with DMARC is therefore essential.
Pairing up DKIM with DMARC
Pairing DKIM with DMARC is ideal for well-rounded protection while ensuring smooth email deliverability! If you use both of them, you’re more likely to avoid getting blacklisted by spam filters, which means your emails will get delivered to your recipients.
In addition, using both protocols helps protect your brand—spammers often try to spoof domains they think will be less likely to report them as spam. But if the domains they’re spoofing actually have DKIM set up, it’ll make it harder for them to get away with their trickery.
The beauty of pairing them up is that they work together seamlessly to provide multiple layers of protection against spoofing attempts while giving senders options on how they want their mail handled in case something goes wrong during the delivery process.
Enable DKIM with PowerDMARC
PowerDMARC empowers domain owners to set up DKIM along with hands-on monitoring that helps them stay on top of errors at all times, ensuring deliverability while actively combating cyberattacks.
Our platform is easy to use for businesses of all sizes and can handle multiple domains and large volumes of email traffic. We provide an effective DKIM solution paired with several other essential email authentication protocols for 360-degree protection against email fraud.
Get your DKIM and DMARC setup in just minutes with PowerDMARC!
Frequently Asked Questions on DKIM
How to set up DKIM?
To set up DKIM, you need to generate a private key and a corresponding public key on your mail server with a DKIM record generator. Then, configure your server to sign outgoing emails with the private key and publish the public key as a DNS TXT record for your domain.
How to check your DKIM record?
To check your DKIM record, you can use our free DKIM checker tool. Simply enter your domain name or the specific DKIM selector you want to check and it will report whether the DKIM record is properly set up or if any issues are detected.
What is the difference between SPF and DKIM?
While both are email authentication protocols, SPF focuses on authorizing the IP addresses that send mail for the domain, while DKIM focuses on verifying the email’s integrity and origin.
Can I use the same DKIM key for multiple domains?
No, you cannot use the same DKIM key for multiple domains. Each domain requires its own unique DKIM key pair. This ensures that the DKIM signatures are domain-specific and maintains the security and integrity of email authentication for each individual domain.
Does Office 365 use DKIM?
Yes, Office 365 supports DKIM. You can configure DKIM signing for your Office 365 domain by generating the necessary DKIM keys and publishing the public key as a DNS TXT record for your domain.
Can I use DMARC without DKIM?
While DKIM is not a mandatory requirement for DMARC (Domain-based Message Authentication, Reporting, and Conformance) implementation, it is highly recommended.
Do I need DMARC if I have DKIM implemented?
While DKIM provides email authentication on its own, a DMARC analyzer adds an additional layer of control and reporting. While DKIM is not a prerequisite for DMARC, combining DKIM with DMARC yields better email security and visibility into email authentication practices.
What are DomainKeys Identified Mail issues?
There can be several issues surrounding your DKIM implementation. From errors with record configuration and syntax to expired DKIM keys, and improper alignment between headers – each of these problems may result in authentication failures and deliverability issues.
How long does it take to set up a DKIM record?
Simply setting up DKIM records for your domains can take anywhere between a few minutes to a few hours or as long as your DNS requires to propagate changes for the newly created record. Post setup, periodic monitoring is the recommended practice as long as you have implemented the protocol.
What happens when the DKIM fails?
On an occasion when DKIM fails for your email, it may get flagged as spam or suspicious on the receiver’s side. Depending on your DMARC policy, the mail may even get rejected. Implementing SPF as a fall-back mechanism can be a good option when you are using DKIM with DMARC.
Do I Need SPF and DKIM?
SPF and DKIM are independent protocols that can each be used on their own to authenticate your emails. Implementing SPF, DKIM, and DMARC together makes a power-packed trio that boosts your defenses against spoofing and email phishing attacks.
- What is a DKIM record and why is it important? - February 16, 2025