DKIM Records: How to Create and Add to Your DNS
In this article we explain:
- What is a DKIM Record?
- How do I create a DKIM record?
- How do I add a DKIM record?
- How can I test my DKIM record?
- Can I have multiple DKIM records?
Like SPF, DKIM is an open standard for email authentication that DMARC uses for alignment, and, like SPF, it is published in your domain’s DNS, but it is a bit more complicated than SPF.
DKIM adds a signature header to each email, secured with a public/private key pair. This DKIM signature acts like a watermark for email: receivers can verify that the email really came from the domain it claims to come from and that the signed content has not been tampered with in transit.
Each DKIM signature carries all the information a receiving server needs to verify it: the signing domain, the selector, the list of signed headers and the hash algorithm used. The signature is not encryption; it is computed with the “private key,” which only the originating mail server holds, and checked by the receiving mail server or ISP with the other half of the keypair, the “public key.” The public key is published in a DKIM TXT record in your domain’s DNS.
The DKIM selector (the s= tag in the signature) tells the receiver which record to look up: the public key lives at selector._domainkey.yourdomain.com, so one domain can publish several keys under different selectors. More information about DKIM selectors, and discovering which ones your domain uses, can be found here.
How do I create a DKIM record?
1 – Create a list of all domains and sending services (such as marketing campaign platforms or invoice generators, also referred to as ESPs) that are authorized to send email on your behalf. Contact each one, ask them to configure DKIM signing for your domain, and request the public key you need to publish (some providers instead supply a CNAME record that points at a key they host).
2 – Generate the key pairs. Here are a few options:
- If your organization has its own email server, it may have native DKIM functionality. Check the available documentation for the public/private key generation and policy record creation (or check in with your IT staff who are responsible for the server).
- There are third-party tools available to generate the DKIM record. Note: check with your organization’s security policy prior to utilizing third-party tools.
- A simple way to generate a DKIM key pair is via a unix machine with OpenSSL installed. Begin with the following commands:
$ openssl genrsa -out rsa.private 2048
$ openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM
Use a 2048-bit key: RFC 8301 requires verifiers to accept keys of at least 1024 bits and recommends 2048, and 1024-bit RSA is no longer considered adequate for signing.
The command results in two files, rsa.private and rsa.public. The rsa.private file contains your private key; the rsa.public file contains the corresponding public key.
How do I add a DKIM record?
1 – Publish your public key to DNS as a text (TXT) record named selector._domainkey.yourdomain.com, where the selector is a label you choose (for example the year and month the key was created). The record’s content is v=DKIM1; k=rsa; p=<public key>, where <public key> is the contents of rsa.public with the BEGIN/END lines and line breaks removed. Each individual string in a TXT record holds at most 255 characters, and a 2048-bit key is about 410 characters including the tags, so the value has to be split into several quoted strings, which resolvers join back together without separators. Check how your DNS provider’s interface handles this: some split long values automatically, while others require you to enter the quoted strings yourself or to ask the provider to create the record for you.
2 – Install the private key on your SMTP server / MTA (mail transfer agent) and configure it to sign outgoing mail with that selector. Treat the private key like a password: restrict its file permissions to the signing process, never publish it, and keep it out of shared or backup locations where it could leak, because anyone who obtains it can sign mail as your domain.
How can I test my DKIM record?
Feel free to use our DKIM Inspector, a free diagnostic tool that you can use to test your DKIM settings if you’ve already started implementing DKIM for your domain(s). Our free DKIM Validator can help you verify that your DKIM record is correctly formatted.
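The two chores above, turning rsa.public into the TXT record described under “How do I add a DKIM record?” and checking what is actually published, can be scripted. The script below is an added example written for this article; it is not dmarcian’s DKIM Inspector, DKIM Validator or any other tool mentioned here. It builds the selector._domainkey name and the 255-character TXT strings from a PEM public key, then parses a record’s tags and reads the RSA modulus size out of the p= value so you can catch missing, revoked or undersized keys. The PEM it feeds in is constructed inside the script with a dummy modulus so it runs offline; it is not a real key, and the function names (build_dkim_txt, check_dkim_record and the rest) are this example’s own.

```python
import base64

# Added example, not dmarcian's code. The "sample" key below is constructed for
# the demo with a dummy modulus: NOT a usable RSA key, only the right DER shape.
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

def _der(tag, body):
    """Minimal DER TLV encoder (definite-length form only)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def _der_int(value):
    b = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:  # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return _der(0x02, b)

def sample_public_key_pem(bits):
    """Constructed SubjectPublicKeyInfo PEM with a dummy modulus of `bits` bits."""
    modulus = (1 << (bits - 1)) | 1
    rsa_pub = _der(0x30, _der_int(modulus) + _der_int(65537))
    alg_id = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")
    spki = _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))
    b64 = base64.b64encode(spki).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def build_dkim_txt(selector, domain, pem, max_string=255):
    """Return (record name, TXT strings) for a PEM public key such as rsa.public."""
    p = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    value = f"v=DKIM1; k=rsa; p={p}"
    # Each string in a TXT record holds at most 255 characters; resolvers join
    # the strings without separators, so the value can be cut at any position.
    strings = [value[i:i + max_string] for i in range(0, len(value), max_string)]
    return f"{selector}._domainkey.{domain}.", strings

def _der_read(buf, pos):
    """Return (tag, body, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Modulus size of a DER SubjectPublicKeyInfo carrying an rsaEncryption key."""
    tag, body, _ = _der_read(spki, 0)
    _, alg_id, pos = _der_read(body, 0)
    oid_tag, oid, _ = _der_read(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption public key")
    bits_tag, bit_string, _ = _der_read(body, pos)
    if bits_tag != 0x03:
        raise ValueError("public key BIT STRING missing")
    _, rsa_pub, _ = _der_read(bit_string[1:], 0)  # skip the unused-bits byte
    _, modulus, _ = _der_read(rsa_pub, 0)  # RSAPublicKey ::= SEQUENCE { n, e }
    return int.from_bytes(modulus, "big").bit_length()

def parse_dkim_tags(strings):
    """tag=value pairs of a record, joining the TXT strings as a resolver does."""
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def check_dkim_record(strings):
    """Return (problems, modulus_bits); no problems means the record is usable."""
    problems, tags = [], parse_dkim_tags(strings)
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unsupported key type k={tags['k']}")
    if "p" not in tags:
        return problems + ["required p= tag is missing"], 0
    p = "".join(tags["p"].split())  # whitespace inside the base64 is permitted
    if not p:
        return problems + ["p= is empty, which means the key is revoked"], 0
    try:
        bits = rsa_modulus_bits(base64.b64decode(p, validate=True))
    except (ValueError, IndexError) as exc:
        return problems + [f"p= is not a valid RSA public key: {exc}"], 0
    if bits < 1024:
        problems.append(f"{bits}-bit key is below the 1024-bit minimum of RFC 8301")
    elif bits < 2048:
        problems.append(f"{bits}-bit key works but is below the recommended 2048 bits")
    return problems, bits

if __name__ == "__main__":
    name, strings = build_dkim_txt("s1", "example.com", sample_public_key_pem(2048))
    print(name, "IN TXT", " ".join(f'"{s}"' for s in strings))  # zone-file form
    print(check_dkim_record(strings))
```

To check a record you have actually published, query selector._domainkey.yourdomain.com for TXT with a tool such as dig and pass the returned quoted strings, in order, to check_dkim_record. Feeding it your own rsa.public through build_dkim_txt first also shows you exactly how many strings your provider will need to store.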
Can I have multiple DKIM records?
A domain can have as many DKIM records (public keys) as it needs; there is no practical limit, and every server or sending service should get its own key. Just make sure that each one is published under a different selector name, so that a key can be rotated or revoked without affecting the others.
Read about the importance of rotating your DKIM keys and automating that process here.
If you have any questions about DKIM records or deploying DMARC, don’t hesitate to contact us.
We’re Here to Help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul.
Want to continue the conversation? Head over to the dmarcian Forum.