In this article we explain:
- What is a DKIM Record?
- How do I create a DKIM record for a domain?
- How do I add a DKIM record?
- How can I test my DKIM record?
- Can I have multiple DKIM records?
What is a DKIM Record?
Like SPF, DKIM is an open standard for email authentication (RFC 6376) that DMARC relies on for alignment, and like SPF its public half is published in the domain's DNS, but it is a bit more involved than SPF.
DKIM adds a DKIM-Signature header to each outgoing message. The header carries a digital signature computed with the sending domain's private key, and receivers check it with the matching public key; no certificate is involved. The signature acts like a watermark on the message: a receiver can verify that it really was signed by the domain it claims to come from and that the signed headers and body were not altered in transit.
Each DKIM-Signature header carries everything a receiving server needs to verify it: the signing domain (d=), the selector (s=), the list of headers that were signed, a hash of the body, and the signature value itself. The signature is made, not encrypted, with a DKIM key pair: the originating mail server holds the private key and uses it to sign; the receiving mail server or ISP fetches the other half of the pair, the public key, and uses it to verify the signature. The public key lives in the DKIM record in your domain's DNS as a TXT record.
The DKIM selector is what connects a signature to the right public key: the receiver takes the s= and d= tags from the signature and looks up the TXT record at selector._domainkey.domain. More information about DKIM selectors, and discovering which ones your domain uses, can be found here.
How do I create a DKIM record for a domain?
1 – Create a list of all domains and sending services (such as marketing campaign platforms or invoice generators, also referred to as ESPs) that are authorized to send email on your behalf. Ask each service to enable DKIM signing for your domain and to give you the DNS record to publish, which is either their public key as a TXT value or a CNAME pointing to a key they host under their own selector.
2 – Generate the key pairs. Here are a few options:
- If your organization has its own email server, it may have native DKIM functionality. Check the available documentation for the public/private key generation and policy record creation (or check in with your IT staff who are responsible for the server).
- There are third-party tools available to generate the DKIM record. Note: check with your organization’s security policy prior to utilizing third-party tools.
- To create the keys without a third party, the open-source OpenDKIM project provides the opendkim-genkey tool.
- DKIM keys can also be generated with openssl (genrsa for the private key, rsa -pubout for the public key).
How do I add a DKIM record?
1 – Publish your public key as a text (TXT) record at selector._domainkey.yourdomain (for example, mail2024._domainkey.example.com) with the value v=DKIM1; k=rsa; p=<base64 public key>. A single TXT string holds at most 255 bytes, and a 2048-bit key alone is about 390 characters of base64, so the value has to be split into several quoted strings that receivers join back together before parsing. Check whether your DNS provider's input field does this split for you; if it silently truncates at 255 characters, you may have to work with your provider to increase the size or to create the TXT record itself.
2 – Install the private key on your SMTP server / MTA (mail transfer agent) and configure it to sign outgoing mail with that key and the matching selector. Restrict the private key to the mail service's account: anyone who obtains it can sign mail as your domain.
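The steps above, carried out with openssl, as an added example that is not code from the original article: it generates the key pair, turns the public key into the v=DKIM1 record value, and prints the zone-file line with the value already split into 255-byte strings. It assumes openssl and the usual coreutils are installed; the selector "mail2024" and the domain "example.com" are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original article: generate a DKIM RSA key pair
# with openssl and print the TXT record to publish. Assumes openssl and the usual
# coreutils (fold, sed, tr, mktemp) are on PATH. The selector "mail2024" and the
# domain "example.com" are illustrative placeholders.
set -e

# dkim_keygen SELECTOR [BITS]
# Writes SELECTOR.private (stays on the MTA, never goes in DNS) and SELECTOR.public.
dkim_keygen() {
    selector="$1"; bits="${2:-2048}"
    openssl genrsa -out "$selector.private" "$bits" 2>/dev/null
    chmod 600 "$selector.private"
    openssl rsa -in "$selector.private" -pubout -out "$selector.public" 2>/dev/null
}

# dkim_txt_value SELECTOR
# Prints the record value. The p= tag is the base64 SubjectPublicKeyInfo, which is
# exactly the PEM body with the BEGIN/END lines and line breaks removed.
dkim_txt_value() {
    p=$(grep -v '^-----' "$1.public" | tr -d '\n')
    printf 'v=DKIM1; k=rsa; p=%s\n' "$p"
}

# dkim_zone_line SELECTOR DOMAIN
# Prints the record as a zone-file line. One TXT string holds at most 255 bytes and
# a 2048-bit key alone is 392 characters of base64, so the value is split into
# several quoted strings; a verifier concatenates them before parsing.
dkim_zone_line() {
    chunks=$(dkim_txt_value "$1" | fold -w 255 | while IFS= read -r part; do
        printf '"%s" ' "$part"
    done)
    printf '%s._domainkey.%s. IN TXT ( %s)\n' "$1" "$2" "$chunks"
}

# Work in a scratch directory; on a real MTA the keys would live in its key
# directory (for OpenDKIM, for example, under /etc/opendkim/keys).
cd "$(mktemp -d)"
dkim_keygen mail2024
dkim_zone_line mail2024 example.com
```

If you use OpenDKIM instead, `opendkim-genkey -s mail2024 -d example.com` produces the same two artifacts (mail2024.private and mail2024.txt, the latter already split into 255-byte strings). Either way, only the TXT value is published; the .private file goes to the MTA and nowhere else.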
How can I test my DKIM record?
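The check a practitioner would run on a published record, as an added example that is not code from the original article: it parses the TXT value the way a receiver does, confirms p= decodes to a usable RSA public key, and confirms that key matches the private key the MTA signs with, which is the mismatch that most often makes DKIM fail after a rotation. It assumes openssl, base64 and the usual coreutils are installed; the key, the record and the selector "mail2024" are constructed for the demonstration, and the dig command in the comment is how you would fetch the live value instead.

```shell
#!/bin/sh
# Added example, not code from the original article: check a DKIM TXT record the
# way a receiver parses it, and confirm the published key matches the private key
# the MTA signs with. Assumes openssl, base64, sed, tr and mktemp are on PATH.
# Selector "mail2024" and domain "example.com" are illustrative placeholders.
set -e

# dkim_query_name SELECTOR DOMAIN -> the DNS name a verifier looks up
dkim_query_name() { printf '%s._domainkey.%s\n' "$1" "$2"; }

# dkim_tag RECORD TAG -> value of TAG in a "tag=value; tag=value" list ("" if absent).
# Whitespace inside a value is dropped, since a published p= may be folded.
dkim_tag() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^[[:space:]]*$2=//p" | head -n 1 | tr -d '[:space:]'
}

# dkim_check_record RECORD PRIVATE_KEY_PEM
# Returns 0 only if the record parses, p= decodes to a usable RSA public key, and
# that key's modulus equals the private key's. Prints the reason on failure.
dkim_check_record() {
    rec="$1"; priv="$2"
    v=$(dkim_tag "$rec" v); k=$(dkim_tag "$rec" k); p=$(dkim_tag "$rec" p)
    [ "$v" = "DKIM1" ] || { echo "FAIL: v= must be DKIM1 (got '$v')"; return 1; }
    [ -z "$k" ] || [ "$k" = "rsa" ] || { echo "FAIL: k=$k is not handled by this check"; return 1; }
    # RFC 6376: an empty p= means the key has been revoked
    [ -n "$p" ] || { echo "FAIL: empty p= (key revoked or record mangled)"; return 1; }
    der=$(mktemp)
    printf '%s' "$p" | base64 -d > "$der" 2>/dev/null \
        || { rm -f "$der"; echo "FAIL: p= is not valid base64"; return 1; }
    openssl pkey -pubin -inform DER -in "$der" -noout 2>/dev/null \
        || { rm -f "$der"; echo "FAIL: p= does not decode to a public key"; return 1; }
    m_pub=$(openssl rsa -pubin -inform DER -in "$der" -noout -modulus 2>/dev/null) \
        || { rm -f "$der"; echo "FAIL: p= is not an RSA key"; return 1; }
    rm -f "$der"
    m_priv=$(openssl rsa -in "$priv" -noout -modulus 2>/dev/null)
    [ "$m_pub" = "$m_priv" ] || { echo "FAIL: published key does not match $priv"; return 1; }
    # "Modulus=" is 8 characters; each remaining hex digit is 4 bits
    bits=$(( (${#m_pub} - 8) * 4 ))
    [ "$bits" -ge 1024 ] || { echo "FAIL: $bits-bit key is too short for receivers"; return 1; }
    case "$(dkim_tag "$rec" t)" in
        *y*) echo "note: t=y is set, so receivers treat DKIM failures as testing only" ;;
    esac
    echo "OK: $bits-bit RSA key matches $priv"
}

# --- Constructed demonstration. Make a throwaway key and the record that would be
# published for it, then check it. Against a live zone, fetch the value with
#   dig +short TXT "$(dkim_query_name mail2024 example.com)"
# and pass the concatenated strings to dkim_check_record.
cd "$(mktemp -d)"
openssl genrsa -out mail2024.private 2048 2>/dev/null
pubkey=$(openssl rsa -in mail2024.private -pubout 2>/dev/null | grep -v '^-----' | tr -d '\n')
dkim_check_record "v=DKIM1; k=rsa; p=$pubkey" mail2024.private
# A record whose p= was cut off (for example by a 255-byte input field) must fail
dkim_check_record "v=DKIM1; k=rsa; p=$(printf '%.200s' "$pubkey")" mail2024.private || true
```

Run it against each selector you publish; a record that passes here but still fails at receivers usually means the MTA is signing with a different selector or key file than the one you checked.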
Can I have multiple DKIM records?
A domain can publish as many DKIM records as it needs, typically one per sending server or service, plus the extra record you publish while rotating to a new key. Each record lives under its own selector name (selector._domainkey.yourdomain), and a receiver only fetches the selector named in the signature it is verifying, so the records never conflict. Just make sure that every key uses a different selector name.
Read about the importance of rotating your DKIM keys and automating that process here.