DKIM keys setup guide
March 19, 2024
...or all you need to know about DKIM records
Email remains a cornerstone of modern communication. With the rise in email spoofing, phishing, and cyberattacks, ensuring the authenticity of emails has become essential. DomainKeys Identified Mail (DKIM) is one of the key technologies designed to verify that emails are genuinely from the sender they claim to be and have not been altered in transit.
This article explores DKIM, how it works, why it’s essential for securing email communication, and best practices for implementing it securely.
What is DKIM and how does it work?
DKIM (DomainKeys Identified Mail) is a widely adopted email authentication method. It adds a digital signature to outgoing emails, allowing the recipient’s server to verify that the message was sent by the claimed domain and remains unaltered. This signature is created using cryptographic techniques, adding a layer of security that helps prevent email spoofing and protects the integrity of the message content.
A brief history of DKIM
DKIM originated from two projects: Yahoo's DomainKeys and Cisco's Identified Internet Mail. These efforts merged in 2004 to form DKIM, which was standardized by the Internet Engineering Task Force (IETF) in 2007. Since then, DKIM has become a standard email security practice, implemented by most major email service providers to mitigate the risk of spoofing and other email-borne threats.
How DKIM works: step-by-step
Here’s a breakdown of the DKIM process:
Digital signature creation. When an email is sent, the sending server uses the domain’s unique private key to create a digital signature. This signature is added to the email headers.
DNS public key. The domain's public key is stored in the DNS as a DKIM TXT record. This key is used by receiving servers to verify the signature. The DKIM record also includes a selector to specify which public key to use for validation.
Verification on receipt. The receiving email server queries the DNS for the sender’s DKIM public key. It uses this key to validate the email's digital signature and confirms that the email originated from the claimed domain and has not been modified.
Decision to trust. If the verification succeeds, the email is considered trustworthy and is delivered to the recipient’s inbox. If it fails, the email may be flagged as suspicious, depending on the recipient server’s policy.
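The "has not been modified" part of step 3 is checked by recomputing the body hash carried in the DKIM-Signature header (the bh= tag) over the canonicalized body and comparing it with the value the signer recorded. The example below is an added illustration, not code from the original article: it implements the simple and relaxed body canonicalization rules of RFC 6376, computes bh=, and checks a constructed message. The RSA signature over the headers (the b= tag) is not shown, so the sample message carries a placeholder in b=; the sender, domain and selector values are likewise constructed.

```python
import base64
import hashlib
import re


def canonicalize_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Body canonicalization per RFC 6376 section 3.4.3 (simple) and 3.4.4 (relaxed)."""
    if mode not in ("simple", "relaxed"):
        raise ValueError(f"unknown canonicalization {mode!r}")
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of SP/TAB to a single SP and drop trailing whitespace on each line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Both modes ignore empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """The bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode()


def split_message(raw: bytes):
    """Headers and body are separated by the first empty line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body


def dkim_signature_tags(head: bytes) -> dict:
    """Locate the DKIM-Signature header (unfolding continuation lines) and return its tags."""
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head)
    for line in unfolded.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"dkim-signature":
            tags = {}
            for item in value.decode().split(";"):
                key, _, val = item.partition("=")
                if key.strip():
                    # whitespace inside tag values is not significant
                    tags[key.strip()] = re.sub(r"\s+", "", val)
            return tags
    raise ValueError("no DKIM-Signature header found")


def verify_body_hash(raw: bytes) -> bool:
    """Receiver-side check: does the body still hash to the bh= the signer recorded?"""
    head, body = split_message(raw)
    tags = dkim_signature_tags(head)
    # c= is "header/body"; the body algorithm defaults to simple when omitted.
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    return tags.get("bh") == body_hash(body, body_mode)


def make_message(body: bytes, mode: str = "relaxed") -> bytes:
    """Constructed sample message with a real bh= and a placeholder b= (signing not shown)."""
    sig = (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/" + mode.encode()
           + b"; d=example.com; s=sel1;\r\n\th=from:to:subject; bh="
           + body_hash(body, mode).encode() + b";\r\n\tb=PLACEHOLDER")
    return (b"From: alice@example.com\r\nTo: bob@example.net\r\nSubject: test\r\n"
            + sig + b"\r\n\r\n" + body)


if __name__ == "__main__":
    msg = make_message(b"Invoice attached.\r\nPay by Friday.\r\n")
    print("intact body:", verify_body_hash(msg))
    print("edited body:", verify_body_hash(msg.replace(b"Friday", b"Monday")))
```

Running it shows why relaxed canonicalization exists: a message whose whitespace was reflowed in transit still verifies under relaxed but fails under simple, whereas any change to the actual words fails under both.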
Importance of DKIM key length and security best practices
DKIM’s effectiveness in preventing email spoofing relies on the strength of its cryptographic keys. Originally, 512- and 1024-bit DKIM keys were common, but in recent years security experts have found these key lengths increasingly vulnerable to attack, since the private key can be recovered from the public key at such lengths.
The recommendation is to use 2048-bit DKIM keys, which provide a higher level of security and make it significantly harder for attackers to crack the key through brute force. Major email service providers and platforms recommend using 2048-bit keys for stronger security.
To implement this best practice:
Generate a 2048-bit key pair. When setting up DKIM, ensure that you generate a 2048-bit key pair instead of the default 1024-bit option.
Verify key length compatibility. Some older DNS providers may have issues with larger keys. Ensure your DNS provider supports 2048-bit DKIM keys.
Rotate DKIM keys regularly. To maintain a high level of security, rotate your DKIM keys periodically (e.g., every 6-12 months) and update your DNS records accordingly.
Understanding DKIM Records
A DKIM record is a DNS TXT record containing the public key used by receiving servers to authenticate your emails. Here are the key components of a DKIM record:
- Selector: the "name" of the DKIM key, used to locate the record in the DNS.
- v=DKIM1: specifies the DKIM version.
- p=public_key: the actual public key, used to verify the email’s DKIM signature.
Having a DKIM record allows receiving servers to verify that messages sent from your domain are genuine and have not been tampered with.
Setting up a DKIM record for your domain
Setting up DKIM requires configuration of your DNS and email server. Here’s how to create and implement a DKIM record:
Generate a 2048-bit key pair. Create a DKIM key pair (public and private key) with 2048-bit length. Many email service providers, such as Google Workspace and Microsoft 365, offer tools to generate these keys.
Add the public key to DNS. Add the public key to your domain’s DNS as a TXT record. The record name should include the selector chosen when generating the keys.
Configure the private key. Set up your email server to use the private key to sign outgoing emails.
Test the setup. Use a DKIM checker tool to ensure that the DKIM signature is working correctly and that emails are successfully passing DKIM verification.
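The record components listed above and steps 1, 2 and 4 of this setup can be exercised offline. The following is an added example, not code from the original article or from any provider's tooling: it encodes an RSA public key into the DER SubjectPublicKeyInfo form that goes into the p= tag, builds the selector._domainkey record, parses a DKIM TXT record back into its tags (including zone-file values split into several quoted strings), and reads the modulus size out of the key so that anything below the 2048 bits recommended earlier is flagged. The moduli used are constructed placeholder integers of the right size, not real RSA keys, since the size check only depends on the modulus length; the selector and domain names are likewise constructed.

```python
import base64
import re

MIN_RSA_BITS = 2048  # the recommended minimum from the section above
# OBJECT IDENTIFIER 1.2.840.113549.1.1.1 (rsaEncryption), DER encoded
RSA_OID = bytes.fromhex("06092a864886f70d010101")


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(payload)) + payload


def _der_int(x: int) -> bytes:
    b = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:  # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return _der(0x02, b)


def rsa_spki_der(n: int, e: int) -> bytes:
    """DER SubjectPublicKeyInfo for an RSA key: the bytes inside a PEM public key file."""
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))
    alg_id = _der(0x30, RSA_OID + b"\x05\x00")  # rsaEncryption with NULL parameters
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))


def _tlv(buf: bytes, pos: int):
    """Read one tag/length/value element; return (tag, value, position after it)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        k = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + ln], pos + ln


def rsa_modulus_bits(der: bytes) -> int:
    """Walk the SubjectPublicKeyInfo down to the RSA modulus and return its bit length."""
    tag, spki, _ = _tlv(der, 0)
    tag2, alg_id, pos = _tlv(spki, 0)
    if tag != 0x30 or tag2 != 0x30 or not alg_id.startswith(RSA_OID):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    _, bit_str, _ = _tlv(spki, pos)
    _, rsa_pub, _ = _tlv(bit_str[1:], 0)  # skip the unused-bits byte of the BIT STRING
    tag, modulus, _ = _tlv(rsa_pub, 0)
    if tag != 0x02:
        raise ValueError("modulus INTEGER missing")
    return int.from_bytes(modulus, "big").bit_length()


def build_dkim_record(selector: str, domain: str, spki_der: bytes):
    """Step 2: the DNS name and TXT value publishing the public key under the selector."""
    name = f"{selector}._domainkey.{domain}."
    value = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_der).decode()
    return name, value


def parse_dkim_record(txt: str) -> dict:
    """Parse a DKIM TXT record into tag=value pairs (RFC 6376 tag-list syntax)."""
    # Zone files split long values into several quoted strings; join them first.
    pieces = re.findall(r'"((?:[^"\\]|\\.)*)"', txt)
    if pieces:
        txt = "".join(pieces)
    tags = {}
    for item in txt.split(";"):
        if not item.strip():
            continue
        key, sep, val = item.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {item.strip()!r}")
        tags[key.strip()] = re.sub(r"\s+", "", val)  # whitespace in values is insignificant
    return tags


def check_dkim_record(txt: str) -> dict:
    """Step 4 from the auditor's side: version, key presence, and key size."""
    tags = parse_dkim_record(txt)
    findings, bits = [], None
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append(f"unexpected version tag v={tags['v']}")
    if "p" not in tags:
        findings.append("p= tag is missing")
    elif tags["p"] == "":
        findings.append("p= tag is empty: the key has been revoked")
    elif tags.get("k", "rsa") == "rsa":
        bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
        if bits < MIN_RSA_BITS:
            findings.append(f"{bits}-bit RSA key is below the recommended {MIN_RSA_BITS} bits")
    return {"tags": tags, "bits": bits, "findings": findings}


if __name__ == "__main__":
    # Constructed placeholder moduli (odd integers of the target size, not real RSA keys).
    strong = rsa_spki_der((1 << 2047) | 1, 65537)
    weak = rsa_spki_der((1 << 1023) | 1, 65537)
    name, value = build_dkim_record("sel1", "example.com", strong)
    # Simulate a zone file that splits the TXT value into 255-character strings.
    zone_value = " ".join(f'"{value[i:i + 255]}"' for i in range(0, len(value), 255))
    print(name, check_dkim_record(zone_value))
    print(check_dkim_record(build_dkim_record("old", "example.com", weak)[1]))
```

In practice the p= value comes from the PEM public key your provider or openssl produced, with its header, footer and line breaks removed; the parser above tolerates wrapped base64 and split TXT strings because both are common when a 2048-bit key (over 400 characters) is entered into a DNS console.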
DKIM, SPF, and DMARC: A holistic approach to email security
While DKIM is essential, it works best alongside other email security protocols like SPF and DMARC:
Sender Policy Framework (SPF) - specifies which IP addresses are authorized to send emails for your domain, helping prevent spoofing.
Domain-based Message Authentication, Reporting & Conformance (DMARC) - establishes policies for handling emails that fail SPF or DKIM checks, adding reporting and enforcement capabilities.
Together, DKIM, SPF, and DMARC provide a comprehensive framework for email authentication, significantly reducing the risk of spoofing and phishing.
Why DKIM is important
DKIM is crucial for protecting both email senders and recipients. Here’s why it matters:
Prevents Email Spoofing - by verifying that an email genuinely originates from the sender’s domain, DKIM helps prevent email spoofing, where attackers attempt to impersonate legitimate senders.
Enhances Deliverability - messages with a valid DKIM signature are more likely to reach the inbox instead of being flagged as spam. Email providers like Gmail and Yahoo incorporate DKIM into their spam filters.
Increases Domain Reputation - consistently sending DKIM-signed emails boosts domain reputation, positively impacting deliverability rates.
DKIM FAQs
Can a domain have multiple DKIM records?
Yes, a domain can have multiple DKIM records using different selectors, which is useful for managing multiple email service providers or during system migrations.
How is DKIM different from SPF?
SPF verifies the IP address of the sending server, while DKIM verifies the content integrity and authenticity of the email itself.
Does DKIM encrypt the email message?
No, DKIM does not encrypt the email message. It only adds a signature to verify the sender's identity and message integrity.
What happens if the DKIM signature fails?
If the DKIM signature fails verification, the email may be flagged as suspicious or routed to the spam folder, depending on the recipient’s email security policies.