DKIM record: how to create, add and check DKIM records?
DKIM (DomainKeys Identified Mail) is a domain-based email authentication technology that uses an asymmetric-key digital signature to validate the message content and headers. DKIM confirms that the message was signed by a particular entity and hasn’t been tampered with; that is, it verifies both the responsible organization and the integrity of the email message. Thanks to it, mail providers (Google, Verizon, Microsoft, etc.) can check that the message came from your actual domain. The DKIM public key is published as a TXT record that you need to add to the domain’s DNS zone settings.
Email services treat messages that pass the DKIM check more favorably than those that fail. At the same time, email messages that do not contain DKIM headers are processed in standard mode. DKIM’s principle of operation is based on standard asymmetric encryption.
Key components of DKIM:
- A pair (or several pairs) of private and public keys is generated for each server. The private key is placed on the sender’s server and used to generate the appropriate DKIM headers for all outgoing client mail.
- The public key is placed by the domain owner in their DNS zone file in the form of a special TXT record, and it becomes available to everyone. The public key received from the DNS server is used to verify the authenticity of the message sender.
A correctly composed DKIM signature confirms that the message was sent from the specified domain. DKIM is a powerful tool for building a reputation for domains based on the multitude of emails received over time (which is actively used by various anti-spam solutions, as well as members of the DKIM reputation project).
The use of DKIM provides another sign by which the user can decide whether or not to trust the sender of the message.
How to use DKIM?
DKIM is used in combination with other email reputation analysis technologies. While most modern email services already support DKIM validation, it is useful to ensure that DKIM is configured correctly when using your domain or setting up your own mail server.
How to create a DKIM record for a domain?
First, create a list of all domains and sending services that are authorized to send emails on your behalf.
If you’re using ESPs (Email Service Providers) such as Google or Microsoft 365, or third-party services such as MailChimp, Sendgrid, etc., then you need to set up DKIM from the given services’ admin portals. These services store the DKIM private key on their servers and provide the DKIM public record to be stored in their users’ DNS zones.
EasyDMARC has a built-in feature called Identified Email Sources. We identify more than 1,000 email sources and give recommendations for the SPF & DKIM implementation process by redirecting to that source’s official documentation.
[Figure: DMARC Aggregate dashboard where you can see your outgoing mail stream from the various sources (AmazonSES, Mandrill, etc.) that your organization uses]
[Figure: AmazonSES SPF & DKIM configuration steps, redirecting to their official docs]
If your organization has its own email server, it may have native DKIM functionality. Check the available documentation for the public/private key generation and policy record creation.
There are third-party tools available to generate the DKIM record. You can use the EasyDMARC DKIM record generator.
Can I have multiple DKIM TXT records in a single domain?
A domain can have as many DKIM records for public keys as servers that send mail. Simply use different selector names.
The selector is part of the DKIM record’s name, which makes it possible to add multiple DKIM records in the given DNS zone.
For example, if your organization uses Google Workspace & Sendgrid for its outgoing mail stream, then multiple DKIM records can be added with different selectors:
s1._domainkey.company.com IN TXT v=DKIM1; p=[Public Key] (where s1 is the selector for Sendgrid)
google._domainkey.company.com IN TXT v=DKIM1; p=[Public Key] (where google is the selector for Google Workspace)
How can I check my DKIM record?
If you have already implemented DKIM for your domain, use our DKIM Record Lookup, a free tool that looks up and validates your DKIM record.
Input your selector name and your domain to retrieve the published DKIM key record.
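Once a record has been retrieved, its content can be sanity-checked offline. The Python sketch below is an added example, not EasyDMARC's tool or code from this article: it parses a DKIM TXT value in the `v=DKIM1; p=...` form shown above, checks the `v=` and `p=` tags, and reads the RSA modulus size from the published key. The selector names `legacy` and `retired`, the key values and the function names are constructed for illustration.

```python
import base64, binascii

def _tlv(buf, pos):
    """Read the DER element at pos and return (value_start, value_end)."""
    length, pos = int.from_bytes(buf[pos + 1:pos + 2], "big"), pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_bits(der):
    """Modulus size of an RSA SubjectPublicKeyInfo; assumes well-formed DER."""
    start, _ = _tlv(der, 0)                            # outer SEQUENCE
    _, alg_end = _tlv(der, start)                      # AlgorithmIdentifier
    bitstr, _ = _tlv(der, alg_end)                     # BIT STRING
    key, _ = _tlv(der, bitstr + 1)                     # skip unused-bits byte
    n0, n1 = _tlv(der, key)                            # INTEGER modulus
    return int.from_bytes(der[n0:n1], "big").bit_length()

def check_dkim_record(txt):
    """Return findings for one DKIM TXT value; an empty list means no issues."""
    pairs = [(k.strip(), v.strip()) for k, _, v in
             (t.partition("=") for t in txt.split(";") if t.strip())]
    tags, out = dict(pairs), []
    if "v" in tags and (tags["v"] != "DKIM1" or pairs[0][0] != "v"):
        out.append("v= must be DKIM1 and the first tag")
    if not tags.get("p"):
        return out + ["missing p= tag" if "p" not in tags else "empty p=: key revoked"]
    try:
        key = base64.b64decode("".join(tags["p"].split()), validate=True)
    except binascii.Error:
        return out + ["p= is not valid base64"]
    alg = tags.get("k", "rsa")                         # k= defaults to rsa
    if alg == "rsa" and (bits := rsa_bits(key)) < 1024:
        # RFC 8301: verifiers must not accept RSA keys under 1024 bits
        out.append(f"RSA modulus is {bits} bits; verifiers reject keys under 1024")
    elif alg == "ed25519" and len(key) != 32:
        out.append("ed25519 key must be 32 bytes")
    return out

# Constructed samples (not real keys): a 512-bit RSA key and a revoked selector.
WEAK = base64.b64encode(bytes.fromhex(
    "305c300d06092a864886f70d010101050003" "4b00" "3048" "0241")
    + b"\x00" + b"\xc3" * 64 + bytes.fromhex("0203010001")).decode()
SAMPLES = {"legacy._domainkey.company.com": f"v=DKIM1; k=rsa; p={WEAK}",
           "retired._domainkey.company.com": "v=DKIM1; p="}

for name, txt in SAMPLES.items():
    print(name, check_dkim_record(txt) or "ok")
```

An empty result means the record parsed cleanly; it does not prove that the sending service signs with the matching private key.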