How to Create a DKIM Record

DomainKeys Identified Mail (DKIM) is an email authentication method that lets a receiving server check that a message really was sent on behalf of the domain that signed it. The sending server adds a digital signature over selected headers and the body of each outbound message; the recipient recomputes the hashes and verifies the signature with a public key published in the sender's DNS, so any change to the signed parts in transit causes the check to fail.

Publishing DKIM helps to reduce the risk posed by email spoofing and phishing, because outgoing email from the domain can be verified as authentic, and unsigned or badly signed mail claiming to come from the domain stands out.

What is a DKIM Record?

A DKIM record is a specially formatted DNS TXT record, published under the _domainkey subdomain of the sending domain, that contains the public key receiving email servers use to verify a message's signature. An example DKIM TXT record might look like the record below (the key is abbreviated; a real 2048-bit RSA key is about 390 base64 characters long):

default._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwIDAQAB"

Let’s break down the components of a DKIM record:

  • Name (Selector): The record is published at <selector>._domainkey.<domain>, so the name in the example above is default._domainkey.example.com. The selector (default here) is usually assigned by the email service provider and lets a domain publish several keys at once, for instance one per provider or an old and a new key during rotation. Each signed message names its selector in the s= tag of its DKIM-Signature header, which tells the receiving server which record to fetch.
  • Version: The v= tag gives the record version. It is optional, but if present it must be the first tag, and DKIM1 is the only version defined.
  • Key Type: The k= tag names the key type, i.e. the public-key algorithm: rsa (the default and by far the most common) or ed25519. SHA-256 is not a key type; it is the hash used in the signature algorithm (for example rsa-sha256), which the sending server records in the a= tag of each DKIM-Signature header.
  • Public Key: The p= tag holds the public key itself, base64-encoded (for RSA, the DER-encoded SubjectPublicKeyInfo). Recipient servers use it to verify the digital signature of emails from the sender's domain. RSA keys must be at least 1024 bits and are normally 2048 bits; an empty p= value means the key has been revoked.

Creating a DKIM Record

Your email service provider will usually publish information on the steps necessary to enable DKIM signing for your domain, including details of the necessary DKIM DNS records to be created.

As a general guide, it typically involves the following steps:

  1. Getting the required DKIM key and name (selector) details from your email service provider.
  2. Creating the DKIM TXT DNS record for your domain with the appropriate selector and key details.
  3. Enabling DKIM signing with your email service provider so that emails are sent with a digital signature.

The specific steps vary for each email service provider; for the most common ones, see the guides on how to turn on DKIM for Google Workspace and how to use DKIM with Microsoft 365.

After the DKIM record has been published and signing has been enabled with your email service provider, mail sent through that provider will carry a DKIM-Signature header that recipients can verify. Before relying on it, confirm that the record is live and intact, for example with dig +short TXT selector._domainkey.yourdomain.example, since DNS providers sometimes truncate or mis-split long keys. Remember too that only mail sent through the signing provider is covered: any other system that sends as your domain needs its own selector and key.
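As an added example (not from the original article, and not any provider's own tooling), the following Python covers step 2 above and the post-publication check: it builds the TXT record for <selector>._domainkey.<domain> from an RSA public key, splitting the value into 255-character strings as a zone file requires, and validates a published value the way a receiving server does before trusting it, by parsing the tags, decoding p=, confirming the key is a parseable RSA SubjectPublicKeyInfo of acceptable size (or a 32-byte ed25519 key), and flagging empty, truncated or otherwise unusable keys. The modulus is a constructed placeholder rather than a real key, and the function names, the example domain and the sample records are assumptions of this example; the article's own abbreviated record is reused to show how a truncated key fails.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def _der(tag, body):
    """Minimal DER TLV encoder: one tag byte, definite length, content."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)  # leading 0x00 keeps the INTEGER positive

def rsa_spki_der(n, e):
    """RSA public key as SubjectPublicKeyInfo DER; the p= tag carries this base64-encoded."""
    alg = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")
    pub = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, alg + _der(0x03, b"\x00" + pub))

def _read_tlv(buf, pos):
    """Decode one DER element at buf[pos] -> (tag, content, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: the low 7 bits say how many length bytes follow
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    if pos + ln > len(buf):
        raise ValueError("DER element runs past the end of the data (truncated key?)")
    return tag, buf[pos:pos + ln], pos + ln

def rsa_modulus_bits(spki):
    """Walk the SPKI and return the RSA modulus size; raise ValueError if it is not a sane RSA key."""
    tag, body, _ = _read_tlv(spki, 0)
    _, alg, pos = _read_tlv(body, 0)
    if tag != 0x30 or _read_tlv(alg, 0)[1] != RSA_OID:
        raise ValueError("not a SubjectPublicKeyInfo for an rsaEncryption key")
    tag, bits, _ = _read_tlv(body, pos)
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("missing or malformed BIT STRING")
    rsa_pub = _read_tlv(bits[1:], 0)[1]  # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    return int.from_bytes(_read_tlv(rsa_pub, 0)[1], "big").bit_length()

def parse_dkim_tags(txt_value):
    """Split "v=DKIM1; k=rsa; p=..." into a dict; bare or duplicate tags raise ValueError."""
    tags = {}
    for item in filter(None, re.split(r"\s*;\s*", txt_value.strip())):  # a trailing ';' is allowed
        name, sep, value = (s.strip() for s in item.partition("="))
        if not sep or not name or name in tags:
            raise ValueError(f"malformed or duplicate tag: {item!r}")
        tags[name] = value
    return tags

def validate_dkim_record(txt_value):
    """Check a published DKIM TXT value the way a verifier does before trusting its key."""
    res = {"ok": False, "key_type": None, "key_bits": None, "problems": []}
    try:
        tags = parse_dkim_tags(txt_value)
    except ValueError as exc:
        res["problems"].append(str(exc))
        return res
    if tags.get("v", "DKIM1") != "DKIM1":
        res["problems"].append(f"unsupported version {tags['v']!r}")
    res["key_type"] = tags.get("k", "rsa")  # k= defaults to rsa (RFC 6376)
    if "p" not in tags:
        res["problems"].append("missing p= tag")
    elif tags["p"] == "":
        res["problems"].append("p= is empty: the key has been revoked")
    else:
        p = re.sub(r"\s+", "", tags["p"])  # folding whitespace inside p= is legal
        try:
            key = base64.b64decode(p + "=" * (-len(p) % 4), validate=True)
            if res["key_type"] == "rsa":
                res["key_bits"] = rsa_modulus_bits(key)
                if res["key_bits"] < 1024:
                    raise ValueError("RSA keys under 1024 bits are rejected by verifiers (RFC 8301)")
            elif res["key_type"] != "ed25519" or len(key) != 32:
                raise ValueError("expected k=rsa, or k=ed25519 with a 32-byte raw public key")
        except (ValueError, IndexError) as exc:
            res["problems"].append(f"unusable public key: {exc}")
    res["ok"] = not res["problems"]
    return res

def build_dkim_record(selector, domain, spki_der):
    """Return (TXT value, zone-file line) for selector._domainkey.domain from an SPKI DER public key."""
    value = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_der).decode()
    strings = [value[i:i + 255] for i in range(0, len(value), 255)]  # one TXT string holds at most 255 bytes
    return value, f"{selector}._domainkey.{domain}. IN TXT ( " + " ".join('"%s"' % s for s in strings) + " )"

# Constructed placeholder modulus (NOT a real key; use `openssl rsa -in dkim.key -pubout -outform DER` for one).
PLACEHOLDER_N = int.from_bytes(bytes(range(256)), "big") | (1 << 2047) | 1
PLACEHOLDER_SPKI = rsa_spki_der(PLACEHOLDER_N, 65537)
RECORD_VALUE, ZONE_LINE = build_dkim_record("default", "example.com", PLACEHOLDER_SPKI)
ARTICLE_EXAMPLE = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwIDAQAB"  # the article's abbreviated key
ED25519_EXAMPLE = "v=DKIM1; k=ed25519; p=" + base64.b64encode(bytes(range(32))).decode()  # constructed key

if __name__ == "__main__":
    print(ZONE_LINE, validate_dkim_record(RECORD_VALUE), validate_dkim_record(ARTICLE_EXAMPLE), sep="\n")
```

To check a live record, fetch it (for example with dig +short TXT default._domainkey.example.com), join the quoted strings into a single value and pass that to validate_dkim_record(). A record that is published but fails here will fail at every receiver, so it is worth running before signing is switched on and again after any DNS change.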

Summary

DKIM provides a robust mechanism for ensuring that the signed headers and body of emails sent from a domain are not modified by any relaying email servers. If a signed part is modified, or the signature cannot be verified against the published key, the recipient mail server may flag the message as unauthenticated or, depending on its own policy and the sending domain's DMARC policy, quarantine or reject it so that it is never delivered to the recipient.