Email authentication helps reduce spam and email spoofing while enhancing the email deliverability of legitimate users. To protect your online privacy and security, multiple email authentication protocols and technologies work in tandem to provide the maximum possible security.
There are three main email authentication technologies in use today: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC). While they are optional configurations for your mail servers, configuring them correctly will allow you to automatically filter out the spam and malicious emails from your inbox, or your organization’s inbox, and either reject them or send them to the junk/spam folder.
This post focuses on DKIM, what it is, how it works, how to set up DKIM records, and how it can benefit you. By the end of this guide, you should be able to distinguish between the 3 authentication methods and what each of their functions are.
Table of Contents
What is DomainKeys Identified Mail (DKIM)
DKIM is an email authentication method that ensures that an email came from a legitimate source and not an impersonator. It uses cryptography to include an encrypted digital signature within an email, which is then carried to the receiving email server, which then decrypts the signature and verifies that the email is legitimate.
DKIM uses a combination of a private and a public key to encrypt and decrypt the digital signature. These are generated by the email service provider, and the public key is shared with the domain owner to be placed in the DKIM DNS record.
The public key is stored in the DNS records as a TXT file. Similar to SPF records, the DKIM records also have a unique syntax, signifying that it is, in fact, a DKIM record. Not only that, but it also has a specific name for the TXT file. We have discussed these in detail below.
Learn the key differences between SPF, DKIM, and DMARC.
Moreover, the private key is used by the sending mail servers to encrypt the digital signature. A private key cannot be used to decrypt a digital signature, the same way a public key cannot be used to encrypt a digital signature.
The concept of DKIM can be better understood with this example: A hacker could potentially change the headers of an email and send me an email impersonating my boss. Let’s say that I received an email from “boss@itechtics.org” asking for some sensitive information. Since the domain associated with the email address is “itechtics.org“, I would think of this as a legitimate email and reply with the required information.
However, with DKIM in place, the receiving mail server would check the email header for the digital signature, decrypt it, and determine whether the DKIM check is a PASS or a FAIL. It would then accordingly reject the email, or send it to the spam folder.
How DKIM works
Note that there are two parts to the DKIM technology:
- The DKIM record, which is a TXT record stored on the DNS server, and
- the DKIM header, which is attached to the incoming emails from the domain.
Note that the DKIM header serves a different purpose than the DKIM record, and we have discussed the DKIM header down below.
As for the DKIM records; here is how they work. When a mail server sends out an email from a specific domain, it adds an encrypted digital signature associated with that particular domain into the DKIM header of the email. When the receiving mail server receives this email, it checks the DNS record for the domain found inside the header.
If it finds that a DKIM DNS record exists, it will use the public key in the DKIM record to decrypt the digital signature and verify it.
Note: A DNS record can contain more than one DKIM record. When a DKIM record lookup is performed by a mail server, at least one DKIM key should match for a valid authentication.
This verification method also ensures that the email has not been manipulated in transit. If the received email’s header or body has been changed, it will not be verified, and the DKIM check will FAIL.
That said, it is understood that DKIM operates on the header and body of the email, which is RFC 5322, unlike SPF, which operates on the SMTP envelope.
What is a DKIM Record
A DKIM record is a TXT file stored on the DNS server. It contains the public key for a domain, which is to be used to verify the legitimacy of an email by decrypting its digital signature.
Note: Some domains save the DKIM records as CNAME records that point to the key instead. However, these are not the official RFC requirements.
As mentioned earlier, the DKIM record needs to have a specific syntax along with a very specific name. Therefore, a DKIM record will look something like this:
| Name | TTL | Type | Value |
| selector._domainkey.domain.com | 7200 | TXT | v=DKIM1; k=rsa; p=76E629F05F709EF665853333EEC3F5ADE69A2362BECE40658267AB2FC3CB6CBE |
TTL, or Time To Live, defines how long this record should be considered valid before it needs to be refreshed, which is written in seconds. The type defines the type of the DNS record.
Focusing on the name of the record; The “._domainkey.” remains constant. This means that regardless of your domain name, this portion of the DKIM record will remain the same.
However the “selector” is variable, and is a specialized value issued by the email service provider used by the domain. It is also included in the DKIM header to enable an email server to perform the required DKIM lookup in the DNS. Moreover, “domain.com” is also a variable and will be the email domain name.
For example, in my case, if my selector is “defaultselector”, then the name of the DKIM record will be “defaultselector._domainkey.itechtics.com“.
Now, the value of the DKIM DNS record has a few arguments, each defining a different element. Here is what each of these means:
- v: Defines the DKIM version. Normally, “DKIM1” is used, since it is the only valid version at the moment.
- k: Defines the key type (encryption type).
- p: Defines the public key
Note that these are not the only tags you can include. While “v” and “p” are mandatory, “k” is optional, along with many other tags that are optional:
- g: Defines the granularity of the public key. The value must match the local-part of the “i=” flag in the DKIM signature field or contain a wildcard asterisk (*). The use of this flag is intended to constrain which signing address can use the selector record.
- h: Defines which hash algorithms are acceptable.
- n: Used to define a note for the administrators
- s: Defines the service type to which this record applies.
When defining a DKIM DNS record, you must ensure that you follow the same syntax for the value and the name of the DKIM record.
The DKIM record is only one part of the equation. It still needs to examine something to verify the authenticity of an email, which is the DKIM header.
What is a DKIM Header
A DKIM header is a part of the many headers in an email. When you receive an email, it has a hidden header, which contains the metadata for the email. DKIM header is created by the sending mail server utilizing the original email header, the hash of the email body, and the private key used for digital signature encryption. This encrypted digital signature is then attached as a part of the DKIM header.
Some email providers let you see the email headers. For example, if you are using Gmail, you can view an email’s header by clicking on the 3 dots, and then clicking “Show original“. Performing this will show you something like the following, where I have highlighted the DKIM header portion:
As you can see, the DKIM header contains different tags than a DKIM record. Here is what the different tags in a DKIM header mean:
| Tag | Condition | Definition |
| v | Mandatory | Defines the DKIM version in use |
| a | Mandatory | Signing algorithm |
| d | Mandatory | Domain name of the sender |
| s | Mandatory | Defines the selector |
| h | Mandatory | Lists the header fields that are used to create the digital signature |
| bh | Mandatory | Hash of the email body |
| b | Mandatory | is the digital signature, generated from h and bh and signed with the private key |
| c | Optional | Defines the canonicalization algorithm for header and body |
| q | Optional | Defines the default query method |
| i | Optional | Agent/User identifier |
| t | Optional | Timestamp of the signature |
| x | Optional | Defines the expiration time |
| l | Optional | Body length |
| z | Optional | Copy of selected header fields and values |
With this information, you should now know how DKIM headers and DKIM records work together to authenticate emails.
How to set up DKIM DNS Records to authorize emails
When setting up a DKIM record for your domain, you need the following things:
- Public key
- Private key
- Selector
If you are using an email service provider, then they should provide these variables. However, if you are setting up an email server yourself, then you can use various tools available online to generate public and private keys, such as the following:
- DKIM Core (assigns selector automatically)
- DKIM Generation Wizard by SocketLabs (allows you to assign a selector and generate 1024 and 2048-bit key pairs)
- DKIM Wizard by SparkPost (allows you to assign a selector and generate 1024 and 2048-bit key pairs)
- DKIM Record Generator by Easy DMARC (allows you to assign a selector and lookup DKIM)
- DKIM Wizard by Unlock The Inbox (allows you to assign a selector and generate 512, 768, 1024, and 2048-bit key pairs)
For the selector, you can pick any random name of your choice, if you haven’t already been assigned one using one of the tools given above.
Once you have this information, use the following steps to set up a DKIM DNS record:
Note: Each DNS server might have different configurations and settings. However, the same logic and syntax apply.
-
Start by logging into your DNS server and navigate to the zone management portal.
-
Click “Add Record” and then click “Add TXT Record“.
Add a new TXT record -
Enter the name for the DKIM record using the selector and your domain name, such as this:
[selector]._domainkey.[domain.com]
Set a name for DKIM record -
Now use the following syntax while replacing the variables and paste it in the Record field:
v=DKIM1; k=[EncryptionType]; p=[PublicKey]
Set up DKIM public key for DKIM lookup -
[Optional] If you want to use this server as an outgoing email server, click “Add TXT string to record” and also add the private encryption key.
Add private key for digital signature encryption for DKIM -
[Optional] You may adjust the Time To Live (TTL) value, which is actually how long the record will be cached for.
-
When done, click Save Record.
After performing the steps above, wait a while so the new DNS records can propagate across the internet. This can take anywhere between a few minutes to a day.
How to check DKIM DNS Record
As mentioned earlier, the public key available inside a DKIM record is accessible to everyone. There are many tools available online that will look up the DNS records and fetch the information for particular domains, including the DKIM records.
You can use our Email Validation Tool to check a domain’s DKIM records, amongst other information, such as SPF records, DMARC records, and MX records.
Conclusion
Like SPF, DKIM records can only validate and check the authenticity of an email, but cannot make a decision based on the result. This is where DMARC comes in.
DMARC is responsible for handling the emails based on the SPF and DKIM results. This has been discussed further in the article dedicated to DMARC.
That said, DKIM makes sure that you receive emails from only authentic sources, while all hoaxes and fake emails are filtered out to protect your device, your data, and your network from unwanted access and cyber-attacks.
