DKIM provides a method to validate a domain name identity associated with a message via cryptographic authentication (DKIM.org).
A DKIM (DomainKeys Identified Mail) record allows you to authenticate your domain and the authorised email senders permitted to send messages from it on your domain's mail server.
Enabling DKIM on your mail system and publishing a DKIM record lets you sign outgoing email from your addresses with DomainKeys Identified Mail (DKIM) signatures.
Your domain can have multiple DKIM records without causing any issues, unlike SPF authentication.
DKIM (DomainKeys Identified Mail) should be considered a method to verify that the email content is trustworthy and to guarantee its integrity: that is, that messages have not been intercepted in transit or altered between the moment the initial sending mail server sent them and their delivery to the recipient.
How DKIM works: This additional layer of reliability is achieved with the standard public/private key signing process. In practice, the owners of the domain to be secured add a DNS entry containing the DKIM public key, which recipients use to verify that the DKIM signature on a message is correct, while the sending server signs outgoing messages with the corresponding private key.
To ensure delivery of your emails into your recipients' inboxes, configure custom DKIM authentication for your domain and also create an SPF record beforehand. Internet and mail service providers now use DKIM and SPF authentication to check incoming emails and identify spam or spoofed addresses. Emails that fail this authentication are more likely to end up in a spam (or junk mail) folder, or even to be rejected.
Some advice before you start:
- DKIM.org provides the necessary information to understand and create a DKIM record. DKIM is an enhanced version of DomainKeys (Enhanced DomainKeys from Yahoo), which was merged with Identified Internet Mail from Cisco.
- Use a key length of at least 1024 bits. Ideally 2048 bits if your DNS host allows it. (BrandShelter supports 2048-bit keys)
- Always use a TXT type record to add your DKIM.
- The “t=y” declaration is intended for testing and must be removed before full DKIM implementation in production. Some mail providers may ignore the DKIM signature when it is in test mode.
- Rotate DKIM keys at least twice a year to reduce the risk of compromise.
Adding a DKIM entry to the zone file:
To add a DKIM entry to your domain's DNS configuration, create a new DNS record of type TXT or CNAME (depending on the instructions provided by your host):
- First, obtain the necessary information from your host or your network/server administrator: selector and public key.
- Click on "New resource record".
- In the “Host” field, add the following value: selector._domainkey
After validation, you will get the following subdomain: selector._domainkey.yourdomain.com
Note:
• selector corresponds to the selector associated with the generated public key (or token) and should be replaced by the selector provided by your host (for example '16523750' or 'Default'); the public key is used as the record value in the form: v=DKIM1; h=sha256; k=rsa; p=public_key
• yourdomain.com corresponds to the domain name you want to authenticate, including its extension, and should be replaced by the domain on which you want to add the DKIM record.
This information (selector and public key) must be obtained from your host or your network/server administrator.
Important:
DKIM records cannot be created on every server; this depends in particular on the server configuration.
You can have multiple DKIM records on your domain without limit, unlike DMARC or SPF, as long as your DNS host allows it.
If you use multiple mail providers, it is preferable, and in practice necessary, to add a DKIM record for each mail provider.
Use unique DKIM selectors to avoid conflicts with existing records.
You can contact us if you want more information and/or advice prior to setting up a DKIM on your domain managed by BrandShelter.
Defensive DKIM action:
The DKIM record value for a defensive action:
v=DKIM1; p=
This DKIM record indicates that no DKIM key exists for the domain.
*._domainkey.example.com 3600 TXT v=DKIM1; p=
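As an added example (not from this article or from BrandShelter), here is a small Python checker for the advice given above: it parses a DKIM TXT record value, flags the t=y test mode, recognises the empty p= defensive record, and reads the RSA modulus size out of the p= key to apply the 1024-bit minimum and 2048-bit recommendation. The fake_rsa_spki_b64 helper builds a constructed dummy key (modulus 2^(bits-1)+1) purely so the size check can be exercised offline; it is not a real key and must never be published.

```python
import base64
MIN_KEY_BITS, RECOMMENDED_KEY_BITS = 1024, 2048  # page advice: at least 1024 bits, ideally 2048

def parse_dkim_record(txt: str) -> dict:
    # Split "v=DKIM1; h=sha256; k=rsa; p=..." into a tag dict; whitespace inside values is dropped
    pairs = (part.partition("=") for part in txt.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, _, v in pairs}

def _der(tag: int, body: bytes) -> bytes:
    # Minimal DER TLV encoder (short and long length forms), used only to build the constructed sample key
    n, size = len(body), (len(body).bit_length() + 7) // 8
    length = bytes([n]) if n < 128 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + body

def fake_rsa_spki_b64(bits: int) -> str:
    # CONSTRUCTED dummy SubjectPublicKeyInfo with modulus 2^(bits-1)+1: NOT a real key, only for size checks
    n = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")  # leading 0x00 keeps INTEGER positive
    rsa_key = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))  # RSAPublicKey {n, e=65537}
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))  # rsaEncryption, NULL
    return base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsa_key))).decode()

def _der_tlv(buf: bytes, pos: int):
    # Read one DER tag-length-value at pos; return (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_b64: str) -> int:
    # SubjectPublicKeyInfo -> skip AlgorithmIdentifier -> BIT STRING -> RSAPublicKey -> INTEGER n
    _, spki, _ = _der_tlv(base64.b64decode(spki_b64, validate=True), 0)
    _, bitstr, _ = _der_tlv(spki, _der_tlv(spki, 0)[2])  # first BIT STRING byte = unused-bit count
    _, rsakey, _ = _der_tlv(bitstr[1:], 0)
    return int.from_bytes(_der_tlv(rsakey, 0)[1], "big").bit_length()

def check_dkim_record(txt: str) -> list:
    # Findings for one record value; an empty list means nothing to fix
    tags, findings = parse_dkim_record(txt), []
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y test mode is set; remove it before production")
    if not tags.get("p"):  # missing or empty p=, i.e. the defensive 'v=DKIM1; p=' record
        return findings + ["no key published in p=: missing or defensive/revoked record"]
    try:
        bits = rsa_modulus_bits(tags["p"])
    except (ValueError, IndexError):
        return findings + ["p= does not decode as a base64 DER RSA public key"]
    if bits < RECOMMENDED_KEY_BITS:
        verdict = f"below the {MIN_KEY_BITS}-bit minimum" if bits < MIN_KEY_BITS else f"acceptable, but {RECOMMENDED_KEY_BITS} bits recommended"
        findings.append(f"{bits}-bit key: {verdict}")
    return findings
```

Feed it the TXT value you are about to publish (or one fetched from DNS) and act on every finding before removing test mode.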
Generating a test key for your DKIM record
DKIM Key / Token Generator: to be used only for TEST & VERIFICATION; it is recommended not to use it for PRODUCTION.
Checking a DKIM record
Learn how to validate and verify a DKIM record (DMARC Analyzer: How To Validate A DKIM Record).
DKIM record checkers (lookup):
• mimecast.com/products/dmarc-analyzer/dkim-check/
• dmarcly.com/tools/dkim-record-checker
More information and other useful links:
• Official DKIM site: https://dkim.org/
• DKIM Wiki: https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
• More information on Domain Keys Identified Mail (DKIM)
• Learn more about DKIM signatures