Implementing email authentication using DomainKeys Identified Mail (DKIM) enables automated ‘digital signing’ of emails as they are sent from mail servers.
Senders use DKIM to store a digitally encrypted signature in email headers at delivery and email providers use the information to identify an email has actually been delivered from the domain and hasn’t been modified whilst in transit.
Digitally signing emails using DKIM is implemented through a combination of an encrypted key that is stored in a file on the outgoing mail server and a public key that is entered onto the sending domain in a TXT type DNS record.
The length of the key is important and at the end of 2012 1024-bit keys became the minimum security requirement to ensure emails stay secure by making keys far more difficult and time consuming to crack.
In addition to 1024-bit length keys its good practice to put in place a rotation process to ensure keys are updated quarterly.
If you’re using a solution like Instiller then you’ll need to contact your provider for the required public key but if you’re running your own mail servers you can generate a key from the command line.
The public key can then be used to create DKIM DNS entries for the sending domain.
You’ll need a good understanding of what TXT records are and you’ll need login details for your domain name providers DNS management console.
An example record
DKIM records will vary as each is a customised definition that includes an encrypted key to power the digital signing part of email authentication.
A DKIM entry consists of a Hostname, DNS record type and a value containing the encrypted public key.
yourselector._domainkey TXT k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBU2krGM7xiQIDAQABiQKBgQCpZTzdwGr57LkdqJtdzgw/XCpAYF4gI6jJWNpTRCc+tn1nR9SbwdsE9DUp7rovIdnbIfMg/M+dJamiQehs/7NFB0tuQpEPxybuv1Mvo1yWUjE1dPEw4foHEn67loWmWncANY9Qc8uaKkLMKfEJeSdS+EGqwvpY7L7r;
When setting up DKIM on the root domain the first part of the record needs to be entered in the format of
[Selector]._domainkey. e.g. yourselector._domainkey
Using DKIM on a subdomain requires an additional element of adding the subdomain host name following the _domainkey text making the required format
TXT record set-up
Configuring DKIM requires TXT records be entered into the control panel where the domain name is registered e.g. 123-reg.co.uk.
The way to enter the information varies in each domain name control panel but pretty much all of them will allow you to create the required TXT records these days.
Domain providers such as 123-reg, Fasthosts, GoDaddy all have published guides on how to create DKIM records but entering them should be fairly straightforward regardless of where the domain was registered.
If you are having difficulty setting up DKIM records contact the domain provider for support.
Test your records
Port25.com has a really useful testing tool that provides a report on whether DKIM records are set-up correctly. Send an e-mail to
firstname.lastname@example.org and you will receive a reply containing the results of a complete DKIM check.
DKIMcore is a quick an easy way to check DKIM records once the DNS entries are in place. Enter the Selector and Domain Name then click the button to run the check.