In my previous post, you learned about the sender policy framework (SPF) and its importance in your domain. In today's post, I will explain how to configure DKIM.
Latest posts by Surender Kumar (see all)

DomainKeys Identified Mail (DKIM) ^

DomainKeys Identified Mail (DKIM) is an email authentication method used to prevent spammers from impersonating you as an email sender. The use of a forged return address in an email envelope is the most common technique used by fraudsters to send phishing emails. DKIM helps the receiving mail server verify that the email message is authentic and hasn't been tampered with during transit.

How DKIM authentication works ^

DKIM uses a pair of private/public keys to sign email messages. The public key is published in the domain's DNS. The mail server software is then configured to sign outbound email messages using a private key. The email message is signed with a digital signature as soon as it leaves your organization's mail server. The signature is embedded in the message header, which isn't normally visible to the end user. When the destination mail server receives the signed message, it uses the public key (published in the sending domain's DNS) to validate that the email message is legit and hasn't been modified during the transmission from source to destination.

Understanding DKIM record syntax ^

Like SPF, DKIM also requires a TXT record to be published in DNS. As mentioned above, DKIM requires a private key and a public key. The private key must be securely stored on the mail server, whereas the public key needs to be published in DNS as a TXT record. The following table shows an example of a DKIM record:

TYPENAMEVALUE
TXTselector1._domainkey.company.comv=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYxs/SHJhuhWafraSHrXonjQVmxALcJrKe6526m/qSNH1xb2YMLsl9u/4o5B2jjsBMQz7h+70qYuDfMT/bjTKTqW4KpIl/o6F30KlA9CnTkmemzrJ2F15osSrSdvysYGj84dCtw64c2YOpR7Ara/spa2IKD0lKZ4GGINMv1uS8QQIDAQAB;

These are the key takeaways about the NAME field:

  • The name of the TXT record starts with a selector name, which can be an arbitrary text string. The selector enables you to use multiple DKIM keys in your domain.
  • The DKIM keys are stored in a subdomain named _domainkey, which is the next part, followed by a period (.).
  • Depending on your DNS registrar, you might need to append the domain name at the end, so ultimately, the Name part of your TXT record becomes selector1._domainkey.company.com. Some domain registrars (like GoDaddy) automatically append the domain name at the end, so you only need to type selector1._domainkey in the Name field.

This is what you need to know about the DKIM field:

  • The field starts with v=DKIM1, which indicates that we are working with a DKIM version 1 record.
  • It contains multiple sections separated by a semicolon (;).
  • The p= prefix is used to specify the DKIM public key in the base-64 format.
  • Sometimes, you will see k=rsa, which denotes the public key type. RSA is the default key type in a DKIM record.

Generating DKIM keys ^

Most email service providers allow you to generate DKIM keys, so you don't have to rely on third-party tools. If you use any third-party tool or website to generate the keys, they may record the private key and could use it to send forged emails on your behalf, which defeats the whole idea of using DKIM authentication.

You could use DKIM Core to generate the DKIM keys for testing and education purposes. For a production domain, it is highly recommended to use the DKIM tool provided by your mail service provider, since it is the safest way.

If your provider doesn't offer such a tool, you can use the openssl command line tool to manually generate key pairs, as shown below:

openssl genrsa -out company.com.key 2048
openssl rsa -in company.com.key -pubout > company.com.pub
Generating DKIM keys manually using the openssl tool

Generating DKIM keys manually using the openssl tool

Once the keys are generated, open the company.com.pub file in a text editor to view the public key.

Viewing the public key in the text editor

Viewing the public key in the text editor

To publish the key in DNS, you have to remove the "-----BEGIN PUBLIC KEY-----" and "-----END PUBLIC KEY-----" keywords and delete all line breaks to get a continuous string, as shown in the following screenshot.

Manually creating the value of the TXT record using the public key

Manually creating the value of the TXT record using the public key

Publishing DKIM records ^

Next, you have to log on to the DNS management page of your domain registrar and create a TXT record to publish the public key for DKIM. The following screenshot shows how to do this in the Cloudflare DNS.

Publishing a DKIM record in the Cloudflare DNS

Publishing a DKIM record in the Cloudflare DNS

Enabling DKIM authentication ^

Once your DKIM public key has been published in DNS, you have to enable DKIM authentication in your mail server software. The following screenshot shows how to enable DKIM signing in the Zoho admin console.

Enabling DKIM signing in the Zoho admin console

Enabling DKIM signing in the Zoho admin console

Validating DKIM authentication ^

After enabling DKIM authentication in your mail server, you can validate the DKIM record using the DKIM checker. You just have to enter the selector name and domain name to validate the DKIM record for your domain. The following screenshot shows what the validation results look like:

Validating the DKIM record using the DKIM checker

Validating the DKIM record using the DKIM checker

Alternatively, you could send an email from your domain to a gmail.com address and view the email headers to verify the DKIM status. In Gmail, open the email message that you sent from your domain, click the three dots in the right corner, and select Show original.

Viewing email headers in Gmail

Viewing email headers in Gmail

Viewing the status of SPF and DKIM for a message in Gmail

Viewing the status of SPF and DKIM for a message in Gmail

If everything is configured correctly, you should see PASS next to the DKIM and SPF fields.

Subscribe to 4sysops newsletter!

In my next post, I will discuss the difference between SPF and DKIM.

Articles in series

Email authentication methods

2 Comments
  1. ms 2 weeks ago

    hi,
    how would you do when part of your sent emails are sent from third party mail server ?
    Like when you use other service to send your marketing emails, etc.
    Whe use google workspace, but also have an internal mail server and external mail sender service…

    • Author
      Surender Kumar 2 weeks ago

      Hi there,
      DKIM is used to sign the outbound email messages. Unlike SPF record, you could have multiple DKIM records in your domain; its just the name of selector that matters. Just use a different selector name for different email sending services and you will be good.

Leave a reply

Your email address will not be published.

*

© 4sysops 2006 - 2022

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account