In my previous post, you learned about the sender policy framework (SPF) and its importance in your domain. In today's post, I will explain how to configure DKIM.

DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail (DKIM) is an email authentication method used to prevent spammers from impersonating you as an email sender. The use of a forged return address in an email envelope is the most common technique used by fraudsters to send phishing emails. DKIM helps the receiving mail server verify that the email message is authentic and hasn't been tampered with during transit.

How DKIM authentication works

DKIM uses a private/public key pair to sign email messages. The public key is published in the domain's DNS, and the mail server software is configured to sign outbound email messages with the private key. The message receives its digital signature as it leaves your organization's mail server. The signature is embedded in the message header, which isn't normally visible to the end user. When the destination mail server receives the signed message, it uses the public key (published in the sending domain's DNS) to validate that the message really came from a server holding that domain's private key and hasn't been modified in transit from source to destination.

Understanding DKIM record syntax

Like SPF, DKIM also requires a TXT record to be published in DNS. As mentioned above, DKIM requires a private key and a public key. The private key must be securely stored on the mail server, whereas the public key needs to be published in DNS as a TXT record. The following table shows an example of a DKIM record:

TYPE: TXT
NAME: selector1._domainkey.company.com
VALUE: v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYxs/SHJhuhWafraSHrXonjQVmxALcJrKe6526m/qSNH1xb2YMLsl9u/4o5B2jjsBMQz7h+70qYuDfMT/bjTKTqW4KpIl/o6F30KlA9CnTkmemzrJ2F15osSrSdvysYGj84dCtw64c2YOpR7Ara/spa2IKD0lKZ4GGINMv1uS8QQIDAQAB;

These are the key takeaways about the NAME field:

  • The name of the TXT record starts with a selector name, which can be an arbitrary text string. The selector enables you to use multiple DKIM keys in your domain.
  • The DKIM keys are stored in a subdomain named _domainkey, which is the next part, followed by a period (.).
  • Depending on your DNS registrar, you might need to append the domain name at the end, so ultimately, the Name part of your TXT record becomes selector1._domainkey.company.com. Some domain registrars (like GoDaddy) automatically append the domain name at the end, so you only need to type selector1._domainkey in the Name field.

This is what you need to know about the VALUE field of the DKIM record:

  • The field starts with v=DKIM1, which indicates that we are working with a DKIM version 1 record.
  • It contains multiple sections separated by a semicolon (;).
  • The p= prefix is used to specify the DKIM public key in the base-64 format.
  • Sometimes, you will see k=rsa, which denotes the public key type. RSA is the default key type in a DKIM record.

Generating DKIM keys

Most email service providers allow you to generate DKIM keys, so you don't have to rely on third-party tools. If you use any third-party tool or website to generate the keys, they may record the private key and could use it to send forged emails on your behalf, which defeats the whole idea of using DKIM authentication.

You could use DKIM Core to generate the DKIM keys for testing and education purposes. For a production domain, it is highly recommended to use the DKIM tool provided by your mail service provider, since it is the safest way.

If your provider doesn't offer such a tool, you can use the openssl command line tool to manually generate key pairs, as shown below:

openssl genrsa -out company.com.key 2048
openssl rsa -in company.com.key -pubout > company.com.pub
Generating DKIM keys manually using the openssl tool


Once the keys are generated, open the company.com.pub file in a text editor to view the public key.

Viewing the public key in the text editor


To publish the key in DNS, you have to remove the "-----BEGIN PUBLIC KEY-----" and "-----END PUBLIC KEY-----" keywords and delete all line breaks to get a continuous string, as shown in the following screenshot.

Manually creating the value of the TXT record using the public key

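The manual editing step above (strip the BEGIN/END lines, join the base64 into one string) and the record syntax described earlier are easy to get subtly wrong in a DNS console. The following Python script is an added example, not part of the original post or of any vendor tool: it builds the TXT value from an openssl PEM file, then parses and sanity-checks a DKIM TXT value before it is published. The PEM constant is constructed here by wrapping the public key from the sample record above in the header and footer that openssl rsa -pubout emits; the key-size table covers only the standard e=65537 RSA keys that openssl genrsa produces.

```python
import base64
import re

# PEM constructed for this example by wrapping the public key from the post's
# sample TXT record in the header/footer that "openssl rsa -pubout" writes.
EXAMPLE_PUB_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYxs/SHJhuhWafraSHrXonjQVm
xALcJrKe6526m/qSNH1xb2YMLsl9u/4o5B2jjsBMQz7h+70qYuDfMT/bjTKTqW4K
pIl/o6F30KlA9CnTkmemzrJ2F15osSrSdvysYGj84dCtw64c2YOpR7Ara/spa2IK
D0lKZ4GGINMv1uS8QQIDAQAB
-----END PUBLIC KEY-----
"""

# DER length of a SubjectPublicKeyInfo for an RSA key with e=65537, by modulus size.
_RSA_SPKI_LEN_TO_BITS = {162: 1024, 294: 2048, 550: 4096}


def pem_to_dkim_txt(pem, key_type="rsa"):
    """Build the VALUE of a DKIM TXT record from an openssl PEM public key.

    This is the manual step from the post: drop the BEGIN/END lines and join the
    remaining base64 lines into one continuous string for the p= tag.
    """
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN PUBLIC KEY-----" or lines[-1] != "-----END PUBLIC KEY-----":
        raise ValueError("expected a PEM 'PUBLIC KEY' block (output of openssl rsa -pubout)")
    p = "".join(lines[1:-1])
    base64.b64decode(p, validate=True)  # fail here rather than after publishing to DNS
    return f"v=DKIM1; k={key_type}; p={p}"


def parse_dkim_txt(value):
    """Split a DKIM TXT record into its tag=value pairs (RFC 6376 tag-list syntax)."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' is legal and leaves an empty entry
        tag, _, val = part.partition("=")
        tags[tag.strip()] = re.sub(r"\s+", "", val)  # whitespace may be folded into p=
    return tags


def check_dkim_txt(value):
    """Return a list of problems found in a DKIM TXT value; an empty list means it looks sane."""
    problems = []
    tags = parse_dkim_txt(value)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but if present it must be DKIM1
        problems.append("v= tag present but not DKIM1")
    if "p" not in tags:
        problems.append("missing p= tag")
    elif tags["p"] == "":
        problems.append("empty p= tag (RFC 6376 treats this as a revoked key)")
    else:
        try:
            der = base64.b64decode(tags["p"], validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            problems.append("p= is not valid base64")
        else:
            if tags.get("k", "rsa") == "rsa" and der[:1] != b"\x30":
                problems.append("p= does not decode to a DER SubjectPublicKeyInfo (SEQUENCE)")
    return problems


def dkim_rsa_bits(value):
    """Estimate the RSA modulus size of a record's p= key from its DER length, or None."""
    tags = parse_dkim_txt(value)
    try:
        der = base64.b64decode(tags.get("p", ""), validate=True)
    except ValueError:
        return None
    return _RSA_SPKI_LEN_TO_BITS.get(len(der))


if __name__ == "__main__":
    record = pem_to_dkim_txt(EXAMPLE_PUB_PEM)
    print(record)
    print("problems:", check_dkim_txt(record) or "none")
    print("key size:", dkim_rsa_bits(record), "bits")
```

Run it against the .pub file you generated (read the file into pem_to_dkim_txt) and paste the returned string into the VALUE field. The k=rsa tag is added explicitly even though RSA is the default, and the size check is a reminder that the post's sample key is 1024 bits while the openssl command above generates 2048-bit keys.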

Publishing DKIM records

Next, you have to log on to the DNS management page of your domain registrar and create a TXT record to publish the public key for DKIM. The following screenshot shows how to do this in the Cloudflare DNS.

Publishing a DKIM record in the Cloudflare DNS


Enabling DKIM authentication

Once your DKIM public key has been published in DNS, you have to enable DKIM authentication in your mail server software. The following screenshot shows how to enable DKIM signing in the Zoho admin console.

Enabling DKIM signing in the Zoho admin console


Validating DKIM authentication

After enabling DKIM authentication in your mail server, you can validate the DKIM record using the DKIM checker. You just have to enter the selector name and domain name to validate the DKIM record for your domain. The following screenshot shows what the validation results look like:

Validating the DKIM record using the DKIM checker


Alternatively, you could send an email from your domain to a gmail.com address and view the email headers to verify the DKIM status. In Gmail, open the email message that you sent from your domain, click the three dots in the right corner, and select Show original.

Viewing email headers in Gmail


Viewing the status of SPF and DKIM for a message in Gmail


If everything is configured correctly, you should see PASS next to the DKIM and SPF fields.
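The PASS/FAIL summary Gmail shows in Show original is derived from the Authentication-Results header (RFC 8601) that the receiving server adds to the raw message, which appears further down on the same page. The Python below is an added example, not from the original post or from Google: it unfolds the raw headers, parses that header into per-method results, and checks that DKIM passed for the domain you expect rather than for some unrelated signing domain. The sample headers are constructed for this example; the addresses, IP, selector and signature values are invented.

```python
import re

# Constructed sample of the raw headers Gmail's "Show original" view displays;
# the addresses, IP address, selector and signature value are invented.
SAMPLE_RAW_HEADERS = """\
From: Alice Example <alice@company.com>
Authentication-Results: mx.google.com;
       dkim=pass header.i=@company.com header.s=selector1 header.b=Q2Zv9sXm;
       spf=pass (google.com: domain of alice@company.com designates 203.0.113.10 as permitted sender) smtp.mailfrom=alice@company.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=company.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=company.com; s=selector1;
       h=from:to:subject:date:message-id; bh=invented; b=Q2Zv9sXm
Subject: DKIM test
"""


def unfold_headers(raw):
    """Join RFC 5322 folded continuation lines so every header sits on one line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def parse_authentication_results(raw):
    """Return {"authserv-id": ..., <method>: {"result": ..., <ptype.property>: value}}."""
    text = unfold_headers(raw)
    m = re.search(r"^Authentication-Results:\s*(.*)$", text, re.MULTILINE)
    if not m:
        return {}
    parts = [p.strip() for p in m.group(1).split(";")]
    results = {"authserv-id": parts[0].split()[0]}  # the receiver that did the checks
    for part in parts[1:]:
        part = re.sub(r"\([^)]*\)", "", part).strip()  # drop "(comment)" text first
        if not part:
            continue
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = {"result": result.lower(), **props}
    return results


def dkim_pass_for_domain(raw, expected_domain):
    """True only if DKIM passed and the signing identity (header.i or header.d) is our domain."""
    dkim = parse_authentication_results(raw).get("dkim")
    if not dkim or dkim["result"] != "pass":
        return False
    identity = dkim.get("header.i") or dkim.get("header.d", "")
    signing_domain = identity.rpartition("@")[2]  # header.i is "@domain" or "user@domain"
    return signing_domain.lower() == expected_domain.lower()


def summarize(raw):
    """Compact SPF/DKIM/DMARC summary, like the panel Gmail shows above the raw source."""
    res = parse_authentication_results(raw)
    return {m: res[m]["result"].upper() for m in ("spf", "dkim", "dmarc") if m in res}


if __name__ == "__main__":
    print(summarize(SAMPLE_RAW_HEADERS))
    print("DKIM pass for company.com:", dkim_pass_for_domain(SAMPLE_RAW_HEADERS, "company.com"))
```

The domain check matters because a message can carry a valid DKIM signature from a completely different domain (a mailing list or relay, for instance) and still show dkim=pass; header.s in the parsed result also tells you which selector signed, so you can confirm it is the one you published.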


In my next post, I will discuss the difference between SPF and DKIM.

2 Comments
  1. ms 1 year ago

    hi,
    What would you do when part of your sent emails are sent from a third-party mail server?
    Like when you use another service to send your marketing emails, etc.
    We use Google Workspace, but also have an internal mail server and an external mail sender service…

    • Author

      Hi there,
      DKIM is used to sign the outbound email messages. Unlike an SPF record, you could have multiple DKIM records in your domain; it's just the name of the selector that matters. Just use a different selector name for each email sending service and you will be good.


© 4sysops 2006 - 2023
