DomainKeys Identified Mail (DKIM) plays a crucial role in email authentication, combating email spoofing effectively. This fraudulent act, common in phishing and spamming activities, involves forging the sender’s address to appear as if it’s from someone else. In this comprehensive guide, we delve into the key aspect of DKIM—a DKIM record, exploring its function and significance.
What Is a DKIM DNS TXT Record?
A DKIM record is a specific type of TXT record integrated into your domain’s DNS settings. Embedded with a public cryptographic key, this digital fingerprint assists receiving email servers in decoding the DKIM signature of an incoming email. The email’s DKIM signature, initially encrypted with the sender’s private key, verifies the email’s authenticity and ensures it has remained unchanged during transmission, once successfully decoded.
How Does DKIM DNS TXT Record Function?
- Key Generation: As an email sender, you generate a unique pair of private and public keys. The private key is kept secure on your sending mail server, while the public key is included in the DKIM DNS record on your domain’s DNS.
- Email Sending: During email dispatch, your email server creates a unique DKIM signature for the message using your private key. This signature forms part of the email’s header (DKIM Header), which includes details such as the sender, recipient, and subject.
- Email Reception: Upon receipt, the recipient’s mail server refers to your DKIM DNS record, locates your public key, and attempts to decrypt the DKIM signature from the email’s header.
- Verification: If the recipient’s mail server can successfully decrypt the signature using the public key, and the decrypted contents match the email headers, the email’s authenticity is confirmed, and it is deemed to have remained unaltered in transit. If not, the email is flagged as potentially suspicious.
What Does a DKIM Record Look Like?
A DKIM record consists of various pieces of information encapsulated in special tags (letters preceding the “=” characters). The specific details of the DKIM record, including the public key and selector, depend on your unique mail server and configuration. A sample DKIM record may look like this:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUpwmZ5Ch+0+ZKKJaAu1tPjq4wFtEn6JViEHtneZgCYzFIPzG6VqzRb+oUV9mH5aW7Y9JUyziShypsjG9cBZx94e2/e7xak2HcXwsg5Kj+eu9ZxJ4IQIDAQAB; t=s; n=core; s=email;
Where:
- v=DKIM1; – This indicates the version of DKIM, which is DKIM1
- k=rsa; – This specifies the key type, which in this case is RSA
- p=MIGfMA0GCSqG…IDAQAB; – This is the public key used by receiving servers to decrypt the DKIM signature. Note that the actual key is much longer; it’s truncated here for readability
- t=s; – This is the testing flag. In this case, it indicates that this domain is testing DKIM, and the receiving server should not consider a DKIM failure as a reason to reject the message
- n=core; – This indicates notes of potential interest to administrators. Here, ‘core’ is used as an example
- s=email; – This is the selector, which can be thought of as an identifier for the key. When a server receives a message, it will look up the DKIM record using the domain and selector; in this case, ’email’ is the selector
The name of this DKIM TXT record in DNS will be something like email._domainkey.yourdomain.com, where email._domainkey is the name you choose (selector) and yourdomain.com is your domain.
The specific details for your DKIM record, such as the public key and selector, will depend on your specific mail server and configuration.
How to Set Up DKIM Records?
Setting up DKIM involves generating a public-private key pair and adding the DKIM record to your DNS. The specifics can vary somewhat depending on your domain registrar and email service, but the general steps are as follows:
1. Generate a DKIM Key. This process will generate a pair of keys: a private key, which stays on your mail server, and a public key, which will be published in your DNS records. Several online tools can help you generate a DKIM key pair, or your email service provider might provide a tool or instructions to do this.
2. Create a Selector. A selector is a simple string used to help identify the DKIM public key in your DNS records. For example, if you choose “mailer” as your selector, you might name your DKIM record something like “mailer._domainkey”.
3. Add the DKIM Record to Your DNS. Once you have your public key and selector, you will create a new TXT record in your DNS settings. The exact process can vary depending on your DNS provider, but you will generally need to input your selector (e.g., mailer._domainkey) as the Host, and a value that includes your public key and some other DKIM settings. The value might look something like this:
v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY
Replace YOUR_PUBLIC_KEY with the public key that was generated in step #1.
4. Configure Your Email Server. You will need to configure your email server to sign outgoing messages using the private key that corresponds with the public key in your DNS records. This process can vary widely depending on your specific mail server software.
5. Test Your Setup. Finally, you will want to send test emails to verify that everything is working as expected. There are various online DKIM check tools that can help with this. These tools will tell you whether your emails include a valid DKIM signature.
Note: Any changes to your DNS records can take some time (sometimes up to 48 hours) to propagate throughout the internet. So, don’t worry if your new setup doesn’t work immediately.
If you are looking for a DNS provider that can help secure your mail and manage your DNS records conveniently, consider Gcore DNS Hosting.