What is a DKIM record? A complete guide to setup, mistakes, and DMARC alignment
Without proper email authentication in place, threat actors can spoof your emails and communicate on your behalf, jeopardizing your reputation and the targeted recipient’s data and money. All this can be prevented if your domain has SPF, DKIM, and DMARC in place. Each of these protocols operates differently, but when they work in tandem with each other, they help establish trust and legitimacy for emails. They enable you to prove to receiving mail servers that a specific email is indeed from you and not sent by a malicious actor.
This blog primarily focuses on DKIM (DomainKeys Identified Mail), an email authentication tool that adds a cryptographic signature to your emails so that the receiving server knows if the email content has been tampered with in transit.
What is a DKIM record?
A DKIM record is a type of DNS record that essentially stores a DKIM public key, which looks like a long random string of characters and is used to verify that the message has not been altered in transit. Receiving email servers query your domain's DNS for the DKIM record named in the message's signature and retrieve the public key from it.

Here is an example of a DKIM record:
selector1._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=ABC123XYZPublicKeyHereExampleOnly"
Where:
- selector1 is your DKIM selector, the label that tells the receiver which of your keys signed the message.
- _domainkey is the required DKIM subdomain.
- example.com has to be replaced with your domain name.
- v=DKIM1 specifies the DKIM version.
- k=rsa tells the key type.
- p=ABC123XYZPublicKeyHereExampleOnly is the placeholder public key used for verification.
How does DKIM work?
DKIM’s functionality can be broken down into two parts: the DKIM record and the DKIM header. A DKIM record is stored in your domain’s DNS as a TXT record, and the DKIM header is attached to all outgoing emails.

Here is how the process flows:
- When you send an email, your mail server uses a private key to create a digital signature over selected headers and the body, which is attached in the DKIM-Signature header.
- Next, upon receiving your email, the recipient's mail server looks up your DKIM record in DNS using the selector (s=) and signing domain (d=) from the header.
- The receiving server uses the public key from your DNS to verify the signature against the email's signed headers and body.
- Pass or fail:
  - If the signature verifies, it confirms the email hasn't been modified and that it was signed by a key under your domain's control.
  - If it doesn't, the email fails DKIM verification and may be flagged or rejected.
Common DKIM implementation mistakes
DKIM is unforgiving of configuration errors and, hence, requires technical care. If you are not careful enough, you may end up making these mistakes:

1. Using the wrong DKIM selector
If you use the wrong DKIM selector, the receiving mail server just won’t be able to find the right public key in your DNS to check the email’s signature. That means the DKIM check will fail, and depending on how your DMARC is set up, your email could end up in spam, get quarantined, or even be rejected completely. Over time, this can mess with your deliverability and hurt your domain’s reputation.
2. Publishing an incomplete or broken public key
If your DKIM public key in DNS is incomplete or has mistakes in it (like missing characters, extra spaces, or wrong formatting), the receiving server won't be able to use it to check your email's signature. So the DKIM check will fail, and your emails might start going to spam or even get rejected, depending on how the receiving side filters mail. The long-term damage to deliverability and domain reputation is the same as with a wrong selector.

3. Not rotating DKIM keys regularly
If you don’t rotate your DKIM keys regularly, you are risking your email security. The longer a key is in use, the higher the chances of it getting exposed through a breach, misconfiguration, or even old backups.
This is also seen as a sign of poor security hygiene, which can harm your email deliverability.
4. Forgetting to change the DNS after changing the email service provider
If you switch to a new email service provider but leave your old DKIM record in DNS, messages sent from your domain will be signed with the new provider's private key, while receiving servers will still try to verify them with the old public key published under your domain.

In this case, there will be a mismatch, which will eventually cause DKIM to fail. If this happens, your emails will either get marked as spam or rejected altogether, depending on your DMARC policy.
5. Misalignment with the ‘From’ domain under DMARC
If your DKIM signature is linked to a different domain (the d= tag) than the one in the 'From' address, DMARC will see that as misalignment. Even if the DKIM signature itself verifies, DMARC will still count it as a fail because the signing domain and the visible sending domain don't match. This can make your email land in spam, get quarantined, or even be rejected, which pretty much defeats the whole purpose of having DKIM.
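The record anatomy, the receiver's lookup flow, and mistakes 1, 2 and 5 above can be exercised together from the defender's side. The following Python is an added example, not code from the original post: it simulates DNS with a constructed dictionary (the p= values are not real keys), builds the query name from a DKIM-Signature header's s= and d= tags, lints the published record for a missing, whitespace-damaged or non-base64 key, and checks DMARC alignment of d= against the From domain. It does not verify the cryptographic signature itself, and its organizational-domain rule (last two labels) is a stated simplification of the Public Suffix List logic real DMARC uses.

```python
import base64

# Constructed, offline stand-in for DNS; the p= values are NOT real RSA keys.
DNS = {
    "selector1._domainkey.example.com": "v=DKIM1; k=rsa; p=" + base64.b64encode(b"\x30" * 32).decode(),
    "selector2._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIB CQKC!!",  # pasted with a space and garbage
}

def parse_tags(value):
    """Split a 'tag=value; tag=value' list (DKIM-Signature header or DKIM TXT record) into a dict."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)  # b=, bh=, p= may hold '=' padding
    return {k.strip(): v.strip() for k, v in pairs}

def dkim_record_name(sig_tags):
    """The DNS name a verifier queries, built from the header's s= (selector) and d= (domain) tags."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"

def lint_record(txt):
    """Problems with a published DKIM TXT record (mistake #2: incomplete or broken key)."""
    key = parse_tags(txt).get("p", "")
    if not key:
        return ["p= is empty or missing (key revoked or never published)"]
    problems = []
    if any(c.isspace() for c in key):
        problems.append("whitespace inside p= (often from a split or re-pasted TXT string)")
    try:
        base64.b64decode("".join(key.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        problems.append("p= is not valid base64 (truncated or corrupted key)")
    return problems

def dkim_aligned(from_domain, signing_domain, mode="r"):
    """DMARC DKIM alignment (mistake #5): strict needs an exact match, relaxed allows subdomains."""
    org = lambda d: ".".join(d.lower().rstrip(".").split(".")[-2:])  # assumption: PSL approximated by 2 labels
    if mode == "s":
        return from_domain.lower() == signing_domain.lower()
    return org(from_domain) == org(signing_domain)

def check(from_domain, dkim_signature, dns=DNS):
    """Reproduce the receiver's lookup: find the record by selector, lint it, check alignment."""
    sig = parse_tags(dkim_signature)
    name = dkim_record_name(sig)
    record = dns.get(name)  # None reproduces mistake #1 (wrong selector) or #4 (stale DNS)
    problems = lint_record(record) if record else ["no TXT record at " + name]
    return {"record": name, "found": record is not None, "problems": problems,
            "aligned": dkim_aligned(from_domain, sig["d"])}

if __name__ == "__main__":
    SIG = "v=1; a=rsa-sha256; d=example.com; s=selector1; h=from:to:subject; bh=Zm9v; b=YmFy"
    print(check("example.com", SIG))
```

Swap the dictionary for a real TXT lookup of the computed name to turn this into a quick pre-flight check before and after an email provider migration.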
How does DKIM interact with SPF and DMARC?
When DKIM is paired with SPF and DMARC, it strengthens your email security. SPF checks if the server from which an email is sent is actually authorized by the domain owner. DMARC sits on top of both SPF and DKIM. It tells receiving servers what to do if an email fails SPF or DKIM checks, and it requires that at least one of them passes and aligns with the domain in the “From” address. Alignment means the domain in the DKIM signature or SPF return-path matches the visible sending domain.

This interaction is significant for email security because if an email is forwarded, causing SPF to break, DKIM can still pass and keep the email from going to spam or getting rejected. On the flip side, if DKIM fails due to a broken record or signature mismatch, SPF might still pass and save the email. DMARC ties them together, so even if one fails, the other can help maintain deliverability while still protecting your domain from spoofing and phishing.
So, if you also want the combination of all three protocols, then reach out to us. We can help deploy, manage, configure, and reconfigure these protocols to optimize email deliverability and keep phishers at bay.