Quick Summary: What is DKIM?
DKIM is an email security mechanism that checks whether an email has been modified in transit and prevents third parties from impersonating your email address.
DKIM protects against email spoofing and phishing and helps increase email deliverability. Without DKIM, it is very likely that your emails are marked as spam by the recipient’s mail server. A valid DKIM record is required by large providers like Gmail or Microsoft in order to successfully send messages to the intended recipient.
How to set up DKIM for your Email Address
If you use a custom domain name for your email address and wish to use DKIM, simply follow these three steps:
Step 01: Get the required DKIM DNS record from your email provider.
Usually, you can look up the record in your email provider’s admin panel or in the settings of your email account.
Step 02: Log in to your domain management panel and go to the DNS settings.
Here, add a new TXT record with the values you received from your provider. Set the TTL of the TXT record to the lowest possible value so that the changes to the DNS settings are reflected more quickly.
Step 03: Wait a few minutes
Then, use a DKIM checker (e.g. MXToolbox) to check if DKIM is set up correctly.
What is DKIM?
DKIM stands for DomainKeys Identified Mail and is an email security standard. By using public / private key cryptography to sign and verify email messages, DKIM has become a widespread, robust email authentication standard.
With DKIM, outgoing emails are signed using a private key. The recipient of the email verifies the signature by looking up the domain’s public key, which is published as a DKIM DNS record in the DNS settings of the domain. This mechanism allows the receiving server to find out whether the received message was altered in transit between the sender’s and the recipient’s mail server, making it easy to detect spoofing and phishing attacks as well as spam messages.
Is DKIM mandatory?
It isn’t mandatory to use DKIM, but it is highly recommended, as it prevents spoofing (= forging the sender’s email address to make an untrustworthy email look legitimate) and prevents emails from being marked as spam. In combination with SPF and DMARC records, a good (though not complete) level of email security is achieved when sending emails.
When to use DKIM:
In general, you should always use DKIM if you send your emails using a custom domain, e.g. info@mailjerry.com (“mailjerry.com” being the custom domain). If you do not use a custom domain for your email address (e.g. “mailjerry@gmail.com”), you don’t need to do anything, as the email provider manages the DKIM records for you.
👍 Rule of thumb: If you have access to the domain’s DNS panel and / or pay a monthly / yearly fee to use a certain domain for your email address, you should add a DKIM record.
Advantages of DKIM:
✅ Email security is enhanced
✅ Email deliverability is improved
✅ Your emails are not marked as spam
✅ DKIM is compatible with the existing email infrastructure
✅ DKIM is easily set up through DKIM DNS records
How Does DKIM Work?
To check if an email was actually sent from the domain it claims to come from, DKIM uses public / private key cryptography.
Here’s how it works:
What happens on the sender’s side:
When an email is sent, the sending mail server creates a hash (= output of a hashing algorithm) of the email content and signs it with the domain’s private DKIM key; the matching public key is stored in the domain’s DNS settings. This signed hash (the DKIM signature) is then stored in the email header.
What happens on the recipient’s side:
After receiving the email, the recipient’s mail server calculates the hash value from the received email and looks up the domain’s public key in DNS to check the signature.
If the hash calculated by the receiving mail server and the hash included in the mail header match, the recipient’s mail server knows that the email hasn’t been altered.
What happens if the email is altered during the transmission?
In case any intermediate system modifies signed parts of the email, the DKIM signature in the email header is marked as invalid.
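The following script is an added example (not part of the original article) that walks through the sender’s and recipient’s side described above for the body part of a DKIM signature: it computes the bh= body hash with the “simple” canonicalization of RFC 6376, builds the DKIM-Signature header, derives the DNS name of the public key record (the TXT record from step 02 of the setup), and re-checks the hash on the receiving side, including the altered-in-transit case. The message body, domain and selector are constructed sample values; the b= tag, which is the RSA signature over the headers, is left as a placeholder because checking it needs the public key and an RSA library.

```python
import base64
import hashlib
import re

# Constructed sample message body, as handed to the signing server (not a real message).
SIGNED_BODY = "Hello,\r\n\r\nYour invoice is attached.\r\n-- MailJerry\r\n"


def canonicalize_body_simple(body: str) -> bytes:
    """RFC 6376 'simple' body canonicalization: CRLF line endings,
    trailing empty lines dropped, exactly one CRLF at the end."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body: str) -> str:
    """The bh= tag: base64(SHA-256(canonicalized body)), as the signer computes it."""
    return base64.b64encode(hashlib.sha256(canonicalize_body_simple(body)).digest()).decode()


# Sender's side: the signing server computes bh= and places it in the DKIM-Signature header.
# d= and s= tell the recipient where the public key lives; b= is the RSA signature over the
# headers listed in h= (placeholder here: checking it needs the public key and an RSA library).
DKIM_SIGNATURE_HEADER = (
    "v=1; a=rsa-sha256; c=simple/simple; d=mailjerry.com; s=selector1;"
    " h=from:to:subject; bh=" + body_hash(SIGNED_BODY) + "; b=PLACEHOLDER"
)


def parse_dkim_signature(header_value: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, ignoring folding whitespace in values."""
    tags = {}
    for part in header_value.split(";"):
        key, sep, value = part.partition("=")  # base64 padding '=' stays in the value
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def public_key_record_name(tags: dict) -> str:
    """DNS name of the TXT record the verifier fetches: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def body_hash_matches(header_value: str, received_body: str) -> bool:
    """Recipient's side: recompute the body hash and compare it with bh= from the header."""
    return body_hash(received_body) == parse_dkim_signature(header_value)["bh"]
```

Extra blank lines appended at the end of the body still verify, because the simple canonicalization ignores them, while any change to the text itself makes the recomputed hash differ from bh=.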
FAQ:
Frequently Asked Questions about DKIM
How do I check if DKIM works or is set up properly?
To check if your DKIM works properly, you can use a DKIM tool like the DKIM check by MxToolBox or use MailTester to check all records for your domain in one go.
If you have a Gmail or Yahoo email address, you can send a test email to this address. As soon as the test email arrives, click on the icon below the sender’s name. If the domain the email was sent from appears in the sections “mailed-by” and “signed-by”, your DKIM DNS record is set up correctly.
What’s the difference between DKIM and SPF?
DKIM and SPF are both email authentication methods. SPF defines which email servers are allowed to send emails on the domain’s behalf. DKIM, on the other hand, verifies that an email was sent by the domain it claims to come from.
In short, this means:
- SPF says “Yes, the server may send emails on behalf of a certain domain”
- DKIM says “Yes, it’s verified that the email was sent by the domain it claims to come from.”
Can I have multiple DKIMs?
Yes, a domain can have multiple DKIM DNS records. If you use multiple DKIMs for one domain, every DKIM DNS record must have a unique selector to specify which key should be used for which DKIM validation.
Example:
- selector1._domainkey.mailjerry.com
- selector2._domainkey.mailjerry.com
What happens if I don’t have a DKIM DNS record?
If you don’t set up a DKIM DNS record for your domain, it’s very easy for phishing and spam bots to send emails claiming the email comes from your domain. Furthermore, without a DKIM record, most large providers like Gmail or MS 365 will classify your email as spam. Therefore, without a DKIM, it’s very likely that the recipient won’t receive your email.
Is DKIM secure enough?
Back in 2012, DKIM used very short keys, which made it easy to crack the keys and forge DKIM signatures. Nowadays, DKIM uses much longer keys, making it significantly more secure. However, DKIM alone isn’t secure enough. You should always use DKIM in combination with an SPF and DMARC record.
Does DKIM encrypt messages?
No. DKIM only verifies that the domain an email was sent from is legitimate. This is done with a public / private key pair that signs and verifies the message. The message itself is not encrypted.
Do I need an SSL certificate to use DKIM?
No. You don’t need an SSL certificate in order to use DKIM.
How do I set up DKIM for Google Mail?
If your domain is managed by Google Domains, Google automatically adds the DKIM DNS record for you. You only have to turn on DKIM by following this tutorial: Turn on DKIM in your Admin console.
In case you manage your domain yourself, follow this tutorial to set up DKIM for your Gmail email.
Do I have to set up DKIM if I use MS 365 with a custom domain?
Yes, simply follow this tutorial.
I use an email address with Microsoft Online Email Routing (e.g. mailjerry.onmicrosoft.com). Do I need a DKIM DNS record?
No. In this case, Microsoft creates and manages all keys automatically for you.
Do I have to set up DKIM even if I don’t use my custom domain to send or receive emails?
No. In fact, it’s recommended not to set up a DKIM record for domains that are not associated with an email address. The lack of a DKIM record for these domains prevents the domain from being abused for DKIM forgery.