How to Create a DKIM Record: the Right Way

DKIM holds the key to the heart of email authentication. Two keys, actually. Once you know what DKIM is, you are probably eager to get your own DKIM TXT record in place. In general, implementing DKIM is a matter of following the instructions of your third-party senders and the documentation of your own mail server. Below we’ll show you how to create a DKIM record for your domain by generating a key pair and publishing the public half.

But first, we will explain what a DKIM record is. Of course, we cannot avoid talking a little bit about selectors here, as well. In the end, you will know how to add a DKIM record and how to test it properly. You will reap the benefits of DKIM signing in no time!

What is a DKIM record?

Just as the name implies, DomainKeys Identified Mail (DKIM) uses domain keys to identify mail. To most humans, these keys just look like a bunch of gibberish. Moreover, the cryptographic signature they produce is only visible to the naked eye if you dig into the raw source (the headers) of an email.

For proper functionality, two domain keys need to be created: a key pair. The DKIM DNS record is the part that you add to the DNS of your domain. It typically consists of a long string of characters that contains the public key. This key is visible to everyone, hence the name public key. The other part lives on the sending (SMTP) server and is known as the private key. DKIM uses the private key to automatically add a signature header, the DKIM-Signature header, to every outgoing email.


Domain keys

So the first step in creating a DKIM record is having a key pair. To be honest, implementing DKIM hardly ever requires anyone to generate a DKIM key pair themselves, especially when your mail server or sending service already provides one of its own that you cannot replace. Depending on your situation, there are a few things you can do:

  1. Get information from the hosts (ESPs) that send emails on your behalf. They often publish advice or instructions about their DKIM settings online. Or simply contact them and request a copy of the public key.
  2. If you run your own email server, it may have native DKIM functionality. Then it’s best to first look for any available documentation on private/public key generation and on how the record should be created.
  3. OpenDKIM is an open-source project that lets you create DKIM keys without a third party.
  4. Another option is to use OpenSSL to generate the DKIM keys.
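The OpenSSL route from option 4, as an added example that is not part of the original article: it generates a 2048-bit RSA key pair, keeps the private key on disk for the mail server, and prints the public half in the form the DNS record needs. The selector ‘dkim’ and domain ‘example.com’ are the sample values used later in this article.

```shell
#!/bin/sh
# Added example (not from the article): generate a 2048-bit RSA DKIM key pair
# with OpenSSL and turn the public half into the TXT record value.
# Selector "dkim" and domain "example.com" are the article's sample values.
set -eu

# dkim_record_name SELECTOR DOMAIN -> SELECTOR._domainkey.DOMAIN
dkim_record_name() {
  printf '%s._domainkey.%s\n' "$1" "$2"
}

# dkim_keygen SELECTOR OUTDIR
# Writes OUTDIR/SELECTOR.private (stays on the mail server, never published)
# and prints the record value "v=DKIM1; k=rsa; p=<base64 public key>".
dkim_keygen() {
  priv="$2/$1.private"
  mkdir -p "$2"
  # umask in a subshell: the private key is created owner-readable only
  # without changing the caller's umask
  ( umask 077; openssl genpkey -algorithm RSA \
      -pkeyopt rsa_keygen_bits:2048 -out "$priv" 2>/dev/null )
  # p= carries the DER-encoded public key as a single base64 line, i.e. the
  # PEM public key with its BEGIN/END lines and line breaks removed
  pub=$(openssl pkey -in "$priv" -pubout -outform DER 2>/dev/null | openssl base64 -A)
  printf 'v=DKIM1; k=rsa; p=%s\n' "$pub"
}

# dkim_zone_line SELECTOR DOMAIN VALUE -> BIND-style zone file line.
# A single TXT string may hold at most 255 characters, so a 2048-bit key is
# split into several quoted strings; verifiers concatenate them again.
dkim_zone_line() {
  chunks=$(printf '%s' "$3" | fold -w 255 | sed 's/.*/"&"/' | tr '\n' ' ')
  printf '%s. IN TXT %s\n' "$(dkim_record_name "$1" "$2")" "${chunks% }"
}

# Usage when run directly:
# dkim_zone_line dkim example.com "$(dkim_keygen dkim ./keys)"
```

Web-based DNS editors usually accept the unsplit value and chunk it for you; the zone-file form matters when you edit zone files by hand.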

DKIM Selectors example

DKIM selectors tell the recipient’s server exactly where to find the public key in the DNS of your domain. With this information, their server looks up the record and uses the public key to verify the signature that your private key created. If the signature verifies, the email lands in the intended inbox. If it does not, the message goes straight to the spam folder or bounces.

You can choose your own selector name, as long as it hasn’t been used before on the domain. It is even possible to keep different departments, like marketing and finance, separate by giving each its own key pair: one selector would be ‘finance’ and the other could be ‘newsletter’. This is just one of many possibilities and is definitely not required. For now, we like to keep it simple and basic. Since at least one selector is required, feel free to pick a unique name and stick with it.

How to create a DKIM record

A big part of creating a DKIM record actually consists of adding it to the DNS. There, the receiver can find it and use it to verify that your emails are still in their original state. Now that you have generated the DKIM key pair, you need to publish the public key. Below is an example of how to add a DKIM record with a DNS zone editor. Note that yours may look different, but the concept is usually the same.

In our example, we named the selector ‘dkim’. The domain we use is ‘example.com’. To show the receiving server which DNS record concerns DKIM, you add ‘._domainkey’ after the selector. So the name of our TXT record becomes ‘dkim._domainkey.example.com’. The ‘Record’ part starts by stating the version of the DKIM protocol as ‘v=DKIM1’, followed by ‘k’ for the key type. Here, we use an RSA key (k=rsa), which is the most commonly used key type. Lastly, there’s ‘p’, which holds the public key. This is where the full public key comes into play.


Test your DKIM record

After this record is added to the DNS, you still need to add the private key to your email provider or SMTP server. Most providers have instructions on how to do that. And that’s it! Your record is ready for testing. Every time you add or update a DKIM record, you want to make sure that it’s valid: the name resolves, the tags are well-formed, and the ‘p’ value really is your public key.
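A small checker for the record value, as an added example that is not part of the original article. It parses the ‘tag=value’ list, checks the ‘v’, ‘k’ and ‘p’ tags described above, and confirms that ‘p’ decodes to an RSA public key of reasonable size. The sample record is constructed from a throwaway key so the script runs offline; in practice you feed it the value a DNS TXT lookup of ‘selector._domainkey.yourdomain’ returns.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check a DKIM TXT record value.
# The sample record is built from a throwaway key so this runs offline.
set -eu

# dkim_tag RECORD TAG: value of TAG in a "tag=value; tag=value" list.
# RFC 6376 allows whitespace around '=' and inside p=, so it is stripped.
dkim_tag() {
  printf '%s' "$1" | tr ';' '\n' \
    | sed -n "s/^[[:space:]]*$2[[:space:]]*=//p" | tr -d '[:space:]'
}

# dkim_check RECORD: prints "ok rsa <bits>" and returns 0 for a usable
# record; otherwise prints the problem and returns 1.
dkim_check() {
  v=$(dkim_tag "$1" v); k=$(dkim_tag "$1" k); p=$(dkim_tag "$1" p)
  # v= is optional, but when present it must be exactly DKIM1
  if [ -n "$v" ] && [ "$v" != "DKIM1" ]; then
    echo "bad version tag: $v"; return 1
  fi
  # k= defaults to rsa; this checker only understands RSA keys
  k=${k:-rsa}
  if [ "$k" != "rsa" ]; then
    echo "unsupported key type: $k"; return 1
  fi
  # an empty p= is how RFC 6376 says "this key has been revoked"
  if [ -z "$p" ]; then
    echo "empty or missing p= (key revoked or record incomplete)"; return 1
  fi
  # p= must be base64 DER that OpenSSL can parse as an RSA public key
  bits=$(printf '%s' "$p" | openssl base64 -d -A 2>/dev/null \
    | openssl pkey -pubin -inform DER -text -noout 2>/dev/null \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  if [ -z "$bits" ]; then
    echo "p= does not decode to an RSA public key"; return 1
  fi
  # 1024-bit keys still exist in the wild but are too weak for new records
  if [ "$bits" -lt 2048 ]; then
    echo "weak key: $bits bits (use at least 2048)"; return 1
  fi
  echo "ok $k $bits"
}

# Constructed sample: a fresh throwaway key, not any real domain's record
sample_record() {
  pub=$(openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 2>/dev/null \
    | openssl pkey -pubout -outform DER 2>/dev/null | openssl base64 -A)
  printf 'v=DKIM1; k=rsa; p=%s' "$pub"
}
```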

In conclusion

DKIM is more than just a key pair; the keys are only the part that does the validating. As shown above, it is not that hard to create a DKIM record. Once you have gone through the process, receivers can easily verify the emails you send. This helps to improve deliverability and protects your emails against phishing attacks that spoof your domain.

If you need any other information about DMARC, SPF, or DKIM, please contact us or leave your comments below.
