Knowing DKIM Records and Setting Them Up Correctly


DKIM Records: Complete Guide

DKIM (DomainKeys Identified Mail) is an email authentication method that uses cryptographic signatures to verify that an email was sent from an authorized mail server and hasn’t been tampered with during transit. This guide covers everything you need to know about DKIM.

What is DKIM?

DKIM adds a digital signature to your outgoing emails. This signature is created using a private key stored on your mail server and verified using a public key published in your DNS records.

How DKIM Works

  1. Email sent: Your mail server sends an email
  2. Signature added: Server signs email with private key
  3. Email transmitted: Email sent to recipient with DKIM signature in headers
  4. Public key retrieved: Receiving server fetches your public key from DNS
  5. Signature verified: Receiving server verifies signature matches
  6. Result: Email marked as authenticated (pass) or suspicious (fail)

Why DKIM Matters

  • Email authentication: Proves email came from your domain
  • Prevents tampering: Detects if email was modified in transit
  • Improves deliverability: Authenticated emails reach inbox more often
  • Protects reputation: Makes spoofing your domain harder
  • Works with DMARC: Required for DMARC authentication
  • Industry standard: Expected by major email providers

DKIM Record Components

DKIM Signature in Email Headers

When you send an email, your mail server adds a DKIM-Signature header:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=yourdomain.com; s=google; h=from:to:subject:date;
  bh=abc123...;
  b=xyz789...

Key parts:

  • v=1: DKIM version
  • a=rsa-sha256: Algorithm used
  • d=yourdomain.com: Sending domain
  • s=google: Selector (identifies which key)
  • h=: Headers included in signature
  • bh=: Body hash
  • b=: Actual signature
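To make the bh= and b= tags concrete, here is an added Python example (not code from the original page) that applies the relaxed canonicalization named by the c= tag and assembles the exact bytes the signature covers. The RSA step itself is left to the mail server's private key; the sample headers used in the comments and tests are constructed for illustration.

```python
import base64
import hashlib
import re


def relaxed_body(body: str) -> bytes:
    """RFC 6376 'relaxed' body canonicalization: collapse runs of spaces/tabs
    in each line to one space, strip trailing whitespace, drop trailing empty
    lines, and end every line with CRLF (an empty body canonicalizes to '')."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t")
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""


def body_hash(body: str) -> str:
    """Value of the bh= tag: base64(SHA-256(canonicalized body)).
    Whitespace-only changes in transit keep it stable; a content edit breaks it."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def relaxed_header(name: str, value: str) -> bytes:
    """Relaxed header canonicalization: lowercase the name, unfold, collapse
    whitespace, strip whitespace around the colon, terminate with CRLF."""
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip(" \t")
    return f"{name.lower()}:{value}\r\n".encode()


def signed_data(headers: dict, dkim_sig_value: str) -> bytes:
    """Bytes that b= is computed over: every header named in h= (in that
    order), then the DKIM-Signature header itself with b= emptied and no
    trailing CRLF. The mail server signs exactly this with its private key."""
    tags = dict(t.split("=", 1) for t in re.sub(r"\s+", "", dkim_sig_value).split(";") if "=" in t)
    lookup = {k.lower(): v for k, v in headers.items()}          # header names are case-insensitive
    data = b"".join(relaxed_header(h, lookup[h.lower()]) for h in tags["h"].split(":"))
    sig_no_b = re.sub(r"(^|;)(\s*)b=[^;]*", r"\1\2b=", dkim_sig_value)   # blank only the b= tag
    return data + relaxed_header("DKIM-Signature", sig_no_b).rstrip(b"\r\n")
```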

DKIM Public Key in DNS

The public key is published as a TXT record:

Host: selector._domainkey.yourdomain.com
Type: TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMI...

Key parts:

  • v=DKIM1: DKIM version
  • k=rsa: Key type (RSA)
  • p=: Public key (base64 encoded)
  • t=s (optional): Testing mode
  • t=y (optional): Testing mode

Setting Up DKIM

Setup varies by email provider. Here are the most common:

Google Workspace / Gmail

Step 1: Generate DKIM Key

  1. Go to Google Admin Console
  2. Navigate to Apps → Google Workspace → Gmail
  3. Click Authenticate email
  4. Select your domain
  5. Click Generate new record
  6. Choose key length:
    • 1024-bit: Compatible with all DNS providers
    • 2048-bit: More secure (recommended)
  7. Click Generate

Step 2: Add to DNS

Google provides the TXT record:

Host: google._domainkey
Type: TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkq...

Important notes:

  • Remove spaces from the key value
  • Some DNS providers split long values into multiple strings
  • Use exact selector name provided (usually google)

Step 3: Activate DKIM

  1. Return to Google Admin Console
  2. Click Start authentication
  3. Wait 24-48 hours for DNS propagation
  4. Google will automatically verify and activate

Microsoft 365 / Outlook

Step 1: Generate DKIM Keys

  1. Go to Microsoft 365 Admin Center
  2. Navigate to Security → Threat management → Policy → DKIM
  3. Select your domain
  4. Click Create DKIM keys
  5. Microsoft generates two selectors: selector1 and selector2

Step 2: Add to DNS

Add both CNAME records:

Host: selector1._domainkey
Type: CNAME
Value: selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com

Host: selector2._domainkey
Type: CNAME
Value: selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com

Step 3: Enable DKIM

  1. Return to DKIM policy page
  2. Toggle Sign messages for this domain with DKIM signatures to Enabled
  3. Microsoft begins signing emails

SendGrid

Step 1: Authenticate Domain

  1. Log in to SendGrid
  2. Go to Settings → Sender Authentication
  3. Click Authenticate Your Domain
  4. Enter your domain
  5. Select DNS host

Step 2: Add DNS Records

SendGrid provides three records:

# CNAME Record 1
Host: s1._domainkey
Value: s1.domainkey.u12345.wl.sendgrid.net

# CNAME Record 2
Host: s2._domainkey
Value: s2.domainkey.u12345.wl.sendgrid.net

# CNAME Record 3 (optional, for link branding)
Host: em1234
Value: u12345.wl.sendgrid.net

Step 3: Verify

  1. Add all records to DNS
  2. Click Verify in SendGrid
  3. SendGrid checks DNS and activates DKIM

Mailchimp

Step 1: Start Authentication

  1. Log in to Mailchimp
  2. Go to Profile → Settings → Domains
  3. Click Add & Verify Domain
  4. Enter your domain

Step 2: Add DNS Records

Mailchimp provides three records:

# DKIM Record
Host: k1._domainkey
Value: dkim.mcsv.net

# SPF Record (if not set)
Host: @
Value: v=spf1 include:servers.mcsv.net ?all

# DMARC Record (recommended)
Host: _dmarc
Value: v=DMARC1; p=none; pct=100; rua=mailto:dmarc@yourdomain.com

Step 3: Verify

  1. Add records to DNS
  2. Click Verify Domain in Mailchimp
  3. Wait for verification (can take up to 48 hours)

DKIM Key Length

1024-bit Keys

Pros:

  • Compatible with all DNS providers
  • Smaller DNS record size
  • Faster to generate and verify

Cons:

  • Less secure (though still adequate)
  • May be deprecated in future

2048-bit Keys

Pros:

  • More secure
  • Industry recommended
  • Future-proof

Cons:

  • Larger DNS record size
  • Some DNS providers can’t handle long TXT records
  • May need to split into multiple strings

Recommendation: Use 2048-bit unless your DNS provider can’t support it.

Multiple DKIM Selectors

You can have multiple DKIM keys for one domain using different selectors.

Why Use Multiple Selectors

  • Multiple mail servers: Different servers use different keys
  • Key rotation: Transition between old and new keys
  • Service separation: One key for transactional, another for marketing
  • Testing: Test new key without affecting production

Example Configuration

# Google Workspace
google._domainkey TXT "v=DKIM1; k=rsa; p=..."

# SendGrid
s1._domainkey TXT "v=DKIM1; k=rsa; p=..."

# Custom mail server
mail._domainkey TXT "v=DKIM1; k=rsa; p=..."

All three can coexist and work simultaneously.

Verifying DKIM

Check DKIM DNS Record

Command line:

# Check specific selector
nslookup -type=TXT google._domainkey.yourdomain.com

# Or using dig (Linux/Mac)
dig TXT google._domainkey.yourdomain.com

Online tools: see the Online Testing Tools section below.

Test DKIM Signature

Send test email:

  1. Send email from your domain to Gmail
  2. Open email in Gmail
  3. Click three dots → Show original
  4. Look for DKIM result:
    dkim=pass header.i=@yourdomain.com header.s=google

Check email headers:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=yourdomain.com; s=google;
  ...

Authentication-Results: mx.google.com;
  dkim=pass header.i=@yourdomain.com header.s=google header.b=abc123;

Online Testing Tools

  • Mail Tester: mail-tester.com
    • Send to provided address
    • Get detailed authentication report
  • DKIM Validator: dkimvalidator.com
    • Send to test address
    • View DKIM signature analysis

DKIM Key Rotation

Regularly rotating DKIM keys improves security.

When to Rotate

  • Regularly: Every 6-12 months
  • Security breach: If private key compromised
  • Provider change: Switching email services
  • Key upgrade: Moving from 1024-bit to 2048-bit

Rotation Process

  1. Generate new key pair
    • Create new selector (e.g., google2023)
    • Generate new private/public key
  2. Add new public key to DNS
    google2023._domainkey TXT "v=DKIM1; k=rsa; p=NEW_KEY"
  3. Configure mail server to use new key
    • Update server to sign with new private key
    • Use new selector in signatures
  4. Monitor for issues
    • Verify new signatures pass
    • Check email deliverability
  5. Remove old key (after 48 hours)
    • Delete old DNS record
    • Revoke old private key

Troubleshooting DKIM

DKIM Signature Missing

Causes:

  • DKIM not enabled on mail server
  • Mail server not configured correctly
  • Using third-party service without DKIM setup

Solutions:

  • Verify DKIM is enabled in email service settings
  • Check mail server configuration
  • Set up DKIM for third-party services

DKIM Verification Fails

Causes:

  • DNS record not published or incorrect
  • Selector mismatch
  • Key doesn’t match signature
  • Email modified in transit
  • DNS propagation delay

Solutions:

  • Verify DNS record with nslookup
  • Check selector name matches (s= in signature)
  • Regenerate keys if needed
  • Wait 24-48 hours for DNS propagation
  • Test with multiple recipients

DNS Record Too Long

Problem: Some DNS providers reject long TXT records (2048-bit keys).

Solution 1: Split into multiple strings

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMI" "IBCgKCAQEA1234567890abcdef..."
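An added Python example (not code from the original page) covering the split-string case above together with the DNS record components and key-length sections earlier: it joins the TXT strings the way a verifier does, parses the tags, and reads the RSA modulus size out of the p= value, so a 1024-bit key is not mistaken for the recommended 2048-bit one. The sample keys are constructed placeholders that use the standard SubjectPublicKeyInfo framing around a dummy modulus; they are not real keys.

```python
import base64


def parse_dkim_record(strings) -> dict:
    """Join the TXT strings (DNS splits values over 255 bytes; a verifier concatenates
    them with no separator), split into tags, and drop whitespace inserted into the key."""
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value; return (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_key_bits(spki: bytes) -> int:
    """Modulus size of the RSA SubjectPublicKeyInfo carried in p=."""
    _, body, _ = _tlv(spki, 0)                     # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _tlv(body, 0)                      # AlgorithmIdentifier (skipped)
    _, bitstr, _ = _tlv(body, pos)                 # BIT STRING; byte 0 = unused bits
    _, rsakey, _ = _tlv(bitstr[1:], 0)             # RSAPublicKey SEQUENCE
    _, modulus, _ = _tlv(rsakey, 0)                # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(strings) -> int:
    """Validate a published record and return its key length in bits."""
    tags = parse_dkim_record(strings)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("not a DKIM1 RSA record")
    if not tags.get("p"):
        raise ValueError("empty p= tag: the key has been revoked")
    return rsa_key_bits(base64.b64decode(tags["p"]))


# Constructed sample keys (NOT real keys): standard SubjectPublicKeyInfo framing for a
# 2048- or 1024-bit RSA key, wrapped around a dummy modulus whose top byte is 0xC3.
_HDR = {2048: "30820122300d06092a864886f70d01010105000382010f003082010a0282010100",
        1024: "30819f300d06092a864886f70d010101050003818d0030818902818100"}


def sample_record_strings(bits: int) -> list:
    """A DKIM TXT value split into two strings, as DNS panels do with long keys."""
    spki = bytes.fromhex(_HDR[bits]) + b"\xc3" + bytes(bits // 8 - 1) + bytes.fromhex("0203010001")
    p = base64.b64encode(spki).decode()
    return ["v=DKIM1; k=rsa; p=" + p[:40], p[40:]]
```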

Solution 2: Use CNAME

Many services (Microsoft, SendGrid) use CNAME records instead of TXT, avoiding this issue.

Solution 3: Use 1024-bit key

Generate a smaller key if the provider can’t handle 2048-bit.

Headers Modified by Mailing List

Problem: Mailing lists modify headers, breaking DKIM signature.

Solution:

  • Use l= tag to only sign body
  • Configure mailing list not to modify headers
  • Use ARC (Authenticated Received Chain)

DKIM Best Practices

  1. Use 2048-bit keys: More secure and recommended
  2. Rotate keys regularly: Every 6-12 months
  3. Use descriptive selectors: Like google, sendgrid, not s1
  4. Test before deploying: Verify DKIM passes
  5. Monitor authentication: Check email headers regularly
  6. Combine with SPF and DMARC: Use all three for best security
  7. Document your setup: Keep records of selectors and services
  8. Use separate keys: Different keys for different services
  9. Set up monitoring: Alert on DKIM failures
  10. Keep private keys secure: Store safely, never expose

DKIM with DMARC

DKIM is most effective when combined with DMARC:

DKIM Alignment

DMARC requires the DKIM signature domain (d=) to align with the domain in the From: header.

Relaxed alignment (default):

From: user@yourdomain.com
DKIM d=mail.yourdomain.com  ← Passes (subdomain OK)

Strict alignment:

From: user@yourdomain.com
DKIM d=yourdomain.com  ← Passes
DKIM d=mail.yourdomain.com  ← Fails (must match exactly)

DMARC with DKIM

_dmarc TXT "v=DMARC1; p=quarantine; adkim=r; rua=mailto:dmarc@yourdomain.com"

  • adkim=r: Relaxed DKIM alignment
  • adkim=s: Strict DKIM alignment
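The alignment rules above, as an added Python example that is not from the original page: it extracts d= from the DKIM-Signature tags, reads adkim= from the DMARC record, and applies relaxed or strict matching. The organizational-domain helper is a stated simplification (last two labels); a real DMARC evaluator uses the Public Suffix List.

```python
import re


def org_domain(domain: str) -> str:
    """Organizational domain used by relaxed alignment. ASSUMPTION for this
    example: the last two labels. A real evaluator consults the Public Suffix
    List so that names such as example.co.uk are handled correctly."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def from_domain(from_header: str) -> str:
    """Domain of the RFC5322.From address, e.g. 'Alice <user@yourdomain.com>'."""
    return re.search(r"@([^>\s]+)", from_header).group(1).lower()


def tag_values(tag_list: str) -> dict:
    """Tags of a DKIM-Signature or DMARC record value (both use name=value; lists)."""
    return dict(t.strip().split("=", 1) for t in tag_list.split(";") if "=" in t)


def dkim_aligned(from_header: str, d: str, adkim: str = "r") -> bool:
    """adkim=s: d= must equal the From domain exactly.
    adkim=r (the default): same organizational domain, so a subdomain passes."""
    fd, d = from_domain(from_header), d.lower().rstrip(".")
    return d == fd if adkim == "s" else org_domain(d) == org_domain(fd)


def dmarc_dkim_pass(from_header: str, dkim_sig_value: str,
                    signature_verified: bool, dmarc_record: str) -> bool:
    """DMARC's DKIM leg passes only if the signature verified AND d= aligns;
    a valid signature from an unrelated domain contributes nothing."""
    adkim = tag_values(dmarc_record).get("adkim", "r")
    return signature_verified and dkim_aligned(from_header, tag_values(dkim_sig_value)["d"], adkim)
```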

Conclusion

DKIM is a critical component of email authentication. Properly configured DKIM:

  • Verifies your emails are authentic
  • Improves email deliverability
  • Protects your domain from spoofing
  • Works with SPF and DMARC for comprehensive protection

Set up DKIM for all services that send email from your domain, test thoroughly, and monitor regularly to ensure your emails are properly authenticated.

Quick Reference

Check DKIM record:

nslookup -type=TXT selector._domainkey.yourdomain.com

DKIM TXT record format:

selector._domainkey TXT "v=DKIM1; k=rsa; p=PUBLIC_KEY"

Test DKIM:

  1. Send email to Gmail
  2. Show original
  3. Look for dkim=pass

Common selectors:

  • Google: google
  • Microsoft: selector1, selector2
  • SendGrid: s1, s2
  • Mailchimp: k1