In this DKIM setup guide, we’ll walk you through the steps to set up DKIM correctly, test it, avoid common pitfalls, and fix common mistakes.
Here are the steps to a correct DKIM setup:
In case you’re new to DKIM, we’ll start with a high-level overview before getting to the step-by-step instructions.
DomainKeys Identified Mail (DKIM) is a technique that uses a cryptographic key pair to digitally sign your emails, so your recipients can verify that a message has not been forged or altered in transit.
DKIM uses asymmetric (public-key) cryptography to create a digital signature in the header of your emails. Receiving SMTP servers check that signature against the public key you publish in DNS to verify that the message really came from the sending domain.
For more information, you can read our explanation of DKIM for email.
In order to set up DKIM, you’ll need a few things:
Once you have these things, here’s how to set up a DKIM package:
List all domains and subdomains from which you send email messages. If you use any third-party platforms to send emails, make sure you include those too. For example, check if you’re sending emails from platforms like these:
You’ll need to install a DKIM package, like OpenDKIM, on your email server. Your choice of DKIM package will depend on the email server’s operating system. The installation process will depend on the DKIM package and operating system.
You’ll have to specify selector names for your key pairs. Selectors tell receiving email servers where to find the public key for each domain. It’s best to make selectors descriptive of what their domain sends. For example, the selector for your email marketing domain could be “marketing.”
Your DKIM wizard should return a selector record that should look something like this:
You’ll need to add a TXT record with that name to your DNS. The value of the record is a specially-formatted version of your DKIM key and some identifying information that tells receivers how to interpret your DKIM key. The complete record will look something like this, which is the DKIM record for Agari.com:
s1024._domainkey.Agari.com. v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQwPqBxkIOc1YVnJv3Occfbd3S68
Note that changes to your DNS can take as many as two days to take effect.
Your DKIM wizard should also produce your private key, which should be stored wherever your DKIM package specifies.
Your particular server or email service provider may have additional instructions for installing DKIM. If you’re using an email service provider or hosting provider, work with them for any necessary server configuration.
Use a DKIM record checker to make sure receiving email servers can locate your public key. They’ll look for this when they’re verifying that an email came from your domain.
If your checker doesn’t locate your DKIM record, remember that it can take as much as 48 hours or more for your DKIM record to propagate. Other common mistakes include:
Multiple records named selector._domainkey: This can result in email servers rejecting your DKIM records as invalid; make sure you have only one DKIM record in your DNS for each selector name.
You’ve entered an incorrect DKIM record name: Some DNS hosts automatically add your domain at the end of a selector._domainkey TXT record; if you entered it manually, check to make sure it didn’t add an additional “.domain” to your record
You have a missing or misconfigured private or public key: Both are required to be present; sometimes fixing this is as easy as regenerating the public and private key pair
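The checks above are easy to automate once you have the TXT values a resolver returns. The following Python script is an added example (it is not part of this guide and not Agari's tooling): it derives the lookup name from the s= and d= tags of a DKIM-Signature header, then checks the published record for the three pitfalls just listed plus the basic tag syntax of RFC 6376. The domain, selector and record are constructed, and the "public key" is a zero-filled placeholder of the right length, not a real key.

```python
"""Added example (not part of the original guide, and not Agari's code):
an offline checker for the DKIM pitfalls listed above. Names and records
here are constructed; the "public key" is a placeholder, not a real key."""
import base64
import re
from typing import Dict, List

# Constructed placeholder: a DER SEQUENCE header followed by zero bytes, the
# same length (162 bytes) as a real 1024-bit RSA SubjectPublicKeyInfo.
FAKE_PUBKEY = base64.b64encode(b"\x30\x81\x9f" + b"\x00" * 159).decode()
GOOD_RECORD = f"v=DKIM1; k=rsa; p={FAKE_PUBKEY}"


def parse_tags(tag_list: str) -> Dict[str, str]:
    """Parse a DKIM tag=value list (RFC 6376 syntax, shared by the
    DKIM-Signature header and the key record). Whitespace inside values
    is dropped because long base64 values are often folded."""
    tags = {}
    for item in tag_list.split(";"):
        item = item.strip()
        if not item:
            continue  # trailing ';' or empty element
        if "=" not in item:
            raise ValueError(f"malformed tag: {item!r}")
        name, value = item.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def lookup_name(dkim_signature_header: str) -> str:
    """The DNS name a receiver queries: <selector>._domainkey.<signing domain>,
    taken from the s= and d= tags of the DKIM-Signature header."""
    tags = parse_tags(dkim_signature_header)
    return f"{tags['s']}._domainkey.{tags['d']}"


def check_dkim_record(name: str, txt_values: List[str], domain: str) -> List[str]:
    """Return the problems found; an empty list means the record looks good.

    name       -- the DNS name as published, e.g. marketing._domainkey.example.com
    txt_values -- every TXT value a resolver returns for that name
    domain     -- the domain the key was meant to be published under
    """
    problems = []
    lname = name.lower().rstrip(".")
    # Pitfall: the DNS host appended the zone to a name that already had it.
    if lname.endswith(f"._domainkey.{domain}.{domain}".lower()):
        problems.append("record name contains the domain twice (host appended it)")
    elif not re.fullmatch(r"[a-z0-9-]+\._domainkey\." + re.escape(domain.lower()), lname):
        problems.append(f"record name is not <selector>._domainkey.{domain}")
    if not txt_values:
        problems.append("no TXT record found (still propagating, or never published?)")
        return problems
    # Pitfall: more than one TXT record at the selector name.
    if len(txt_values) > 1:
        problems.append(f"{len(txt_values)} TXT records at this name; keep exactly one")
    for value in txt_values:
        try:
            tags = parse_tags(value)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but must be DKIM1 if present
            problems.append(f"unsupported version tag v={tags['v']}")
        if tags.get("k", "rsa") not in ("rsa", "ed25519"):
            problems.append(f"unknown key type k={tags['k']}")
        # Pitfall: missing or misconfigured public key.
        if "p" not in tags:
            problems.append("public key tag p= is missing")
            continue
        if tags["p"] == "":
            problems.append("p= is empty, which means the key is revoked")
            continue
        try:
            der = base64.b64decode(tags["p"], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("p= is not valid base64")
            continue
        if not der.startswith(b"\x30"):
            problems.append("p= does not decode to a DER SubjectPublicKeyInfo")
    return problems


if __name__ == "__main__":
    # Constructed header: only d= and s= matter for the lookup.
    header = "v=1; a=rsa-sha256; d=example.com; s=marketing; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED"
    name = lookup_name(header)
    print(name, check_dkim_record(name, [GOOD_RECORD], "example.com"))
    print(check_dkim_record(name + ".example.com", [GOOD_RECORD], "example.com"))
```

To use it against a live zone, feed check_dkim_record the list of TXT strings your resolver returns for the selector name; it deliberately takes a list rather than one string so the duplicate-record pitfall is visible. The DER check is only a sanity check on the first byte, not a full key parse.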
DKIM helps improve email deliverability, and when combined with Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) it can play a critical role in preventing email spoofing.
Email spoofing occurs when a fraudster sends an email that looks as though it was sent from someone else by using a forged sender address. For example, fraudsters might send your employees emails that appear to come from your CEO, or they might send your customers emails that appear to come from you.
This is one of the identity deception techniques email crime rings use to bamboozle people into revealing sensitive information—including their login credentials or financial information. Email spoofing is used in phishing and business email compromise (BEC) scams.
Sender Policy Framework (SPF) is an email authentication standard that allows domain owners to specify which servers are authorized to send email with their domain in the “Mail From:” email address. SPF allows receiving email systems to query DNS to retrieve the list of authorized servers for a given domain. If an email message arrives via an authorized server, the receiver can consider the email legitimate.
Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication standard that works as a policy layer on top of SPF and DKIM: it helps receiving systems recognize when an email isn’t coming from a company’s approved domains, and it tells those systems how to safely dispose of unauthorized email.
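What “policy layer” means in practice is easiest to see in code. The following Python function is an added example, not part of this guide: it applies a published DMARC record to the SPF and DKIM results a receiver already has, checks identifier alignment against the From: domain, and returns the disposition the record asks for. The records and domains are constructed, and the organizational-domain test is simplified to “same domain or a subdomain of it” (real receivers consult the Public Suffix List); the sp= and pct= tags are ignored for brevity.

```python
"""Added example (not from the guide): how a receiver applies a DMARC policy
on top of SPF and DKIM results. Records and domains are constructed."""
from typing import Dict, Optional, Tuple


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; adkim=s' into tags; v= must be DMARC1."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment. 's' (strict) needs an exact match; 'r'
    (relaxed, the default) accepts a subdomain relationship. Simplification:
    the organizational domain is approximated by a suffix match."""
    f, a = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return f == a
    return f == a or f.endswith("." + a) or a.endswith("." + f)


def evaluate_dmarc(record: str, from_domain: str,
                   spf_pass_domain: Optional[str] = None,
                   dkim_pass_domain: Optional[str] = None) -> Tuple[bool, str]:
    """Return (dmarc_pass, disposition).

    spf_pass_domain  -- the MAIL FROM domain if SPF passed, else None
    dkim_pass_domain -- the d= of a DKIM signature that verified, else None
    disposition      -- 'none' on pass, otherwise the record's p= policy
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass_domain is not None and aligned(
        from_domain, spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass_domain is not None and aligned(
        from_domain, dkim_pass_domain, tags.get("adkim", "r"))
    # DMARC passes if either authenticated identifier aligns with From:.
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags.get("p", "none")


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; adkim=s; aspf=r"   # constructed policy
    # Legitimate bounce subdomain passes SPF, relaxed alignment accepts it.
    print(evaluate_dmarc(record, "example.com", spf_pass_domain="bounce.example.com"))
    # A valid DKIM signature from an unrelated domain does not align.
    print(evaluate_dmarc(record, "example.com", dkim_pass_domain="attacker.example"))
```

The two calls at the bottom show why alignment matters: a message can pass SPF or DKIM for some domain and still fail DMARC, because DMARC insists that the authenticated domain match the one the user actually sees in From:.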
Brand Indicators for Message Identification (BIMI) is an email specification that works in conjunction with DMARC to enable companies to have their logos displayed next to their email messages in a recipient’s email client. Not only does this enhance brand visibility in crowded inboxes, it also verifies that the email is legitimate and comes from a trusted source.
Adding DKIM, SPF, DMARC or BIMI to a single domain is relatively easy and takes just a few moments. But applying them across all the domains in an organization’s entire email ecosystem can get complicated and costly—fast. That’s especially true when you’re talking about thousands of domains across numerous divisions and third-party email partners. Large enterprises are advised to leverage a more complete solution, such as Agari Brand Protection™.