Tags: DKIM, email authentication, cryptography, email security

DKIM Explained: Digital Signatures for Email Security

Understand how DKIM (DomainKeys Identified Mail) uses cryptographic signatures to verify email authenticity and prevent tampering during transit.

Author: MailSentinel Team

November 20, 2024 · 5 min read

While SPF checks whether the sending server's IP address is authorized for the envelope sender's domain, DKIM (DomainKeys Identified Mail) lets a domain take responsibility for a message with a digital signature. A receiver can verify that the signed headers and the body have not been altered since the signing domain signed them. It's like a wax seal on a letter - proof that the sealed parts of the message are authentic and unchanged.

How DKIM Works

DKIM uses public-key cryptography to sign outgoing emails and verify them on receipt.

The Signing Process

  1. Generate a key pair: A private key (kept secret on the signing server) and a public key
  2. Publish the public key: Put the public key in a DNS TXT record at <selector>._domainkey.<domain> so that any receiver can fetch it
  3. Sign the email: The sending server canonicalizes the body and hashes it (the bh= tag), then hashes the selected headers together with the DKIM-Signature header itself and signs that hash with the private key (RSA-SHA256 in practice; this is a signature, not encryption)
  4. Add the signature: The signature and the tags describing how it was made are placed in a DKIM-Signature header

The Verification Process

When a receiving server gets your email:

  1. Extracts the DKIM-Signature header and reads the d= (signing domain) and s= (selector) tags
  2. Looks up the public key at <s>._domainkey.<d> in DNS
  3. Canonicalizes the body, hashes it and compares the result with the bh= tag
  4. Canonicalizes the headers listed in h= (plus the DKIM-Signature header with b= emptied) and hashes them
  5. Verifies the b= signature over that hash with the public key - if it checks out, the message passes DKIM for the d= domain

Anatomy of a DKIM Signature

Here's what a DKIM-Signature header looks like:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=example.com; s=selector1;
  h=from:to:subject:date:message-id;
  bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;
  b=AuUoFEfDxTDkHlLXSZEpZj79LICEps6eda7W3deTVFOk4yAUoqOB
    4nujc7YopdG5dWLSdNg6xNAZpOPr+kHxt1IrE+NahM6L/LbvaHut
    KVdkLLkpVaVVQPzeRDI009SO2Il5Lu7rDNH6mZckBdrIx0orEtZV
    4bmp/YzhwvcubU4=

Key Components

Tag   Meaning            Example
v     Version            v=1
a     Algorithm          a=rsa-sha256
c     Canonicalization   c=relaxed/relaxed (header/body)
d     Signing domain     d=example.com
s     Selector           s=selector1
h     Signed headers     h=from:to:subject
bh    Body hash          Base64-encoded hash
b     Signature          Base64-encoded signature
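The verification steps above, minus the final RSA check, as an added example written for this article (it is not MailSentinel's or any library's code, and uses only the Python standard library). The message, selector and domain are constructed for illustration, and the b= value is a placeholder because no private key is involved offline. What the script does show is the part that breaks most often in practice: relaxed/relaxed canonicalization, the bh= recomputation, and exactly which bytes the b= signature covers.

```python
import base64
import hashlib
import re


def parse_tags(value: str) -> dict:
    """Turn 'v=1; a=rsa-sha256; ...' into a dict; folding whitespace inside values is dropped."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            name, val = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def split_message(raw: str):
    """Return ([(name, raw value), ...], body) for a CRLF-terminated message."""
    head, _, body = raw.partition("\r\n\r\n")
    fields = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and fields:  # folded continuation of the previous field
            name, val = fields[-1]
            fields[-1] = (name, val + "\r\n" + line)
        else:
            name, val = line.split(":", 1)
            fields.append((name, val))
    return fields, body


def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 3.4.2: lowercase the name, unfold, squeeze WSP, trim around the colon."""
    value = re.sub(r"\r\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return f"{name.strip().lower()}:{value}\r\n"


def relaxed_body(body: str) -> str:
    """RFC 6376 3.4.4: strip line-end WSP, squeeze WSP, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def body_hash(body: str) -> str:
    """The bh= value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()


def select_headers(fields, h_tag: str):
    """Take the fields named in h=, last unused occurrence first (RFC 6376 5.4.2).
    Listing a name twice in h= (oversigning) makes a later-added duplicate break the signature."""
    remaining, chosen = list(fields), []
    for wanted in h_tag.split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].strip().lower() == wanted.lower():
                chosen.append(remaining.pop(i))
                break
    return chosen


def check(raw: str) -> dict:
    """Verifier-side steps that need no DNS: key record name, bh= check, data the b= signature covers."""
    fields, body = split_message(raw)
    sig_name, sig_value = next((n, v) for n, v in fields if n.lower() == "dkim-signature")
    tags = parse_tags(sig_value)
    parts = [relaxed_header(n, v) for n, v in select_headers(fields, tags["h"])]
    # The DKIM-Signature header itself is hashed last, with b= emptied and without a final CRLF.
    stripped = re.sub(r"(^|;)(\s*)b=[^;]*", r"\1\2b=", sig_value)
    parts.append(relaxed_header(sig_name, stripped).rstrip("\r\n"))
    return {
        "dns_name": f"{tags['s']}._domainkey.{tags['d']}",  # where the verifier fetches p=
        "bh_ok": body_hash(body) == tags["bh"],             # fails on any change to the body
        "signed_data": "".join(parts),                      # input to the RSA check of b=
    }


# Constructed sample message: the signer side fills in bh= for this body; b= is a
# placeholder because no private key is involved in this offline example.
BODY = "Hello DKIM  world \r\n\r\n"
SIGNED_MESSAGE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    "  s=selector1; h=from:to:subject:from;\r\n"
    f"  bh={body_hash(BODY)}; b=PLACEHOLDER\r\n"
    "From: Alice <alice@example.com>\r\n"
    "To:  bob@example.org\r\n"
    "Subject: Re:   test\r\n"
    "\r\n" + BODY
)

if __name__ == "__main__":
    result = check(SIGNED_MESSAGE)
    print(result["dns_name"], result["bh_ok"])
    print(check(SIGNED_MESSAGE.replace("Hello DKIM", "Hello DKlM"))["bh_ok"])  # tampered body
```

Two things worth noticing when you run it: adding trailing blank lines or collapsing double spaces in the body leaves bh= unchanged under relaxed canonicalization, which is why the "Body Hash Mismatch" advice later in this article recommends it, while changing a single letter flips bh_ok to False. The dns_name it prints is exactly the record you would query with dig TXT when debugging a "key not found" failure.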

DKIM Selectors

The selector allows you to have multiple DKIM keys for the same domain. This is essential for:

  • Using different keys for different sending services
  • Rotating keys without downtime
  • Separating production and testing environments

Common Selector Patterns

  • google or goog - Google Workspace
  • selector1, selector2 - Microsoft 365
  • s1, s2 - SendGrid
  • k1 - Mailchimp
  • Custom selectors for other services

Finding DKIM Selectors

DKIM public keys are published as TXT records at:

<selector>._domainkey.<domain>

Example for Google Workspace:

google._domainkey.example.com

Setting Up DKIM

Step 1: Generate Keys

Most email services generate DKIM keys for you. For custom setups:

# Generate a 2048-bit RSA key pair
openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout -out public.key

Step 2: Publish the Public Key

Create a TXT record in your DNS:

Record: selector._domainkey.example.com
Type: TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhki...

The p= value is the base64 body of public.key with the BEGIN/END PUBLIC KEY lines removed and the remaining lines joined into one string. With a 2048-bit key the record is longer than the 255-character limit of a single TXT string, so most DNS providers require it to be entered as two or more quoted strings, which resolvers concatenate back together.

Step 3: Configure Your Mail Server

Configure your email server or service to sign outgoing emails with the private key.

Step 4: Test the Configuration

Send a test email and check the headers for a valid DKIM-Signature.

DKIM for Third-Party Services

Google Workspace

  1. Admin Console → Apps → Google Workspace → Gmail → Authenticate Email
  2. Generate new record
  3. Add the TXT record to your DNS
  4. Start authentication

Microsoft 365

  1. Exchange Admin Center → Protection → DKIM
  2. Enable DKIM for your domain
  3. Add the two CNAME records provided
  4. Enable signing

SendGrid

  1. Settings → Sender Authentication → Domain Authentication
  2. Enter your domain
  3. Add the provided DNS records (CNAME for DKIM)
  4. Verify

Mailchimp

  1. Account → Settings → Domains
  2. Add and verify your domain
  3. Add the provided DKIM record
  4. Enable authentication

Key Size Recommendations

Key Size    Security   Recommendation
1024-bit    Minimum    Legacy only
2048-bit    Standard   Recommended
4096-bit    High       May have DNS length issues

Important: Google and Yahoo now require at least 1024-bit keys. Use 2048-bit for best compatibility and security.
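Step 2 above (publishing the key) and the key-size table are easy to get wrong in ways that only show up as "key not found" or "incorrect public key format" later. The following added example, written for this article and not MailSentinel's or OpenSSL's code, builds the TXT record from a DER public key, splits it into 255-character strings, and then does what a verifier or monitoring tool does with the record: join the strings, parse the tags, decode p= and read the modulus size out of the ASN.1 structure. Standard library only; the modulus used for the demo is a constructed 2048-bit number, not a real RSA key, because only its size matters here.

```python
import base64

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 rsaEncryption
DER_NULL = b"\x05\x00"


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (definite length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:
        body = b"\x00" + body  # leading zero keeps the INTEGER positive
    return der(0x02, body)


def rsa_spki_der(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo for an RSA key: the DER that `openssl rsa -pubout` base64-encodes."""
    rsa_key = der(0x30, der_int(n) + der_int(e))
    return der(0x30, der(0x30, RSA_OID + DER_NULL) + der(0x03, b"\x00" + rsa_key))


def der_read(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Walk SPKI -> BIT STRING -> RSAPublicKey and return the modulus size in bits."""
    tag, outer, _ = der_read(spki, 0)
    alg_tag, alg, pos = der_read(outer, 0)
    if tag != 0x30 or alg_tag != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    bits_tag, bitstr, _ = der_read(outer, pos)
    if bits_tag != 0x03 or bitstr[:1] != b"\x00":
        raise ValueError("malformed BIT STRING")
    _, rsa_key, _ = der_read(bitstr, 1)
    _, modulus, _ = der_read(rsa_key, 0)
    return int.from_bytes(modulus, "big").bit_length()


def build_txt_record(spki: bytes) -> list:
    """Split the record into <=255-byte strings (RFC 1035 limit on one TXT character-string)."""
    value = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
    return [value[i:i + 255] for i in range(0, len(value), 255)]


def zone_line(name: str, strings: list) -> str:
    return f"{name}. IN TXT " + " ".join(f'"{s}"' for s in strings)


def assess_record(strings: list, min_bits: int = 2048) -> dict:
    """What a verifier (or a monitoring tool) checks after joining the TXT strings."""
    tags = {}
    for item in "".join(strings).split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = "".join(v.split())  # FWS is allowed inside tag values
    if tags.get("v", "DKIM1") != "DKIM1":         # v= is optional; if present it must be DKIM1
        return {"ok": False, "reason": "unsupported version"}
    if tags.get("k", "rsa") != "rsa":
        return {"ok": False, "reason": "unsupported key type"}
    if "p" not in tags:
        return {"ok": False, "reason": "missing p= tag"}
    if tags["p"] == "":
        return {"ok": False, "reason": "key revoked (empty p=)"}
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError) as exc:
        return {"ok": False, "reason": f"malformed public key: {exc}"}
    if bits < min_bits:
        return {"ok": False, "bits": bits, "reason": f"{bits}-bit key is below {min_bits}"}
    return {"ok": True, "bits": bits}


# Constructed modulus of exactly 2048 bits (not a real RSA key; only its size matters here).
DEMO_SPKI = rsa_spki_der((1 << 2047) + 1, 65537)
DEMO_RECORD = build_txt_record(DEMO_SPKI)

if __name__ == "__main__":
    print(zone_line("selector1._domainkey.example.com", DEMO_RECORD))
    print(assess_record(DEMO_RECORD))
```

To use this with a real key, feed it the DER from `openssl rsa -in private.key -pubout -outform DER`; the 2048-bit record comes out as two strings because the full value is 410 characters. An empty p= is the documented way to revoke a selector after rotation, which is why the checker reports it separately from a missing or malformed key.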

DKIM and DMARC Alignment

For DMARC to pass based on DKIM:

  1. DKIM signature must be valid
  2. The d= domain in the signature must align with the From: header domain

Alignment Modes

Relaxed Alignment (default, DMARC adkim=r) - the organizational domains must match, so a subdomain in d= aligns with its parent domain in From::

d=mail.example.com → From: hello@example.com ✅

Strict Alignment (adkim=s) - d= must equal the From: domain exactly:

d=mail.example.com → From: hello@example.com ❌
d=example.com → From: hello@example.com ✅
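The alignment check in code, as an added example for this article (not MailSentinel's or any DMARC library's implementation). It uses only the Python standard library, takes the From: domain from the address rather than the display name, and compares whole domain labels. The organizational-domain step is simplified to "last two labels"; a real implementation consults the Public Suffix List so that example.co.uk is treated as one organizational domain.

```python
from email.utils import parseaddr


def organizational_domain(domain: str) -> str:
    """Simplification for this example: the last two labels.
    Real DMARC code uses the Public Suffix List (example.co.uk has three)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def from_domain(from_header: str) -> str:
    """Domain of the RFC5322.From address, ignoring any display name."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        raise ValueError(f"no address in From: {from_header!r}")
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def dkim_aligned(d_tag: str, from_header: str, mode: str = "relaxed") -> bool:
    """adkim=r (relaxed): organizational domains match; adkim=s (strict): exact match.
    Compare whole labels, never with endswith(): 'notexample.com' ends with 'example.com'."""
    d = d_tag.lower().rstrip(".")
    f = from_domain(from_header)
    if mode == "strict":
        return d == f
    if mode != "relaxed":
        raise ValueError("mode must be 'relaxed' or 'strict'")
    return organizational_domain(d) == organizational_domain(f)


if __name__ == "__main__":
    for d, frm, mode in [("mail.example.com", "hello@example.com", "relaxed"),
                         ("mail.example.com", "hello@example.com", "strict"),
                         ("example.com", "hello@example.com", "strict")]:
        print(f"d={d} From: {frm} ({mode}) ->", dkim_aligned(d, frm, mode))
```

The last two assertions in the accompanying check are the cases that matter for spoofing: a display name that looks like an address ("alice@example.com" <x@evil.net>) contributes nothing to alignment, and a From: domain of example.com.evil.net does not align with a d=example.com signature even though it contains that string.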

Common DKIM Problems

1. Signature Verification Fails

Causes:

  • Email modified in transit (mailing lists, forwarding)
  • DNS propagation delays
  • Incorrect public key format

Solutions:

  • Check DNS record is correctly published
  • Verify the public key format
  • Wait for DNS propagation (up to 48 hours)

2. Key Not Found

Causes:

  • Wrong selector name
  • DNS record not published
  • TTL caching issues

Solutions:

  • Verify selector name matches the signature
  • Check DNS with multiple tools
  • Clear DNS caches

3. Body Hash Mismatch

Causes:

  • Email content modified after signing
  • Different canonicalization algorithms
  • Character encoding issues

Solutions:

  • Check for systems modifying emails in transit
  • Use relaxed canonicalization (c=relaxed/relaxed)

4. Multiple DKIM Signatures

It's valid to have multiple DKIM signatures (e.g., one from your domain and one from your ESP). Receiving servers evaluate each one independently: the message passes DKIM if at least one signature verifies, and passes DMARC via DKIM if at least one of the verified signatures is aligned with the From: domain. A broken signature from a third party does not invalidate a good one from your domain.

Monitoring DKIM with MailSentinel

MailSentinel helps you stay on top of DKIM:

  • Selector Discovery: Automatically find all DKIM selectors for your domain
  • Key Validation: Verify key size, format, and DNS publication
  • Pass Rate Tracking: Monitor DKIM pass/fail rates from DMARC reports
  • Expiration Alerts: Get notified when DKIM keys should be rotated

Best Practices

Do's

  • ✅ Use 2048-bit RSA keys
  • ✅ Sign important headers (From, To, Subject, Date, Message-ID)
  • ✅ Use relaxed canonicalization for resilience
  • ✅ Rotate keys annually
  • ✅ Monitor DKIM pass rates

Don'ts

  • ❌ Share private keys between services
  • ❌ Use 512 or 768-bit keys
  • ❌ Forget to sign when adding new sending services
  • ❌ Ignore DKIM failures in DMARC reports

Conclusion

DKIM is essential for proving your emails are authentic and unmodified. Combined with SPF and DMARC, it creates a robust authentication system that protects your domain and improves deliverability.

Start monitoring your DKIM with MailSentinel to ensure your signatures are always valid.

Protect your domain with MailSentinel

Monitor DMARC, SPF, and DKIM in real-time. Get instant alerts when issues arise and improve your email deliverability.