Configuring DKIM

Complete step-by-step guide to setting up DKIM (DomainKeys Identified Mail) for email authentication and improved deliverability.

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your emails, proving they came from your domain and haven't been tampered with. This guide covers everything you need to set up DKIM correctly.

What is DKIM?

DKIM works by:

  1. Signing emails - Your mail server adds a digital signature to each outgoing email
  2. Publishing public keys - You publish DKIM public keys in your DNS
  3. Verification - Receiving servers verify signatures using your public keys

Why DKIM Matters

  • Email Authentication - Required by Google, Yahoo, and Microsoft for bulk senders
  • Deliverability - Improves inbox placement rates
  • Security - Detects tampering in transit and, combined with DMARC, lets receivers reject mail that spoofs your domain
  • Reputation - Builds domain reputation independent of IP addresses

DKIM Record Structure

DKIM records are published as TXT records at:

{selector}._domainkey.{yourdomain.com}

Key Components

Component  | Description                                                      | Example
Selector   | Identifies which key to use                                      | default, google, mailchimp
Public Key | The cryptographic public key (base64-encoded DER)                | p=MIGfMA0GCSqGSIb3...
Version    | DKIM version (usually v=DKIM1)                                   | v=DKIM1
Key Type   | Signing key algorithm                                            | k=rsa
Key Length | Minimum 1024-bit (2048-bit recommended); set by the key in p=    | 2048-bit RSA modulus
Hash       | Optional h= tag listing the hash algorithms the key may be used  | h=sha256
           | with (this tag is not the key length)

Step-by-Step Setup Guide

Step 1: Choose Your DKIM Selector

Selectors allow you to use multiple DKIM keys for different services:

  • default - General purpose
  • google - Google Workspace
  • mailchimp - Mailchimp campaigns
  • sendgrid - SendGrid transactional

You can use any name, but descriptive names help with organization.

Step 2: Generate DKIM Keys

Option A: Using Your Email Provider

Most email providers generate keys for you:

Google Workspace:

  1. Admin Console → Apps → Google Workspace → Gmail
  2. Authenticate email → Select domain
  3. Generate new record → Copy public key

Microsoft 365:

  1. Security & Compliance → DKIM
  2. Select domain → Enable DKIM
  3. Copy CNAME records (Microsoft manages keys)

SendGrid/Mailchimp:

  • Keys generated automatically in domain settings
  • Copy provided DNS records

Option B: Generate Your Own Keys

For custom implementations, generate RSA keys:

# Generate 2048-bit RSA key pair
openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout -out public.key

Extract the public key for DNS (remove headers/footers):

# Extract public key content (the output is the value of the p= tag)
openssl rsa -in private.key -pubout -outform DER | openssl base64 -A

Step 3: Create DNS TXT Record

Add a TXT record with the following structure:

Record Details:

Field     | Value
Type      | TXT
Host/Name | {selector}._domainkey
Value     | v=DKIM1; k=rsa; p={your-public-key}
TTL       | 3600 (1 hour) or default

Example DNS Record:

Host: default._domainkey
Type: TXT
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7vbqajDwY...
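Added example, not code from the page or from MailSentinel: a standard-library Python checker that parses the tag=value list of a DKIM TXT record like the one above and measures the RSA key inside p= (the "key length and validity" check of Step 5), flagging a wrong v= tag, an empty (revoked) p=, undecodable key data and keys below a chosen minimum. The sample key is constructed inline from a structurally valid but not real 2048-bit modulus; the checker assumes k=rsa.

```python
import base64
RSA_OID_NULL = bytes.fromhex("06092a864886f70d0101010500")  # rsaEncryption OID + NULL params
def der(tag, payload):  # encode one DER TLV; long length form once payload >= 128 bytes
    n = len(payload)
    if n < 128:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def make_spki(modulus, exponent=65537):  # SubjectPublicKeyInfo DER, as openssl -pubout -outform DER emits
    # a leading zero byte keeps each INTEGER positive when its top bit is set
    der_int = lambda x: der(0x02, x.to_bytes(x.bit_length() // 8 + 1, "big"))
    rsa_key = der(0x30, der_int(modulus) + der_int(exponent))
    return der(0x30, der(0x30, RSA_OID_NULL) + der(0x03, b"\x00" + rsa_key))

def tlv(buf, pos=0):  # decode one DER TLV at pos -> (tag, value bytes, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):  # walk SPKI -> BIT STRING -> RSAPublicKey, return modulus size
    _, body, _ = tlv(spki)                 # outer SEQUENCE
    _, _, after_alg = tlv(body)            # AlgorithmIdentifier, skipped
    _, bits, _ = tlv(body, after_alg)      # BIT STRING wrapping RSAPublicKey
    _, rsa_key, _ = tlv(bits[1:])          # drop the unused-bits octet
    _, modulus, _ = tlv(rsa_key)           # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()

def parse_tags(record):  # tag=value list; whitespace inside values (joined DNS strings) dropped
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def check_dkim_record(record, minimum_bits=1024):  # [] means the record looks usable (k=rsa assumed)
    tags, problems = parse_tags(record), []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but must be DKIM1 when present
        problems.append("v= must be DKIM1 (not %s)" % tags["v"])
    if not tags.get("p"):  # RFC 6376: an empty p= means the key has been revoked
        return problems + ["empty p= tag: key is revoked"]
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except Exception:
        return problems + ["p= is not a valid base64 RSA public key"]
    if bits < minimum_bits:
        problems.append("key is %d bits, below the %d-bit minimum" % (bits, minimum_bits))
    return problems

def record_for_modulus(modulus):  # constructed sample: structurally valid key, not a real one
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(make_spki(modulus)).decode()
```

To check a live record, paste the TXT value your resolver returns into check_dkim_record; a space left by joining multiple DNS strings is tolerated, a stray character inside the base64 is reported.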

Step 4: Configure Your Mail Server

Postfix (Linux)

Postfix itself does not sign mail; it hands each message to a DKIM milter (OpenDKIM listens on port 8891 by default). Edit /etc/postfix/main.cf:

# Hand mail to the DKIM signing milter
milter_protocol = 2
# accept = mail still leaves (unsigned) if the milter is down; tempfail holds it instead
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

The key file, selector and domain are settings of the milter, not Postfix parameters. For OpenDKIM they go in /etc/opendkim.conf:

# DKIM key configuration
Domain      yourdomain.com
Selector    default
KeyFile     /etc/postfix/dkim/default.private
Socket      inet:8891@localhost

Reload Postfix and restart the milter after changing either file.

Microsoft Exchange

  1. Exchange Admin Center → Protection → DKIM
  2. Select domain → Enable DKIM
  3. Microsoft automatically configures DNS

Google Workspace

  1. Admin Console → Apps → Google Workspace → Gmail
  2. Authenticate email → Select domain
  3. Enable DKIM signing
  4. Add DNS record provided

Step 5: Verify DKIM Setup

Using MailSentinel

  1. Go to your domain in MailSentinel
  2. Click Check DNS
  3. Verify DKIM records are detected
  4. Check key length and validity

Manual Verification

Send a test email and check the headers of the copy that arrives:

# Send test email
echo "Test DKIM" | mail -s "DKIM Test" your-email@example.com

# In the received message, look for the signature your server added and the
# verdict the receiving server added (sample values; d= and s= must match your
# domain and selector, and header.d= in the verdict echoes the signature's d=):
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; s=default; ...
Received-SPF: pass
Authentication-Results: example.com;
  dkim=pass header.d=yourdomain.com;

Common DKIM Configurations

Google Workspace

DNS Record:

Host: google._domainkey
Type: TXT
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

Configuration:

  • Selector: google
  • Key length: 2048-bit
  • Algorithm: RSA-SHA256

Microsoft 365

Microsoft uses CNAME records instead of TXT:

Host: selector1._domainkey
Type: CNAME
Value: selector1-yourdomain-com._domainkey.onmicrosoft.com

SendGrid

DNS Record:

Host: s1._domainkey
Type: TXT
Value: k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

Mailchimp

DNS Record:

Host: k1._domainkey
Type: TXT
Value: k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

Multiple DKIM Keys (Selectors)

You can use multiple selectors for different services:

default._domainkey.yourdomain.com    → General email
google._domainkey.yourdomain.com     → Google Workspace
mailchimp._domainkey.yourdomain.com  → Mailchimp campaigns
sendgrid._domainkey.yourdomain.com   → SendGrid transactional

Benefits:

  • Separate keys per service
  • Easier key rotation
  • Better security isolation

DKIM Alignment for DMARC

For DMARC to pass, the DKIM signing domain (the d= tag of the signature) must align with your From: domain. Relaxed alignment is the DMARC default:

Relaxed Alignment (default)

  • DKIM signing domain: mail.yourdomain.com
  • From: domain: yourdomain.com
  • Result: ✅ Passes (subdomain alignment)

Strict Alignment

  • DKIM signing domain: yourdomain.com
  • From: domain: yourdomain.com
  • Result: ✅ Passes (exact match)

Misalignment Example

  • DKIM signing domain: otherdomain.com
  • From: domain: yourdomain.com
  • Result: ❌ Fails DMARC
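Added example, not code from the page or from MailSentinel: a Python check of DKIM alignment in both modes, run over the dkim= entries of an Authentication-Results header like the one in Step 5. It also covers the multiple-signature case from the troubleshooting section: DMARC is satisfied by one signature that both verifies and aligns, so a second signature from another domain is harmless. The organizational-domain helper is a two-label approximation; real verifiers use the Public Suffix List. The sample header is constructed.

```python
import re

# dkim=<result> ... header.d=<signing domain>, as verifiers write it in Authentication-Results
AR_DKIM = re.compile(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", re.IGNORECASE)

def dkim_results(auth_results):
    """Return (signing domain, result) pairs found in an Authentication-Results header."""
    return [(d.lower(), r.lower()) for r, d in AR_DKIM.findall(auth_results)]

def organizational_domain(domain):
    """Approximation: the last two labels. DMARC verifiers use the Public Suffix List,
    so domains under public suffixes such as co.uk need the real list."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_aligned(from_domain, signing_domain, mode="relaxed"):
    """Strict (adkim=s): exact match. Relaxed (adkim=r, the default): same organizational domain."""
    if mode == "strict":
        return from_domain.lower() == signing_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(signing_domain)

def dmarc_dkim_pass(from_domain, auth_results, mode="relaxed"):
    """True when at least one signature both verified (dkim=pass) and aligns with From:."""
    return any(result == "pass" and dkim_aligned(from_domain, d, mode)
               for d, result in dkim_results(auth_results))

# Constructed sample: two signatures, only the second comes from the sender's own domain
SAMPLE_AR = ("example.com; spf=pass smtp.mailfrom=yourdomain.com; "
             "dkim=pass header.d=otherdomain.com header.s=k1; "
             "dkim=pass header.d=mail.yourdomain.com header.s=default")
```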

Troubleshooting Common Issues

Issue 1: DKIM Signature Not Present

Symptoms:

  • No DKIM-Signature header in emails
  • Authentication shows "none"

Solutions:

  1. Verify DKIM signing is enabled on mail server
  2. Check mail server configuration
  3. Restart mail server after configuration changes
  4. Verify emails are sent through configured server

Issue 2: Invalid Signature

Symptoms:

  • dkim=fail in authentication results
  • Signature verification errors

Solutions:

  1. Verify DNS record is published correctly
  2. Check public key matches private key
  3. Ensure no extra spaces or line breaks in DNS record
  4. Verify selector matches DNS record name
  5. Check key hasn't expired or been rotated

Issue 3: Key Too Short

Symptoms:

  • Warnings about key length
  • Some providers reject emails

Solutions:

  1. Generate new 2048-bit keys (minimum 1024-bit)
  2. Update DNS with new public key
  3. Update mail server with new private key
  4. Wait for DNS propagation

Issue 4: DNS Propagation Delays

Symptoms:

  • DKIM check fails immediately after setup
  • Intermittent failures

Solutions:

  1. Wait 15-60 minutes for DNS propagation
  2. Check DNS from multiple locations
  3. Reduce TTL before making changes
  4. Use dig or nslookup to verify DNS

Issue 5: Multiple DKIM Signatures

Symptoms:

  • Multiple DKIM-Signature headers
  • Confusion about which key to use

Solutions:

  1. This is normal - each server can sign
  2. DMARC checks all signatures
  3. Ensure at least one aligns with From: domain
  4. Remove unnecessary signatures if possible

Best Practices

1. Use 2048-Bit Keys

  • Minimum: 1024-bit (required by Google/Yahoo)
  • Recommended: 2048-bit for better security
  • Future-proof: Consider 4096-bit for long-term use

2. Regular Key Rotation

Rotate keys every 6-12 months:

  1. Generate new key pair
  2. Add new DNS record with new selector
  3. Update mail server to use new key
  4. Monitor for issues
  5. Remove old DNS record after 30 days

3. Monitor DKIM Signing

  • Check authentication headers regularly
  • Use MailSentinel to track DKIM pass rates
  • Set up alerts for signing failures

4. Document Your Setup

Keep records of:

  • Selector names and purposes
  • Key generation dates
  • DNS record locations
  • Mail server configurations

5. Test Before Production

  • Send test emails to multiple providers
  • Verify headers in Gmail, Outlook, Yahoo
  • Use Mail-Tester for comprehensive checks

DKIM and Email Providers

Google & Yahoo Requirements (2024)

Bulk senders (5,000+ emails/day):

  • ✅ DKIM required (along with SPF)
  • ✅ Minimum 1024-bit keys
  • ✅ DMARC must pass (DKIM alignment required)

All senders:

  • ✅ SPF or DKIM required
  • ✅ 1024-bit minimum key length

Microsoft Outlook Requirements (2025)

Bulk senders:

  • ✅ SPF and DKIM required
  • ✅ DMARC policy required
  • ✅ DKIM alignment with From: domain

Next Steps

After setting up DKIM:

  1. Configure SPF - Set up SPF records
  2. Set Up DMARC - Configure DMARC policy
  3. Monitor Authentication - Track pass rates
  4. Set Up Alerts - Get notified of issues
