What is DKIM?

If all it took to keep your email outreach from landing in spam was one simple step, would you take it?

DomainKeys Identified Mail (DKIM) is that step. 

In tandem with SPF and DMARC, DKIM works to ensure robust email deliverability. Along with keeping your outbound emails out of spam, it also prevents malicious parties from impersonating you.

Here’s a closer look at what DKIM is, how it works, and how you can set it up.

What is DKIM?

DomainKeys Identified Mail is one of a trio of email authentication and security protocols that work together to protect your emails from tampering and spoofing: SPF, DMARC, and DKIM. 

As implied by its name, DKIM verifies that this email truly comes from your domain and hasn’t been altered or tampered with in transit.

So how does DKIM work?

In simple terms, DKIM uses a string of text known as a key to authenticate your email.

And just like there are two sides to every coin, there are two keys to every DKIM:

• Private key – The private key is kept secret by the sender’s server. A signature is then applied to every email from the sender using this key.
• Public key – The public key is published in the sender’s DNS records so that recipients’ servers can access the key to check and verify the sender’s signature.

The DKIM verification process is like running a person’s fingerprints in a database.

Similar to the private key, a person’s fingerprints are unique and can only be provided by the person. And like the public key, authorities can access a database to check the validity of the person’s fingerprints. If the prints match, then the identity is confirmed. 

And in DKIM, the receiver’s mail server will access the public key to verify the private key and confirm the authenticity of an email. If the check passes, your email proceeds to the recipient’s inbox.

If an email arrives without a DKIM signature, chances are it’s not actually from the person who supposedly sent it. 

When this happens, your email service provider (ESP) follows a policy that outlines the next step, which is usually forwarding the email to spam or blocking it. 

You can specify your own policy and get better insights into your email deliverability by setting up DMARC for your domain.

What is a DKIM signature?

The DKIM signature is an encrypted header that’s added to your email. This header is invisible to your recipient, but it can be read by their mail server. 

A DKIM signature contains all the information a server needs to validate your message:

• Your domain name
• Your email address
• The DKIM version used by your mail server
• The public key

You can protect your emails with a DKIM signature only when you have a public key that can be used to verify it.

What is a DKIM record?

A DKIM record is a specially formatted line of text that stores the public key. A recipient’s email server will use the DKIM record to verify your DKIM signature.

A DKIM record consists of the following:

• Record name
• Record version
• Key type
• The key itself

With most Domain Name System (DNS) providers, you can view your DKIM record in the DNS Settings menu.

How does DKIM work?

The process of DKIM encryption and verification has three stages:

• Setting up the private/public DKIM key pair
• Sending a signed DKIM message
• Verifying a signed DKIM message

DKIM works using a private/public key pair. 

After you create these, your private key is stored safely on your server or with your DNS provider. The public key is added to the DNS records for your domain so it can be accessed by anyone who needs to verify your email.

Unless you run your own mail server, you will create a private DKIM key with your DNS provider and store it on their servers. 

Whenever you send a message, your DNS provider will use your private key to create a unique DKIM signature and add it to the email header.

The receiver’s mail server will validate the DKIM signature by checking if:

• It uses the same DKIM version as the sending server
• The sender’s domain matches the one in the signature
• The sender’s name matches the one in the signature

After this, the receiving server requests the public DKIM key and uses it to decrypt the signature. 

The server computes a hash from the data, similar to a teacher checking a student’s homework. Then, it compares this hash with the one in the DKIM signature. If they match, the email’s authenticity is confirmed and the message passes DKIM.

Why is DKIM important?

On February 1, 2024, Google mandated DKIM and Sender Policy Framework (SPF) for everyone sending emails to Gmail accounts. But even when DKIM isn’t mandatory, setting it up gets you a range of benefits.

Greater email security and trust

Using DKIM establishes you as a reputable sender. Your emails will be generally perceived as safe by your prospects and customers, which can improve your open rate.

Neglecting DKIM can be detrimental to your long-term customer relationships. When your emails go to spam or junk, the recipient either misses them entirely or has to root around to find them. Over time, they’ll disengage.

Improved email deliverability

Enabling DKIM improves your domain reputation with internet service providers (ISPs). When you send emails that seldom (if ever) bounce or get sent to spam, the algorithms adjust to view your domain more favorably so that your next campaigns enjoy higher deliverability.

Protection against spoofing and phishing

Adopting DKIM and its partner email protocol SPF makes it more difficult for malicious parties to pose as you. 

The email’s subject line and body are protected by a DKIM signature. When the signature is invalid or absent, this immediately flags the email as suspicious to the receiving server.

DMARC compliance

Another reason to adopt DKIM is to comply with Domain-based Message Authentication, Reporting, and Conformance (DMARC) requirements. When your recipient uses DMARC, all messages that fail the DKIM check might automatically get flagged as spam.

Challenges in implementing DKIM

There are several reasons why DKIM can fail.

Here are a few of them.

DNS Records aren’t properly set up

DKIM verifies the identity of an email’s sender by adding a signature that’s cryptographically linked to the sender’s domain.

However, if the domain’s DNS record isn’t set up correctly, DKIM can fail. This can be fixed by adding a unique “DKIM-Signature” record to the DNS record.

Incorrect or unauthorized sender

SPF records are used to determine if an email is spoofed. This means that if the email doesn’t have an SPF record or the SPF record lacks the sender’s domain, the sender ID check will fail, leading DKIM to also fail.

Similarly, if the sender isn’t authorized, DKIM will also fail as the email won’t get authenticated.

Key management

One of the top reasons why DKIM fails is simpler key mismanagement. Mixing up keys, incorrectly pasting keys, and similar errors will cause DKIM to fail. This is avoided by simply handling keys appropriately.

How do I add a DKIM record to my domain?

Generally speaking, adding a DKIM record to your domain involves going through several steps:

• Generating a DKIM key pair
• Accessing your domain’s DNS settings
• Adding a TXT record for DKIM
• Saving changes
• Verifying the DKIM setup

(Walkthrough) How to set up DKIM

The DKIM set-up process varies slightly for different mail providers, but here’s a closer look at how to set up DKIM.

Generate DKIM keys

Like we mentioned earlier, your first step is to generate DKIM keys. Most email providers like Google and Microsoft come with built-in tools for creating DKIM keys.

In Squarespace, you can do it by simply choosing your domain in the Selected domain menu (Admin console > Apps > Google Workspace > Gmail > Authenticate email > Selected domain) and clicking Generate new report. 

For other providers, follow their specific instructions.

You will need to choose the DKIM key bit length. Go for 2048 if your provider supports it as a longer key is safer. When that’s not an option, your emails will be reasonably secure with 1024.

After you obtain your public DKIM key, copy its value for the next step.

Add the DKIM record to DNS

This step is pretty straightforward. Open your domain host’s DNS setting. In the DNS records section, add a new .txt record and insert the value you copied in the previous step. 

Congratulations! You’ve set up your public DKIM key.

Note that you’ll need to wait 48 hours (or more if specified by your mail provider) before proceeding to the next step.

Configure your email server to sign outgoing emails

Again, if you’re using a server other than Squarespace, check their instructions on adding a DKIM signature to your emails. 

With Google, just go back to the Selected domain menu, choose your domain, and click Start Authentication. Then, look at the status at the top of the page. When it changes to Authenticating email with DKIM, you’re all set. 

In Microsoft 365, you simply need to toggle the option Sign messages for this domain with DKIM signatures.

And you’re set! With DKIM, your outbound emails are safer from spoofing, and mail servers are less likely to automatically block your outreach. However, any changes may need some time to take effect.

Why DKIM-only isn’t safe enough

While DKIM is a vital part of email security, DKIM only isn’t sufficient to keep your emails secure.

Here are a few reasons why:

• DKIM doesn’t validate the “From” address. Instead, DKIM only verifies that an email’s content wasn’t tampered with. Consequently, attackers can spoof the “From” address when launching phishing attacks.
• DKIM doesn’t ensure message confidentiality. Similarly, DKIM doesn’t encrypt emails, which means that anyone can intercept and read the email’s content if other protocols aren’t active.
• DKIM doesn’t protect all parts of emails. DKIM only secures the email’s body and some headers, which means other elements like the subject line can be altered without causing DKIM to fail.