DKIM Setup Guide
Configure DKIM to add cryptographic signatures to your emails, ensuring integrity and authenticity.
What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication method that uses cryptographic signatures to verify that an email was sent by an authorized mail server and has not been modified in transit. The sending server signs emails with a private key, and receiving servers verify the signature using the public key published in DNS.
How DKIM Works
1. Generate keys: create a public/private key pair.
2. Publish the public key: add a TXT record to DNS.
3. Sign emails: the sending server signs each message with the private key.
4. Verify the signature: the receiver checks it with the public key fetched from DNS.
DKIM Record Format
A DKIM record is a TXT record published at selector._domainkey.yourdomain.com. The selector is a unique name that identifies this key.
| Tag | Required | Description | Example |
|---|---|---|---|
| v | Required | Version (always DKIM1) | v=DKIM1 |
| k | Optional | Key type (default: rsa) | k=rsa |
| p | Required | Public key (base64 encoded) | p=MIGfMA0GCS... |
| t | Optional | Flags (y=testing, s=strict) | t=y |
| h | Optional | Acceptable hash algorithms | h=sha256 |
| s | Optional | Service type | s=email |
| n | Optional | Notes (human readable) | n=DKIM key for marketing |
DKIM Signature Header
When an email is signed, a DKIM-Signature header is added to the message with these components:
| Tag | Description | Example |
|---|---|---|
| v | DKIM version | 1 |
| a | Algorithm (signing + hash) | rsa-sha256 |
| d | Signing domain | example.com |
| s | Selector | selector1 |
| h | Signed headers | from:to:subject:date |
| bh | Body hash | base64... |
| b | Signature | base64... |
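The two tables above share one syntax: a `;`-separated list of `tag=value` pairs. As an added example (not code from the original guide), the Python below parses a published key record and a DKIM-Signature header, applies the rules a verifier applies before it even looks at the cryptography (v= must be DKIM1, p= is required and an empty p= means the key was revoked, the signing algorithm in a= must match k= and any h= allow-list, From must be among the signed headers, t=y marks a key as testing), and derives the DNS name the receiver will query. The record, selector, domain and signature values are constructed placeholders; the p= value decodes as base64 but is not a real RSA key.

```python
"""Parse a DKIM key record (DNS TXT) and a DKIM-Signature header and report
why the published key could not be used for that signature.
Added example; the sample record and header below are constructed."""
import base64
import re


def parse_tags(text: str) -> dict:
    """Split an RFC 6376 tag-list into a dict. Tags are ';'-separated,
    whitespace around names/values is ignored, and folding whitespace inside
    base64 values (p=, b=, bh=) is removed. Duplicate tags are an error."""
    tags = {}
    for part in text.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = re.sub(r"\s+", "", value) if name in ("p", "b", "bh") else value.strip()
    return tags


def check_dkim_record(record: str) -> dict:
    """Validate a published key record and return the facts a verifier needs."""
    tags = parse_tags(record)
    if "v" in tags and tags["v"] != "DKIM1":
        raise ValueError("v= must be DKIM1 when present")
    if "p" not in tags:
        raise ValueError("p= is required")
    if tags["p"] == "":
        raise ValueError("p= is empty: key has been revoked")
    try:
        key_der = base64.b64decode(tags["p"], validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        raise ValueError("p= is not valid base64")
    flags = tags.get("t", "").split(":")
    return {
        "key_type": tags.get("k", "rsa"),            # k= defaults to rsa
        "hash_algs": set(tags["h"].split(":")) if "h" in tags else None,
        "testing": "y" in flags,
        "key_bytes": len(key_der),
    }


def dns_name_for(sig_tags: dict) -> str:
    """Where the receiver looks up the key: <selector>._domainkey.<domain>."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"


def check_key_for_signature(record: str, signature_header: str) -> list:
    """Return findings that would stop (or weaken) verification of this
    signature with this key; an empty list means the pair is consistent."""
    sig = parse_tags(signature_header)
    findings = [f"signature missing {t}= tag"
                for t in ("v", "a", "d", "s", "h", "bh", "b") if t not in sig]
    if findings:
        return findings
    if sig["v"] != "1":
        findings.append(f"unsupported signature version v={sig['v']}")
    try:
        key = check_dkim_record(record)
    except ValueError as exc:
        return findings + [f"key record: {exc}"]
    sign_alg, _, hash_alg = sig["a"].partition("-")   # e.g. rsa-sha256
    if sign_alg != key["key_type"]:
        findings.append(f"a={sig['a']} but published key type is {key['key_type']}")
    if key["hash_algs"] is not None and hash_alg not in key["hash_algs"]:
        findings.append(f"hash {hash_alg} not allowed by the record's h= tag")
    if "from" not in [h.strip().lower() for h in sig["h"].split(":")]:
        findings.append("h= must include From")
    if key["testing"]:
        findings.append("key is in testing mode (t=y): receivers treat failures as unsigned")
    return findings


# Constructed sample values: the p= value is base64 of placeholder bytes, not
# a real key, and the b=/bh= values are placeholders too.
SAMPLE_P = base64.b64encode(b"placeholder-not-a-real-rsa-key").decode()
SAMPLE_RECORD = f"v=DKIM1; k=rsa; h=sha256; t=s; p={SAMPLE_P}"
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; d=example.com; s=selector1; c=relaxed/relaxed;\r\n"
    " h=from:to:subject:date; bh=cGxhY2Vob2xkZXI=; b=cGxhY2Vob2xkZXI="
)

if __name__ == "__main__":
    print("lookup:", dns_name_for(parse_tags(SAMPLE_SIGNATURE)))
    print("findings:", check_key_for_signature(SAMPLE_RECORD, SAMPLE_SIGNATURE))
```

`check_key_for_signature` is deliberately a pre-check only: it does not fetch DNS or verify the RSA signature, so it can be run against a record you are about to publish to catch the mismatches (wrong k=, a hash excluded by h=, a revoked p=) that show up later as "DKIM signature verification failed".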
Provider-Specific Setup
Most email providers handle DKIM key generation and signing for you. Here is how to enable DKIM for common providers:
Google Workspace
1. Go to Admin console → Apps → Google Workspace → Gmail
2. Click 'Authenticate email' under DKIM authentication
3. Select your domain and click 'Generate new record'
4. Add the TXT record to your DNS
5. Click 'Start authentication' once DNS propagates
Microsoft 365
1. Go to Microsoft 365 Defender → Email & collaboration → Policies
2. Select 'Email authentication settings'
3. Choose your domain and click 'Create DKIM keys'
4. Add the provided CNAME records to DNS
5. Enable DKIM signing for the domain
Amazon SES
1. Go to SES console → Verified identities
2. Select your domain → Authentication tab
3. Under DKIM, click 'Edit'
4. Choose Easy DKIM and select RSA_2048_BIT
5. Add the 3 CNAME records provided to your DNS
Key Rotation
DKIM keys should be rotated periodically (recommended: every 6-12 months) to maintain security. When rotating keys:
- Generate a new key pair and publish it under a different selector
- Publish the new public key in DNS before switching signing to it
- Keep the old key published for a few days after switching, so that messages signed with it that are still in transit or queued can still be verified
Best Practices
- Use 2048-bit RSA keys for stronger security (1024-bit is minimum)
- Sign important headers: From, To, Subject, Date, Message-ID
- Use descriptive selector names (e.g., google2024, ses-main)
- Enable DKIM for all email services that send on your behalf
- Monitor DKIM alignment in DMARC reports
Common Issues
- DKIM signature not found: verify that the mail server is configured to sign outgoing messages.
- DKIM signature verification failed: check that the public key in DNS matches the signing key, and verify DNS propagation.
- Body hash mismatch: the email content was modified in transit. Check for mailing list software or security gateways that modify messages.
- Selector not found: verify that the DNS record is published at the correct location (selector._domainkey.domain.com).
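The "body hash mismatch" case above is the one you can reproduce without any keys: bh= is just a hash of the canonicalized body, so recomputing it shows exactly which in-transit change broke the signature. The Python below is an added example (not code from the original guide) that implements the RFC 6376 simple and relaxed body canonicalizations, recomputes bh= and compares it with the value in a DKIM-Signature header. The message body, the appended gateway footer and the header are constructed; the b= value is a placeholder because the point is the body hash, not the RSA signature.

```python
"""Recompute a DKIM body hash (bh=) and compare it with the signed value.
Added example; the bodies and header below are constructed."""
import base64
import hashlib
import re


def canonicalize_body(body: str, method: str = "simple") -> bytes:
    """Apply RFC 6376 body canonicalization and return the bytes to hash.
    simple:  only trailing empty lines are removed.
    relaxed: runs of spaces/tabs collapse to one space and trailing
             whitespace is stripped on every line, then trailing empty
             lines are removed. Either way the body ends with CRLF."""
    lines = body.split("\r\n")
    if method == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    elif method != "simple":
        raise ValueError(f"unknown body canonicalization: {method}")
    while lines and lines[-1] == "":      # drop trailing empty lines
        lines.pop()
    if not lines:                         # empty body: CRLF (simple) or nothing (relaxed)
        return b"\r\n" if method == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str, method: str = "simple", hash_alg: str = "sha256") -> str:
    """Base64 digest of the canonicalized body, i.e. the bh= value."""
    digest = hashlib.new(hash_alg, canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_body_hash(signature_header: str, body: str) -> bool:
    """True if the body still hashes to the bh= carried in the header.
    c= is header/body; a missing body part means simple."""
    tags = {k.strip(): v.strip()
            for k, v in (p.split("=", 1) for p in signature_header.split(";") if p.strip())}
    body_method = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    hash_alg = tags["a"].partition("-")[2]          # rsa-sha256 -> sha256
    return body_hash(body, body_method, hash_alg) == tags["bh"]


# Constructed message body as the signer saw it.
ORIGINAL_BODY = "Hello team,\r\n\r\nThe report is attached.\r\n"
# Constructed header: bh= is computed here over ORIGINAL_BODY; b= is a placeholder.
SIGNED_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1; "
    f"h=from:to:subject:date; bh={body_hash(ORIGINAL_BODY, 'relaxed')}; b=placeholder"
)
# Constructed change a security gateway might make: appending a footer.
FOOTER = "--\r\nThis message was scanned by a gateway.\r\n"


def diagnose(signature_header: str, received_body: str) -> str:
    """Short verdict a mail admin can act on."""
    if verify_body_hash(signature_header, received_body):
        return "body hash matches: the body is as signed"
    return "body hash mismatch: the body was modified after signing"


if __name__ == "__main__":
    print(diagnose(SIGNED_HEADER, ORIGINAL_BODY))
    print(diagnose(SIGNED_HEADER, ORIGINAL_BODY + FOOTER))
```

Run against a real message, paste the body as received (keeping CRLF line endings) and the DKIM-Signature header: a mismatch after a footer is appended confirms the gateway or list is the culprit, while whitespace-only mangling survives under relaxed canonicalization but not under simple, which is why most signers choose c=relaxed/relaxed.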