What is DKIM? – IONOS

All mail servers attempt to block emails from fake senders. One of the methods to verify the authenticity of the sender is DKIM (DomainKeys Identified Mail), a concept that allows emails to be digitally signed.

What is DKIM?¶

DKIM is based on communication between the sending and receiving mail servers, the end user does not notice anything.

To put it simply, this means that the sending mail server adds a digital signature to the emails it sends. This signature is then verified by the receiving server. To do this, the latter recovers the public key corresponding to the signature of the mail server declared as the sender. In some cases, the following reasons may explain an inconsistency between the public key and the digital signature:

• Email was not sent from the mail server indicated in the email header, but from an unknown fraudulent server.
• The email was amended during transit between the “real” mail server and the recipient. So, for example, a hacker could intercept the email, modify it and then continue sending it to the recipient.

DKIM: how does it work?

To understand DKIM, it is worth looking at the different “components” of its basic concept. Below we have summarized the three main elements of DKIM records.

Hashing¶

Following a defined algorithm, a string of characters is calculated from the content of the email. It is also called the hash value. It is added to the email header. If the hash value does not match, the recipient can be sure that the email in question has been modified.

Asymmetric encryption¶

For the recipient to ensure that the hash value actually comes from the original sender, another element is necessary: ​​the digital signature. Asymmetric encryption is used for sender authentication. It is based on a pair of keys: any element encrypted with key A can only be decrypted with key B. One key is kept secret (“private key”), the other is published (“public key”) .

The procedure is as follows:

1. The sender encrypts the calculated hash value with the private key.
2. It adds the encrypted hash value to the email header as a digital signature.
3. The recipient retrieves the sender’s public key from the domain name server and decrypts the signature.
4. The recipient then recalculates the decrypted hash value: if the calculated hash value matches the decrypted hash value, the email is safe.

TXT record on name server¶

For recipient mail servers to retrieve the sender’s public key, it must be published as a TXT record in the domain’s DNS zone after DKIM configuration.

The DKIM record therefore contains the following elements:

• The version, often encoded with v=DKIM1.
• The encryption algorithm; it is always RSA (k=rsa).
• The public key (p=) ; it is a long string.
• The selector; this varies depending on the supplier. Example : default._domainkey ou k1._domainkey.

The DKIM record can usually only be viewed at the email header level. In fact, not only the domain name is required, but also the selector to be able to find her. This is generally unknown or can only be determined after extensive research.

Create a DKIM record¶

To configure a DKIM record for your own emails, you must first generate a key pair and store it in the correct place on the server. If you operate your own mail server, you can create the necessary keys and entries yourself. Alternatively, most email providers can do this for you as well.

Request DKIM keys from your email provider¶

The exact way depends on your chosen email provider, because DKIM is not supported equally by all providers : some providers only offer DKIM to businesses, other domain providers only offer keys of a certain length. Typically, DKIM keys can be requested through your email provider’s settings or admin console. If in doubt, you can contact support directly.

Create DKIM keys manually¶

To create a DKIM record, you can also manually generate the necessary key pair. For this purpose, various tools are freely available on the Internet, e.g. DKIM Record Generator from EasyDMARC. Enter a selector of your choice above (example: k1) and the desired domain on the right. Then choose the desired key length.

The generator produces a private key and a public key. The private key must be stored on the mail server, the public key must be entered in the DKIM record.

Create a DKIM entry¶

After creating your two DKIM keys, you must drop each one in the correct place. The private key must be stored on the mail server ; for the public key, it will be a Matching DNS entry for your domain. If the key pair was created by your email provider, in most cases the private key is already stored in the correct place.

If you operate your own mail server, you must deposit the private key yourself. Depending on the software you use as an MTA (Mail Transfer Agent), this process may be different.

To publish your public key, you must register it with your domain as a TXT-DNS record. For that, proceed as following :

1. Log in to your domain administration area.
2. Access DNS records.
3. Create a new DNS record of type “TXT” there.
4. Now insert your DKIM hostname in the “Hostname” field. This consists of the selector and the domain and has the following format: selektor._domainkey.exempledomaine.fr. Instead of selektorAnd exempledomaine.fruse the corresponding values.
5. In the “value” field, insert the public key.
6. Save the new entry and wait for your changes to be taken into account by the DNS (this may take up to 2-3 days).

Check DKIM record¶

You can check whether the DKIM record is publicly available using a DKIM checker, for example with the DKIM Record Lookup from EasyDMARC.

However, the easiest way is to send an email to yourself and look at the header. There you will find the entry “DKIM Signature”:

Email marketing with IONOS

Easily reach your target customers with emails with a modern design, relevant content thanks to artificial intelligence (AI) functions and GDPR compliant.

Manage your contacts

Create your emails

Personalize your shipments