What is DKIM record and how DKIM works

In this blog you will learn what a DKIM record is and how DKIM works, how to analyze DKIM logs in an email header, and how to troubleshoot a DKIM record.


What is DKIM record

A DKIM (DomainKeys Identified Mail) record is a DNS record used to implement DKIM email authentication for a specific domain. It contains the information a recipient needs to verify the authenticity and integrity of emails sent from that domain. In Microsoft 365, the DKIM record you publish is a CNAME record in the domain's DNS that points to the key record Microsoft hosts.

By definition, DKIM is an email security standard designed to make sure that emails are not altered during transmission from source to destination. As soon as an email leaves the sending email server, DKIM signs that email using a private key. DKIM adds a digital signature to the email header, and even if the email is forwarded to a different organization, the signature is preserved within the email header.

A DKIM record typically includes the following components:

  1. DKIM Selector: A selector is a unique identifier that helps distinguish between multiple DKIM keys associated with the same domain. It allows different services or systems within the domain to have their own DKIM keys. The selector is specified as a subdomain in the DKIM record, such as selector._domainkey.example.com.
  2. DKIM Public Key: The DKIM public key is a cryptographic key used to verify the digital signature on emails sent from the domain. It is generated together with a corresponding private key. The public key is published in the DKIM record, and it enables the recipient's mail server to verify the authenticity of emails from the domain.
  3. DKIM Signing Algorithm: The DKIM signing algorithm specifies the cryptographic algorithm used to sign the outgoing emails. The most commonly used algorithm is RSA.

How DKIM works

To enable DKIM (DomainKeys Identified Mail) for a domain, we add 2 CNAME records in our public DNS. Recipient email servers follow these CNAME records to the public key they use to verify whether the email's body was changed during transmission. Once the signature is verified by the recipient email server, DKIM passes and the email is treated as authentic.

Let's assume that we have 2 organizations, ABC.COM and XYZ.COM, and ABC.COM has added DKIM records in its public DNS. When an organization enables DKIM for its domains, the private key is securely stored on Microsoft servers and all emails sent from that organization are digitally signed using this private key. When ABC.COM sends an email, the email is digitally signed with a DKIM signature. When the XYZ.COM email server receives this email, it extracts the DKIM signature from the email header and queries public DNS.


The XYZ.COM email server asks DNS for the public key published by the ABC.COM domain. Once the recipient server has the public key, it validates the email against the signature. If validation succeeds, DKIM passes; if the email was altered during transmission, DKIM fails.

How to create DKIM record

Now let’s understand how we can create DKIM records. Below you can see the syntax of DKIM record.

Host name: selector1._domainkey
Points to address or value: selector1-<domainGUID>._domainkey.<initialDomain>

Host name: selector2._domainkey
Points to address or value: selector2-<domainGUID>._domainkey.<initialDomain>

Before we create a DKIM (DomainKeys Identified Mail) record, we need to know the MX value for the domain for which we want to enable DKIM, and the Office 365 initial domain name of the tenant. For this demo, I will be enabling DKIM for the office365concepts.com domain, which has the MX value office365concepts-com.mail.protection.outlook.com, and the initial domain for my tenant is o365.onmicrosoft.com.

To create the DKIM records, replace <domainGUID> with the domain name as it appears in the MX record, for example office365concepts-com, and replace <initialDomain> with your initial domain name.


Go to your public DNS portal and add 2 CNAME records for these selectors. Once the DKIM records are published in your public DNS and DKIM is enabled for your domain, all outgoing emails will be digitally signed using the private key.
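As an added example (not code from the original post), the following Python derives the two CNAME values from the MX host and initial domain used in this demo, and compares them with what a resolver returned; the function names are my own and the resolver output in the main block is constructed to show a typo in selector2.

```python
import re

# Microsoft 365 MX hosts have the form <domainGUID>.mail.protection.outlook.com
_MX_RE = re.compile(r"^(?P<guid>[a-z0-9-]+)\.mail\.protection\.outlook\.com\.?$", re.I)

def domain_guid_from_mx(mx_host: str) -> str:
    """Extract the domain GUID (e.g. 'office365concepts-com') from the MX host."""
    m = _MX_RE.match(mx_host.strip())
    if not m:
        raise ValueError(f"not a Microsoft 365 MX host: {mx_host!r}")
    return m.group("guid").lower()

def m365_dkim_cnames(domain: str, mx_host: str, initial_domain: str) -> dict:
    """Return {cname_hostname: cname_target} for selector1 and selector2."""
    guid = domain_guid_from_mx(mx_host)
    domain = domain.strip().rstrip(".").lower()
    initial_domain = initial_domain.strip().rstrip(".").lower()
    return {f"{sel}._domainkey.{domain}": f"{sel}-{guid}._domainkey.{initial_domain}"
            for sel in ("selector1", "selector2")}

def check_published_cnames(expected: dict, observed: dict) -> list:
    """Compare expected targets with what a resolver returned ({hostname: target}).
    Returns one message per mismatch; an empty list means DNS matches the plan."""
    problems = []
    for host, target in expected.items():
        got = observed.get(host)
        if got is None:
            problems.append(f"{host}: no CNAME published")
        elif got.strip().rstrip(".").lower() != target:
            problems.append(f"{host}: points to {got}, expected {target}")
    return problems

if __name__ == "__main__":
    expected = m365_dkim_cnames("office365concepts.com",
                                "office365concepts-com.mail.protection.outlook.com",
                                "o365.onmicrosoft.com")
    for host, target in expected.items():
        print(f"{host}  CNAME  {target}")
    # Constructed resolver output: selector2 was entered without the '-com' suffix
    observed = {
        "selector1._domainkey.office365concepts.com":
            "selector1-office365concepts-com._domainkey.o365.onmicrosoft.com.",
        "selector2._domainkey.office365concepts.com":
            "selector2-office365concepts._domainkey.o365.onmicrosoft.com.",
    }
    for problem in check_published_cnames(expected, observed):
        print("PROBLEM:", problem)
```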

How to analyze DKIM logs in email header

Let’s understand how we can analyze DKIM logs in email header.

If you analyze the header of an email signed with DKIM, you will see a DKIM-Signature header with values similar to the ones broken down below.

These header values are added within the email when your outgoing emails are digitally signed with the DKIM private key.

Now let’s break this header and let’s understand what these values mean.

DKIM-Signature indicates that the email is digitally signed with the DKIM private key.
v=1 indicates the version of DKIM used by the server that sent this particular email.
a=rsa-sha256 indicates the algorithm used to sign this particular email. There are 2 supported signature algorithms to sign emails, RSA-SHA1 and RSA-SHA256.
d= indicates the domain name that signed this particular email.
s=selector1 indicates the name of the selector the recipient server will use to look up the public key and validate this email.
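As an added example, not code from the original post, here is how a receiving server breaks this header down: the DKIM-Signature below is constructed (its bh= and b= values are placeholders, not real hash or signature data), and the functions, which are my own, parse the tag list, derive the DNS name the recipient queries for the public key, and run a few sanity checks before any lookup or cryptography.

```python
# Constructed sample header, folded as it would appear in a raw message.
# The bh= and b= values are placeholders, not real hash or signature data.
SAMPLE_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
    " d=office365concepts.com; s=selector1;\r\n"
    " h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;\r\n"
    " bh=PLACEHOLDERBODYHASH=;\r\n"
    " b=PLACEHOLDERSIGNATURE="
)

def parse_dkim_signature(header: str) -> dict:
    """Split the header's tag=value list into a dict, unfolding line breaks
    and dropping whitespace inside values (legal inside b= and bh=)."""
    name, _, value = header.partition(":")
    if name.strip().lower() != "dkim-signature":
        raise ValueError("not a DKIM-Signature header")
    tags = {}
    for item in value.replace("\r\n", " ").split(";"):
        if not item.strip():
            continue  # a trailing ';' leaves an empty item
        tag, _, val = item.partition("=")
        tags[tag.strip()] = "".join(val.split())
    return tags

def dkim_dns_name(tags: dict) -> str:
    """The name the recipient server queries for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def signature_issues(tags: dict) -> list:
    """Cheap sanity checks worth running before any DNS lookup or crypto."""
    issues = []
    for required in ("v", "a", "d", "s", "h", "bh", "b"):
        if required not in tags:
            issues.append(f"missing required tag {required}=")
    if tags.get("v") != "1":
        issues.append("unsupported DKIM version")
    if tags.get("a") == "rsa-sha1":
        issues.append("rsa-sha1 is deprecated (RFC 8301); expect verifiers to reject it")
    elif tags.get("a") not in ("rsa-sha256", "ed25519-sha256"):
        issues.append(f"unknown algorithm {tags.get('a')!r}")
    signed = [h.strip().lower() for h in tags.get("h", "").split(":")]
    if "from" not in signed:
        issues.append("From header is not covered by the signature")
    return issues

if __name__ == "__main__":
    tags = parse_dkim_signature(SAMPLE_HEADER)
    print("public key lookup:", dkim_dns_name(tags))
    print("issues:", signature_issues(tags) or "none")
```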

Manage DKIM record using PowerShell

Here are some PowerShell commands you can use to manage DKIM in Exchange Online (connect first with Connect-ExchangeOnline from the Exchange Online PowerShell module):

# View the current DKIM configuration for a domain
Get-DkimSigningConfig -Identity "yourdomain.com"

# Enable DKIM signing for a domain
Set-DkimSigningConfig -Identity "yourdomain.com" -Enabled $true

# Disable DKIM signing for a domain
Set-DkimSigningConfig -Identity "yourdomain.com" -Enabled $false

# Create the DKIM signing configuration for a domain that does not have one yet
New-DkimSigningConfig -DomainName "yourdomain.com" -Enabled $true

# Rotate the DKIM keys; Exchange Online switches signing to the other selector (selector1/selector2)
Rotate-DkimSigningConfig -Identity "yourdomain.com"

Troubleshoot DKIM record

If you’re experiencing issues with your DKIM record, here are some troubleshooting steps you can follow:

  1. Verify DKIM Record Configuration:
    • Check the DKIM DNS record for your domain and ensure that it is correctly set up.
    • Confirm that the selector used in the DKIM record matches the selector specified in your DKIM signing configuration.
    • Ensure that the public key in the DKIM record matches the corresponding private key used for signing outgoing emails.
  2. Check DNS Propagation:
    • After making changes to the DKIM DNS record, allow some time for DNS propagation to take place. It may take up to 24-48 hours for the changes to propagate fully.
  3. Validate DKIM Signature:
    • Use online DKIM validation tools to verify the DKIM signature on outgoing emails. These tools can help identify any issues with the DKIM configuration or record.
  4. Review DKIM Signing Configuration:
    • Check the DKIM signing configuration in your email service provider or mail server settings.
    • Ensure that DKIM signing is enabled for your domain.
    • Verify that the correct DKIM private key is being used for signing.
  5. Check SPF and DMARC Records:
    • SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance) records work in conjunction with DKIM to authenticate emails.
    • Confirm that your SPF and DMARC records are correctly configured and align with your DKIM settings.
  6. Monitor Email Deliverability and Spam Filters:
    • If emails are not being delivered or are landing in recipients’ spam folders, it could be due to DKIM-related issues.
    • Check the email deliverability and review spam filter settings to ensure that DKIM authentication is properly passing.
  7. Review Logs and Error Messages:
    • Check the logs or error messages in your email service provider or mail server for any DKIM-related errors or warnings.
    • Look for specific error codes or messages that can provide insights into the cause of the issue.

Conclusion

In this blog you learned what a DKIM record is and how DKIM works. You might also like our other articles on How SPF record works and How to troubleshoot Exchange Online Mail Routing.

If you found this article helpful and informative, please share it within your community and do not forget to share your feedback in the comments below. Please join us on our YouTube channel for the latest videos on Cloud technologies and join our Newsletter for the early access of the blogs and updates.

FAQ

What is DKIM record?

DomainKeys Identified Mail (DKIM) is an email security standard which is designed to make sure that emails are not altered during the transmission from source to destination.

How does DKIM work?

As soon as you send an email, DKIM uses public-key cryptography to sign that email with a private key. The recipient server uses the public key of the DKIM record to validate the signatures. If validation is successful, DKIM passes else it fails.

What is the difference between SPF and DKIM?

SPF record validates the sending server against the IP address or the Fully Qualified Domain Name (FQDN) mentioned within the SPF record of the sender’s domain. Whereas DKIM signs the emails with digital signatures to make sure the emails are not altered within the transmission.

Does DKIM encrypt emails?

No. DKIM only signs emails digitally; it doesn't encrypt email content. If your requirement is to encrypt email content, then you should use Office 365 Message Encryption (OME) or S/MIME.

Happy Learning!!