The DKIM Record
DKIM is a mechanism to verify the source of a message. It uses public-key cryptography to sign the contents of your email so that anyone who receives it can check whether it has been tampered with in transit. The Name of the DKIM TXT record has the form selector._domainkey.example.com. In this example, the selector names the signing key, and the domain after _domainkey means that we are publishing a key for, and signing on behalf of, example.com.
What is a DNS DKIM Record?
A DKIM record is an entry in your DNS that tells other mail systems how you want your mail to be authenticated. It includes information like your record name, how long you want the record to live, and what key you want to use.
If a sender wants to send you an email message with DKIM authentication, they generate a cryptographic hash of the message and sign it with their private key. They then include this signature as a header when they send the message out, so recipients can verify whether or not it has been tampered with since it left the sender’s server.
How does DKIM authenticate emails?
DKIM uses public key cryptography: the sending server digitally signs each outgoing email message with its private key, and the receiving server verifies that signature with the matching public key published in the sender’s DNS. The signing process adds a DKIM-Signature header field to your email headers. It includes the signing domain and selector, the list of headers that were signed, a hash of the original message body, and details about the algorithm used to hash and sign the message.
The receiving server looks up the public key named by the domain and selector in the header, recomputes the body hash, and checks the signature against the signed headers. If either the body hash or the signature does not match, the message fails DKIM authentication.
Breaking down the DKIM Record Syntax
Let’s first take the example of a DKIM record:

| Record Name | Type | TTL | Record Value |
| --- | --- | --- | --- |
| selector._domainkey.example.com | TXT | 3600 | v=DKIM1;p=QUFBQUIzTnphQzF5YzJFQUFBQURBUUFCQUFBQWdRQ1kwK3piQ0NlSURzOHYvYTQrMmhNNktxdjhYdEFJRXBpNjFFTEVXMVB0UmpSbkMrTm1FcFhvNUhuR1FPZFRXTGhYUFZVN0d5VWRUYUFVQ01pWEtrUDJHVXFVbHRQRXdvZU5QQVVQU09xQTg2Z1c3Q3o5dEh3czBTalp3alllMUxNWWxHVEQ3SjhJQnpCS2dVMmp5ZFJvVGEzbEp1N1l3czZiU1BMclFoN24wUT09IA== |
Record Name: The Name field of a DKIM record is made up of two parts: a DKIM selector and a domain. The selector is a string that identifies which signing key belongs to the sending domain and tells a verifier where to find the matching public key in the domain’s DNS during a DKIM lookup, and it must be unique across all DKIM signing domains. The domain is the DNS zone in which the record is published.
Record Type: This field is the resource record type of your DKIM record. It is usually a TXT (text) record, but it can also be a CNAME (canonical name) record, depending on your provider.
TTL: The time-to-live for your record, measured in seconds, is how long a resolver may keep the record before it expires and has to be fetched again.
Value: Finally, the DKIM value is your public key. Receivers use it to check the signature in your email header, which was produced with the matching private key, and so authenticate your emails.
DKIM Email Header Explained
v=DKIM1; a=rsa-sha256;
d=example.com; s=s1;
h=from:to:subject;
bh=YzJFQUFBQURBUUFCQUFBQWdRQ1kwK3piQ0NlSURzOHYvYTQ=;
b=AptMld5a1djOUJva1hKWjBkYys5MW5FVXNYRUNvSXJZK0pSdGhVaDRDekNjZ2dEQWJ6RFl1QmVWNkgvN3l1M3drdVllSjVjK0gKSHdKQUtzSk1NNDNBZzdLUERXNFZ0K0lqa3pXWStKck56b3UvalFQbGk1M3MxVTF2c0krOElFSW80ci9xM3ZHd3crc2xOdmRjCkc5L1hnZWlvajJMaktJaHN5QT09Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
| DKIM tag | Description |
| --- | --- |
| v | The version of DKIM in use. The value is always 1, which is the latest version in use. |
| a | The algorithm used to hash and sign the message (rsa-sha256 in the header above). |
| d | The domain name of the email sender. |
| s | The selector that names the public key to look up under d (s1 in the header above). |
| h | The email headers used to form the DKIM signature (the From, To and Subject headers in the header above). |
| bh | The DKIM body hash value (bh= tag) is the actual value of the body hash, which is computed from the body of the message. This value is stored in the signed DKIM-Signature header. The body hash value is used to prove that the message body has not been altered since it was signed. |
| b | The DKIM digital signature itself, produced with your DKIM private key over the headers listed in h. The private key never leaves the signing server and is not part of the header. |
A DKIM signature is a digital signature (b= tag) that can be used to verify the authenticity of an email message, as well as its content.