This article explains:
- What is a DKIM Record?
- How to set up a DKIM record for a domain?
- How can I add a DKIM record?
- How to create multiple DKIM records?
What is a DKIM Record?
DKIM, like SPF, is an open standard for email authentication. DMARC uses it (alongside SPF) to check that a message is aligned with the domain in the From header, and its public key is published in the domain's DNS. It is somewhat more involved to set up than SPF.
DKIM adds a signature header to each email, produced with a public/private key pair. The signature acts as a watermark for the message: a recipient can verify that it originated from the domain indicated and that the signed parts were not altered in transit.
Each DKIM signature is produced with the domain's DKIM key pair and contains all the information a receiving server needs to verify that it is genuine. The sending mail server holds the "private key," which it uses to sign outgoing messages; the receiving mail server or Internet service provider verifies the signature with the other half of the key pair, the "public key." The public key is published as a TXT record in your domain's DNS.
A DKIM selector, carried in the signature header, tells the receiver which public key record to look up in DNS to verify the signature. Additional information about DKIM selectors, including how to determine which ones your domain uses, is available here.
How to set up a DKIM record for a domain?
Make a list of all domains and sending services (marketing campaign platforms, invoice generators and the like, referred to as email service providers or ESPs) that are allowed to send email on your behalf. Contact each of them, tell them you need DKIM configured, and ask for a copy of the public key they will sign with.
Generate the key pairs. There are several options:
- If your organization maintains its email server, it may already support DKIM. Examine the available documentation regarding the generation of public/private keys and the creation of policy records (or check in with your IT staff who are responsible for the server).
- There are a variety of third-party tools available for creating the DKIM entry. It is recommended that you consult your organization’s security policy before utilizing third-party tools.
- The open-source project OpenDKIM can generate keys without involving a third party.
- DKIM keys can also be generated with OpenSSL (see the command-line example below).
How can I add a DKIM record?
- Publish your public key as a text (TXT) record in your DNS. Check whether your DNS provider accepts TXT values longer than 255 characters: a public key often exceeds that limit, so you may need to work with the provider to enter the value as multiple strings or to have them create the TXT record for you.
- Save the private key on your SMTP server / MTA (mail transfer agent), which uses it to sign outgoing mail. Keep it readable only by the mail service; anyone who obtains it can sign mail as your domain.
Can I create multiple DKIM records?
Yes. A domain may publish as many DKIM records (public keys) as it has mail servers. Just make sure each one uses a unique selector name.
How to create multiple DKIM records?
A public key is published by creating a TXT record in DNS whose name is built by concatenating the selector, the literal string ._domainkey, and the domain, in that order.
For instance:
hostname._domainkey.mydomain.com
The following example shows how to generate a key pair using the openssl command-line tool:
openssl genrsa -out mydomain.com.priv 1024
openssl rsa -in mydomain.com.priv -pubout >mydomain.com.pub
The TXT record's content is “v=DKIM1;t=s;n=core;p=” followed by the public key, that is, the base64 body of mydomain.com.pub with the BEGIN/END lines and line breaks removed:
v=DKIM1;t=s;n=core;p=<THE NEWLY GENERATED KEY>
Depending on the nameserver, the semicolons may need to be escaped in its configuration (zone) file.
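The following Python script is an added example, not part of the original article, that carries the two steps above through in code: it takes a PEM public key as printed by openssl rsa -pubout, strips it down to the bare base64 the p= tag needs, builds the selector._domainkey.domain name and the v=DKIM1;t=s;n=core;p= value the article uses, splits the value into the 255-character strings that DNS TXT records require (the reason the 255-character limit matters when you enter the record), and parses the strings back the way a verifier would, rejecting a record with a wrong version tag or corrupt key data and recognising an empty p= as a revoked key. The key bytes are a constructed stand-in of the same length as a real 2048-bit RSA key, not a usable key; the selector hostname and domain mydomain.com are taken from the article's own example.

```python
import base64
import textwrap
from typing import Dict, List

# Constructed stand-in for the DER (SubjectPublicKeyInfo) bytes of an RSA public
# key. A real 2048-bit key encodes to 294 bytes, so the record below has a
# realistic length; the bytes themselves are NOT a usable key.
STANDIN_DER = bytes(range(256)) + bytes(38)

# Wrapped in PEM armour the way `openssl rsa -pubout` prints a public key.
SAMPLE_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + "\n".join(textwrap.wrap(base64.b64encode(STANDIN_DER).decode(), 64))
    + "\n-----END PUBLIC KEY-----\n"
)


def pem_to_p_tag(pem: str) -> str:
    """Turn a PEM public key into the bare base64 that DKIM expects in the p= tag.

    The BEGIN/END lines and the line breaks must go; only the base64 body stays.
    """
    body = "".join(
        line.strip()
        for line in pem.strip().splitlines()
        if not line.startswith("-----")
    )
    # Round-trip through the decoder: a stray character here would silently
    # produce a record that every verifier rejects.
    if base64.b64encode(base64.b64decode(body, validate=True)).decode() != body:
        raise ValueError("public key body is not clean base64")
    return body


def dkim_record_name(selector: str, domain: str) -> str:
    """selector + '._domainkey.' + domain, e.g. hostname._domainkey.mydomain.com."""
    return f"{selector}._domainkey.{domain}"


def dkim_record_value(pem: str, notes: str = "core") -> str:
    """Build the TXT content in the layout the article uses: v=DKIM1;t=s;n=<notes>;p=<key>."""
    return f"v=DKIM1;t=s;n={notes};p={pem_to_p_tag(pem)}"


def split_txt(value: str, limit: int = 255) -> List[str]:
    """DNS TXT RDATA is a sequence of strings of at most 255 octets each.

    A 2048-bit key does not fit in one string, so the value is split and the
    resolver (or verifier) concatenates the pieces back together.
    """
    return [value[i : i + limit] for i in range(0, len(value), limit)]


def zone_line(selector: str, domain: str, pem: str) -> str:
    """Render a zone-file line, one quoted string per 255-octet piece."""
    strings = " ".join(f'"{piece}"' for piece in split_txt(dkim_record_value(pem)))
    return f"{dkim_record_name(selector, domain)}. IN TXT {strings}"


def parse_dkim_record(strings: List[str]) -> Dict[str, str]:
    """Reassemble what a resolver returns and parse the tag=value list.

    Raises ValueError on the problems a verifier would trip over: a missing or
    wrong version tag, a missing p= tag, or key data that is not base64. An
    empty p= is legal and means the key has been revoked, so it is returned
    as-is for the caller to act on.
    """
    tags: Dict[str, str] = {}
    for item in "".join(strings).split(";"):
        item = item.strip()
        if not item:
            continue
        key, sep, val = item.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {item!r}")
        tags[key.strip()] = val.strip()
    if tags.get("v") != "DKIM1":
        raise ValueError("record does not declare v=DKIM1")
    if "p" not in tags:
        raise ValueError("record has no p= tag")
    if tags["p"]:
        base64.b64decode(tags["p"], validate=True)  # raises on corrupt key data
    return tags


if __name__ == "__main__":
    # Prints the zone-file line for hostname._domainkey.mydomain.com, split in two strings.
    print(zone_line("hostname", "mydomain.com", SAMPLE_PEM))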
The above solution will help you to create multiple DKIM records per domain. If not, our technical experts will help you. Contact Us.