DKIM - What It Is, How to Set It Up, and Why It’s Important

DKIM is an email authentication protocol that can bring you higher open rates for your email outreach.

The added security DKIM offers increases your chances of landing in the inbox.

In this guide, we’ll provide all you need to know about DKIM:

• What DKIM is
• Why you need it if you’re doing email outreach
• How to set it up
• And we’ll answer the most common questions regarding DKIM

What Is DKIM? 🪪

DKIM means DomainKeys Identified Mail.

It’s an email security protocol that primarily checks if an email has been tampered with during transit.

Additionally, it verifies if the email sender is authorized to send from that sending domain, providing an extra layer of security and trustworthiness.

Authentication takes place through two cryptographic keys.

The first is the public key, which is part of your DKIM record, and the second is the private key only ESPs can access.

The sending email server adds a signature to any outgoing email, which the receiving server can validate using the DKIM record associated with the sending domain.

To understand DKIM better, read our articles on what DKIM is and on how DKIM works.

What is a DKIM Record?

A DKIM record is a line of text you must add to your domain’s DNS records. It contains the public cryptographic key used for authentication.

The DKIM public keys are made available by your email server provider.

They normally have an option to generate a DKIM string/Public key.

You must then have to add that line to your domain provider’s DNS settings to create the DKIM record.

The complete record should look like this:

subdomain.yourdomain.com. | CNAME | uXXXXXXX.wlXXX.youresp.com

The first field is your DKIM selector, the second field is the DNS record type (CNAME in this case, but it can also be a TXT record), and the last part is the public key, which your provider supplied.

Why Do You Need to Set Up Your DKIM?

You need to set up your DKIM to:

1. ➡️ Verify your sender identity: DKIM checks if emails are genuine and haven't been tampered with, preventing email spoofing and forging.‍
2. ➡️ Boost your sender reputation: Setting up your DKIM ensures that your emails are delivered, protects your sender reputation, and helps you avoid spam.‍
3. ➡️ Prevent bad guys from abusing your sending domain: Without DKIM, it’s easier for criminals to use your email to commit cyber crimes like phishing attacks.
4. ➡️ Comply with security rules: DKIM works with other DNS records like SPF and DMARC to protect your email, ensuring you follow industry or regional authentication standards.

How to Set up a DKIM Record 📝

DKIM reduces your chances of landing in spam because it confirms you're the real sender and not a spammer.

Setting up a DKIM usually starts with your email provider.

It’s there where you must generate the DKIM key.

The next step is to add the key to your domain DNS records. Every domain provider has a setting for this.

Once added, you can go back to your email provider's account and enable DKIM.

For more specific instructions check out our guide on how to set up DKIM.

It offers step-by-step guidelines for:

• ➡️ Setting up DKIM for Google Workspace
• ➡️ Setting up DKIM on GoDaddy
• ➡️ Setting up DKIM on Namecheap
• …and more email and domain providers.

Common DKIM questions

1. What is the DKIM email authentication key? 🔑

In DKIM, the email authentication "key" refers to a pair of cryptographic keys: a private key and a public key.

1. 🔐 Private Key: This is kept secret by the sending server. Every sender's emails are signed with this key.
2. 🗝️ Public Key: This is published in your DNS records as a sender. Your audience's server retrieves this key to verify the digital signature attached to your email.

When your DKIM is correctly set up, the sending server signs the email using the private key.

When the email is received, the receiving server finds the corresponding public key in the DNS records of the sending domain and uses it to verify the digital signature.

If the signature is valid, it indicates that your email is legitimate and helps you avoid spam.

2. Can You Have Multiple DKIM Records?

Yes, you can have multiple DKIM records for a domain.

This is often necessary if you use multiple email service providers.

Each provider will have its unique DKIM signature, and you'll need to add each one to your DNS.

3. How to set up multiple DKIM records? 📝

Multiple DKIM records are typically used when you have different sending sources or third-party services that send emails on behalf of your domain. Each sender or service can have its own unique DKIM selector and corresponding record.

Here's how to set up multiple DKIM records:

1. Determine the Need for Multiple DKIM Records:

You might need multiple records if you're using various email services (like Mailchimp, SendGrid, etc.) or multiple internal sending systems, and you want each to have its own DKIM signature.

2.  Choose a Selector for Each DKIM Record:

The selector is a string used to differentiate between different DKIM records in your domain's DNS. For example, if you use Mailchimp and SendGrid, you might choose selectors like Mailchimp and Sendgrid.

3. Generate the DKIM Keys:

Most third-party email services will provide you with the necessary DKIM information to set up your DKIM record. If you're setting it up internally, you'll need to use tools or software to generate the DKIM key pair.

4. Add DKIM Records to DNS:

With your selector and DKIM information in hand, you'll create TXT or CNAME records in your domain's DNS.

The name of the record typically follows the format: selector._domainkey.yourdomain.com.

The value of the TXT record will be the public key provided by the email service or generated by your tool.‍

5. Test the Setup:

After setting up the DKIM records, it's a good idea to send test emails to ensure they're being correctly signed and that recipients can validate the signatures.

6. Rotate and Maintain:

For security reasons, periodically rotate your DKIM keys. This involves generating new keys, updating your DNS records, and updating the sending service to use the new private key.

By following these steps for each sending source or service, you can maintain multiple DKIM records for a single domain, enhancing the deliverability and trustworthiness of the emails you send.

4. What is the difference between SPF and DKIM? ⁉️

While both aim for secure email communication, their mechanisms and purposes differ. Both SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are technical settings that help you verify your identity as a sender.

What's the difference in their purpose?

SPF ➡️ This method allows the domain owner to specify which servers are sanctioned to send emails for a domain.

DKIM ➡️ Using cryptographic signatures, DKIM ensures that an email is genuinely from the claimed domain and that its data remains unchanged in transit.

What's the difference in their mechanism?

SPF ➡️ The domain owner lists authorized servers in DNS using a TXT record. When the recipient's server receives an email, it queries this record to verify if the email came from an allowed server.

DKIM ➡️ The sending server appends a DKIM-signature header field to the email. This signature is a hash created using a private key. The recipient, or verifiers, retrieve the domain's cryptographic public key from the DNS to validate this signature.‍

What's the difference in their fields and selectors?

SPF ➡️ This method operates based on the "MAIL FROM" domain.

DKIM ➡️ The DKIM header contains several tags. One crucial tag is the "selector" (often called the DKIM selector), which helps the receiver locate the appropriate DKIM record in the DNS for signature verification.‍

What's the difference in their limitations?

SPF ➡️ It checks only the envelope sender, not the visible "From" header, potentially allowing some spoofing instances.

DKIM ➡️ While it verifies the integrity of the email content, it doesn't inherently specify which servers are authorized to send emails from the domain.

Other Components of Your Technical Setup 🧩

As you probably know, with just a DKIM record, your technical setup isn’t complete yet.

You also need to set up your:

• SPF records
• DMARC records
• MX records
• Custom Tracking Domain

A well-configured technical setup will help you stay out of the spam folder.

Use our email authentication checker to check if your authentication records are in order.

Finally, another must-do is email warm-up.

If your email address or sending domain is new, it lacks a good sender reputation to get acceptable open rates.

Email warm-up services like lemwarm warm up your email by gradually increasing sending volume and frequency.

All of lemwarm’s features have been designed to help you land in the inbox.