Of the current email authentication mechanisms, SPF, DKIM, and DMARC, DKIM seems to be the most confusing for people. What is a DKIM selector? What are the DKIM tags? How does one create a DKIM record? Is there a good DKIM record generator? Here is a plain English explanation of DKIM, and a breakdown of the anatomy of a DKIM record.

DKIM, which stands for DomainKeys Identified Mail, is one of the three major authentication mechanisms which help to protect email receivers from accepting forged (spoofed) email, and which help to protect email senders from being spoofed. Without such authentication mechanisms, unsuspecting recipients of a spoofed email can be blinded to the fact that a legitimate-looking email that seems to be from their banking institution is really a cleverly disguised phishing email that will steal their credentials and transfer all their money away. When email first became available to everyone, it was really pretty easy to spoof an email like this.

About 20 years ago, concerned about of this vulnerability in the architecture of email, two proposals took shape: Yahoo’s DomainKeys and Cisco’s Identified Internet Mail. Both proposals were based in the use of public key cryptography, which in this context is a method that enables the author of an email to create a verifiable signature that allows anyone to verify that whatever was signed with that verifiable signature wasn’t altered. Looking for broad industry support, in mid-2005 a consortium of Internet companies submitted to the IETF (Internet Engineering Task Force) the draft for the “DomainKeys Identified Mail – DKIM” specification.

DKIM evolved from the works of Yahoo and Cisco, and kept backwards compatibility with the original DomainKeys published data, so as to ensure an ever-increasing adoption rate. Since then, DKIM has been supported by the largest ISPs and mailbox providers, who regularly include its authentication results in their mail processing workflows and, importantly for you, in their inbox placement and spam filtering algorithms.

In conjunction with DKIM, something called ADSP or “Author Domain Signing Practices” was created to allow for a mechanism to signal to the receiving ISPs and inbox providers that they should expect to see a DKIM signature from the sender. As DKIM.org explained it at the time, “Author Domain Signing Practices (or just ‘practices’) consist of a machine-readable record published by the domain of an author which includes statements about the domain’s practices with respect to mail it sends with its domain in the From: line.”

As you may have guessed (although it’s ok if you didn’t, we get that a deep dive into this stuff isn’t everybody’s cup of tea), ADSP has been absorbed into and replaced by DMARC.

How exactly does DKIM Work?

DKIM takes advantage of public key cryptography (hence the ‘K’ in DKIM). Public key cryptography uses a pair of keys to perform its magic. One key, the “private key”, is kept safe by the administrator of the email author’s email server. It cannot be shared in any way because whomever has this key will be able to sign email messages on behalf of the author; in other words it allows them to claim to be the author who actually holds that private key.

For example, if someone got hold of the DKIM private key for `isipp.com`, then that person could send out email claiming to be from `isipp.com` – this would essentially be stealing ISIPP’s email identity, and this is why organizations must be very careful about how their private DKIM key is stored.

The counterpart to the DKIM private key is the DKIM public key. The public key provides anyone with the means to verify that a signature made with the corresponding private key is valid, and that the DKIM-signed contents haven’t been tampered with. As its name implies, the public key is, well, public. This means that it can and should be disseminated as widely as possible. To publish and disseminate the public keys, DKIM uses DNS. This means that any party that wants to validate a signature can easily find the public key in the sender’s DNS records.

(Note that when DKIM is deployed in conjunction with Domain Name System Security Extensions (DNSSEC), the combination of DKIM plus DNSSEC provides a very strong mechanism to protect against spoofing, and so this is considered best practice for organizations such as financial institutions that are likely to be spoofed. DNSSEC also uses public key cryptography, as well creating a “chain of trust” to confirm the ownership and contents of a DNS record. However even without DNSSEC, DKIM is an effective authentication mechanism.)

DKIM from Send to End

When an email sender whose email sending system has DKIM set up hits ‘send’ on an email, their email sending program calculates a cryptographic signature using their private DKIM key. That cryptographic signature is inserted in the outgoing email header, and the message is then sent on to the recipient. At any point along the way any of the email servers through which that email passes can validate that signature using the public key, as can of course the receiving system at the other end. If any part of the message covered by the signature seems suspicious, the signature won’t validate.

This means that spoofed email won’t authenticate, because it does not carry a valid DKIM signature. Using DMARC, it’s possible to tell the receiving system what to do with email messages like this that don’t pass validation; typically you would tell the receiving system on the other end to reject a non-validating message.

How to Set Up DKIM

At this point you can read on to learn all the details of how to set up DKIM and how to create a DKIM record for yourself. Or, if you prefer, you can check out EasyDmarc.com’s free DKIM generator wizard here.

Most email infrastructure elements (Mail Transport Agents, filters, etc) support DKIM directly or via software libraries or utilities that can be deployed. DKIM.org has an up-to-date list of tools that can be used for deployment using a variety of elements.

Regardless of your mail sending architecture, outbound messages will need to pass through a filter that will generate the corresponding signature and store it in the email header as explained above. This is an example of one such set of headers:

h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type; b=Xp/nL93bv6Qo73K…KmskU/xefbYhHUA=

As you can see, this DKIM header is composed of fragments separated by a semicolon. These fragment are also known as “tags”, and the purpose of each fragment is as follows:

* `v=1`: This indicates the DKIM version in use. For the time being this must be “v=1”.

* `a=rsa-sha256`: The algorithm suite that was used to generate the crypto signature. The current specification defines `rsa-sha1` and `rsa-sha256`. The latter is recommended. Note that while the specification leaves room for defining other algorithms, using an algorithm not known to an ISP negates the effect of using DKIM in the first place because the recipient is required to ignore unknown signatures.

* `c=relaxed/relaxed`: The “canonicalization” scheme used to pre-process the headers prior to calculating the crypto signature, to protect against small (and normal) transformations that the headers could be subjected to in transit, such as line folding. The specification provides for two algorithms: “simple”, which means don’t change headers in any way; and “relaxed” that normalizes the headers dealing with character case, whitespace folding and line breaks to try and be more robust when headers are changed in transit. Note that the `c=` fragment defines two algorithms. One is used for processing the headers covered by the signature, the other is used for processing of the message’s body.

* `d=isipp.com`: The domain name of the organization that claims responsibility for issuing this DKIM signature – in this example that is isipp.com. Typically the signing organization is either the ESP sending on behalf of a customer or the email author (domain) itself. Note that a sender responsible for various mail streams can use separate signatures thanks to the “selector”, discussed below.

* `s=sel42`: The “selector” used to find the corresponding public key to validate the signature. The DKIM validator will fetch the public key by issuing a DNS query for the TXT record for that sender. That DNS TXT record will be located at


* `t=1399817581`: The UTC timestamp of signature creation, expressed as the number of seconds since 00:00:00 on January 1st, 1970 (Unix Epoch time).

* `bh=Pl25…dcMqN+E=`: A crypto hash of the body part of the message. Note that an author can choose to protect only a part of the content, by using `l=` to specify the number of octets to consider for generating this hash. This is often used in scenarios where a very large number of signatures must be done and the processing cost of signing the whole messages is prohibitive. Note that by not covering the complete contents, it would be possible for the message to be tampered with without detection.

* `h=Message-ID:Date:Subject:From:…`: The colon-separated list of header lists that were signed. This allows the sender to omit headers that will be changed or stripped by expected mail handling while including headers that are relevant, such as message identifiers, source and destination address, abuse handling information, etc.

* `b=Xp/nL93bv6Qo73K…KmskU/xefbYhHUA=`: The crypto signature data itself, encoded in Base64 and possibly with whitespace inserted to conform to line length limitations.

If you want to get into the truly technical nitty-gritty, RFC-6376 §3.5 contains a detailed description of all the fragments and flags that can be added to customize the extent of protection that DKIM provides through its signatures.

How to Publish DKIM Public Keys

The first step towards publishing DKIM public keys is deciding on your key rotation schedule. Private keys, and the corresponding public keys, should be rotated out of use periodically to limit the possibility of a compromised or broken key being used. Common practice involves rotating the keys at varying intervals. Some organizations rotate keys weekly, while other organizations can go up to a year or more before changing their DKIM keys.

DKIM key rotation is actually very simple thanks to the introduction of the key selectors (the `s=` tag or fragment in the DKIM signature header). The key selector allows introducing new keys at any point, while keeping the old keys around for a prudent period of time so that all in-transit messages have time to be processed and delivered correctly.

As mentioned above, DKIM public key data is published in the DNS record. It’s typically published as a TXT record that looks like this:

selector._domainkey.isipp.com IN TXT “v=DKIM1;p=MIG..(big long strong of characters)..QIDAQAB”

Where the following parts are defined:

* `v=DKIM1`: This optional fragment identifies the record as a DKIM version 1 public key.

* `p=MIG..(big long strong of characters)..QIDAQAB`: This fragment contains the public key in Base64 encoding.

(RFC-6376 §3.6.1 contains a detailed description of all the fragments and flags that can be added to the DNS record.)

To add a new key, simply assign it a new selector and configure your DKIM signing component to start using the new key. As long as the old public key data remains in the DNS, all in-flight email will still pass validation. New messages will be using the new selector and therefore will validate using the newly added key.

It’s very important that whenever you add a new key record to the DNS, you verify that each name server is returning the correct data when queried for the new selector.

After a reasonable time – for example think about the largest interval that a message can sit dormant in a mail queue and then multiply it by 3 – you can safely remove old DKIM public keys from the DNS.

Disposing of Obsolete or Deprecated DKIM Private Keys

As explained above, if anyone is able to get a copy of your private keys, they will be able to sign messages as you. These signatures will appear legitimate to third parties as long as those DKIM public keys are published in your DNS.

In general, you should make sure that all previous copies of the private keys are destroyed. This includes backups and system images used for QA or other purposes. Sometimes overwriting the private key with zeroes and waiting for a full backup media cycle (i.e., when all forms of media have been overwritten with the new data) can be an effective method.

Once this process has completed, the overwritten private key can be removed.

The public key should be removed from your DNS as soon as the wait time for in-transit messages has elapsed. This ensures that even if an attacker got hold of the private key, they are unable to trick anyone into accepting forged messages.

It’s not considered good practice to keep copies of obsolete key material around, for any purpose. Keys must be destroyed after their lifecycle has expired to prevent misuse.

DKIM: The Most Confusing of the 3 Authentication Mechanisms Explained in Plain English

Let us help YOU get to the inbox like we've helped these others!

8 Responses

    • The private key is used by the DKIM software to compute a crypto signature of the message and some of its headers that can then be validated using the public key.

      On most cases, as each message is presented to the message sending software, the corresponding DKIM signature is calculated using the private key and added to the message in an email header.

  1. The private key is used by the DKIM software to compute a crypto signature of the message and some of its headers that can then be validated using the public key.

    On most cases, as each message is presented to the message sending software, the corresponding DKIM signature is calculated using the private key and added to the message in an email header.

  2. We have applications which is sending emails on behalf of our domain. How do we set up DKIM for those emails relayed from applications that are authenticated to send emails on domain’s behalf.

  3. We have Exchange Server 2010 on-premises for our emails but our emails are routed through our ISP. So, do we have create DKIM record in our DNS or in our ISPs DNS. Also, how we can create a private key & public.

  4. You didn’t give an example of a reasonable time to wait to safely remove old DKIM public keys from the DNS. Based on your guidance, I think an email recipient or middleman server might keep an email in a queue for up to a week in the event the ultimate recipient server is unreachable before giving up. So, that makes 21 days for the reasonable time. As the expert in this domain, do you agree that 21 days is reasonable?

    • Hello, Brent, our specialist says to consider the longest you have observed a bounce to happen, and then multiply by two; they usually recommend a week. Note that this is for actual bounces (the user doesn’t exist, etc.), not for other reasons for delivery failures such as non-delivery reports (NDRs) which indicate a systemic failure, not a user-specific failure.

  5. I’m looking to find out the physical application of the private key, not what it does but specifically where it gets stored, what location on the server, what folder, how does it get pointed to if the public key is in the DNS? Is it stored as a .cer file or .pub and is it in the root of windows, etc. TIA.

Leave a Reply

Your email address will not be published. Required fields are marked *

We are ISIPP SuretyMail, the original certified sender program and email deliverability service. Learn more here
Generic selectors
Exact matches only
Search in title
Search in content
Post Type Selectors
Search in posts
Search in pages
Filter by Categories
Blocklists and Blacklists
Content Issues
Email Authentication
Email List Building
Feedback Loops
Mailing List Hygiene
Monitoring and Tracking
Opt-in Practices
Our News
Privacy & Email Laws
Sending Practices
SMS Marketing
Spam Complaints
Technical Stuff
The Industry
Need Help Getting to the Inbox?
If you need help getting out of the spam folder and into the inbox, we're here for you. Our deliverability services come with a personal touch, and we get results. That combination has created customer loyalty that's nearly unheard of. (testimonials)
Read what we'll do for you here.

Join our email community and get
How to Stay Out of the Spam Folder 
& How to Grow Your Email List free!

 Get to the Inbox by SuretyMail
The Original Email Deliverability Company

Free stuff!
Skip to content