What is required for a DKIM signature?
DomainKeys Identified Mail (DKIM) is a digital signature added to outbound emails. It looks like a random string of characters that is mostly unreadable to a human. Recipients don’t see it unless they dig into the source of the email. DKIM is meant for the recipient’s email server, which authenticates the sender based on it and, if everything checks out, lets the email through to the mailbox. Here is an example of a typical DKIM-Signature header:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=asuswebstorage.com; s=default; t=1572282571; bh=NFzBvJ/pEmf+yUHDd/Y7dYNH9pE+Bx6o95KcxhwFL78=; h=From:To:Subject:From; b=QwgINKqwcBu3GbeWm2Be81qXks6Pq9yMmDZl9C6mT8moXVBeokpEmDN+0RyZFiOmNH30kbe6HbS2lY3b1Pf726UH/V/0VAH0nigTuir4TWdN/IUePV+goQdEJ2+sDQ1fHlVjyyJCRwCiFiZpBIjhTBNN0vrgNJZ/gSLLOvq6k3s=
It consists of the following tags:
- v=1 – the version (always equals 1)
- a= – the signing algorithm used to create the DKIM signature
- c= – the canonicalization algorithm for the header and the body
- d= – the domain on whose behalf the email is signed
- s= – the DKIM selector
- t= – the timestamp of when the email was signed
- bh= – the hash of the email body
- h= – the list of signed headers
- b= – the digital signature
To create a DKIM signature, you only have to specify two of the tags above yourself: an authorized domain (d=) and a selector (s=).
Choose a domain
When validating DKIM signatures, the recipient’s mail server checks whether the domain included in the signature (d=) matches the domain in the ‘From:’ field of the email. You may use different domains for sending different types of emails, so make sure each of them is authorized.
NB: If you’re using different domains for sending emails, you’ll need to have separate DKIM signatures for each domain.
Pick a DKIM selector
A selector (or selector prefix) is a name you need to specify to create the DKIM key. During validation, the receiving server runs a DNS query built from the combination of the authorized domain (d=) and the selector (s=). This is how it fetches the public key.
Each selector is tied to a separate private key. If you send different types of emails (marketing, transactional, etc.) from the same domain, it’s more convenient to use separate keys, though you don’t have to. To generate them, you’ll need a different selector for each key. You can pick any name for your selector.
Choose a public and private key generator
The domain and selector are the input data used to generate a key pair, which consists of a public and a private key. The public key is published in a DNS TXT record, whereas the private key is used by the sending MTA. Check our blog post, “What is an MTA?”, if you need to brush up on what that is.
The MTA uses the private key to sign the hashes of the listed headers (h=) and the body (bh=) of the outbound email. The private key is kept on the server and never leaves it.
When an email with a DKIM signature arrives, the receiving mail server makes a DNS query to get the public key. It uses the key to verify the signature, recomputes the hashes itself, and compares them with the ones in the signature. If everything matches, the email is let in.
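To make the receiver-side steps concrete, here is a small added example (not code from the original post) that splits a DKIM-Signature value into its tags, derives the DNS name the receiver queries from s= and d=, and recomputes the bh= body hash using the “relaxed” body canonicalization named in the c= tag. The header and body are constructed samples; the b= value is a placeholder, so only the body hash is checked, not the RSA signature.

```python
import base64
import hashlib
import re


def parse_dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags


def dkim_dns_name(tags):
    """TXT record the receiver looks up: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def relaxed_body(body):
    """RFC 6376 'relaxed' body canonicalization: strip trailing whitespace on each
    line, collapse runs of whitespace to one space, drop trailing empty lines,
    and terminate a non-empty body with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    out = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in lines]
    while out and out[-1] == "":
        out.pop()
    return "\r\n".join(out) + "\r\n" if out else ""


def body_hash(body, algorithm="rsa-sha256"):
    """Compute the bh= value: base64 of the digest over the canonicalized body."""
    digest = hashlib.sha256 if algorithm == "rsa-sha256" else hashlib.sha1
    return base64.b64encode(digest(relaxed_body(body).encode()).digest()).decode()


def verify_body_hash(tags, body):
    """True when the received body still matches the bh= tag the sender computed."""
    return body_hash(body, tags.get("a", "rsa-sha256")) == tags["bh"]


# Constructed sample message (example.com / test-mail are the post's own examples).
SAMPLE_BODY = "Hello  world \r\n\r\n"
SAMPLE_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=test-mail; "
                 f"t=1572282571; bh={body_hash(SAMPLE_BODY)}; h=From:To:Subject; "
                 "b=PLACEHOLDER")  # placeholder, not a real signature
```

Tampering with the body after signing changes the canonicalized bytes, so verify_body_hash returns False; whitespace-only edits are absorbed by relaxed canonicalization and still verify.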
You can generate these keys with one of the following tools:
- DKIM Core – the selector is assigned automatically.
- DKIM Generation Wizard by SocketLabs – allows you to assign a selector and generate 1024 and 2048 bit key pairs.
- DKIM Wizard by SparkPost – allows you to assign a selector and generate 1024 and 2048 bit key pairs. Previously known as Port25.
- DKIM Record Generator by Easy DMARC – allows you to assign a selector and lookup DKIM.
- DKIM Wizard by Unlock The Inbox – allows you to assign a selector and generate 512, 768 (keys smaller than 1024 bits are subject to off-line attacks), 1024, and 2048 bit key pairs.
- PuTTY – an installable tool for generating public-private key pairs on Windows and Linux.
- ssh-keygen – an installable tool for generating public-private key pairs on Linux.
With some tools, you can generate 2048-bit domain keys. They are more secure than 1024-bit ones, but you can use them only if your DNS system supports TXT records of that length.
How do I create a DKIM record for my domain?
Now, the meat! Let’s go through the steps required to create a DKIM record online. As an example, we’ll use the domain ‘example.com’ and the selector ‘test-mail’.
Generate public and private keys
Generate your public and private key pair using a dedicated tool. We’re using DKIM Wizard by SparkPost, as follows: