Email Encyclopedia: What is a DKIM Record
As one of the most important communication methods in modern society, electronic mail is widely used in various fields including personal communication, business collaboration, and marketing. However, with the popularization of email, problems such as spam, phishing emails, and forged emails have become increasingly serious, threatening users’ privacy security and information authenticity. To address these challenges, internet technology experts have developed various email authentication mechanisms, among which DKIM (DomainKeys Identified Mail) is an important standard that verifies the sender’s identity by adding digital signatures to emails, thereby increasing email credibility.
The core concept of DKIM is the “DKIM Record,” which is a TXT-type record configured in the domain’s DNS when deploying DKIM functionality. This article will explain in detail what a DKIM Record is, how it works, how to configure it, and its importance for enterprise email systems, helping users fully understand this key technology.
I. Introduction to DKIM
DKIM (DomainKeys Identified Mail) is an email authentication protocol designed to prevent email address forgery and the spread of spam. The protocol uses public-key cryptography: the sending side digitally signs the email, and the receiving side verifies the authenticity of that signature. If verification succeeds, it confirms that the email truly comes from the claimed sender domain and has not been tampered with; if verification fails, the email may have been forged or modified.
The DKIM protocol was jointly developed by several major internet companies and became an IETF (Internet Engineering Task Force) standard document (RFC 4870 and RFC 6376) in 2007. Currently, DKIM is widely supported by mainstream email service providers, including Gmail, Outlook, Yahoo, and others.
II. What is a DKIM Record?
A DKIM Record is a key component of the DKIM verification mechanism. It is a TXT record stored in the domain’s DNS that contains the public key used to verify email signatures. When an email carrying a DKIM signature arrives at a receiving server, the recipient queries the DKIM Record under the sender’s domain, obtains the corresponding public key, and uses that key to verify the signature in the email header, thereby determining whether the email is genuine and reliable.
The format of a DKIM Record is typically as follows:
selector._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+…"
Where:
- selector: A custom string used to identify a specific DKIM key pair.
- _domainkey: Fixed format, indicating this is a DKIM-related subdomain.
- example.com: The domain used by the sender.
- v=DKIM1: Indicates the DKIM version.
- k=rsa: Indicates that the key type (and thus the signature algorithm) is RSA.
- p=…: Indicates the specific content of the public key.
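As an added example (not code from the original article), the following Go program builds a record value of the form shown above from a freshly generated RSA key and parses one back. It rejoins the several strings DNS returns for a TXT value longer than 255 bytes, ignores stray whitespace and folded lines inside tag values, applies the DKIM1 and rsa defaults when v= or k= are absent, and treats an empty p= as a revoked key. The DKIMRecord type, the function names and the selector and domain in the printed line are assumptions of this example; only k=rsa keys are handled, matching the record format described above.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// DKIMRecord holds the tags of a parsed selector._domainkey TXT record.
type DKIMRecord struct {
	Version string         // v= (DKIM1; assumed when absent)
	KeyType string         // k= (rsa; assumed when absent)
	Flags   []string       // t= flags, e.g. "y" (testing mode), "s" (strict)
	Revoked bool           // an empty p= means the key has been revoked
	Key     *rsa.PublicKey // decoded from p= (base64 of a DER SubjectPublicKeyInfo)
}

// ParseDKIMRecord parses the strings returned for the TXT record. DNS splits a
// value longer than 255 bytes into several strings, which must be concatenated
// first; whitespace inside tag values (stray spaces, folded lines) is ignored.
func ParseDKIMRecord(txtStrings []string) (*DKIMRecord, error) {
	rec := &DKIMRecord{Version: "DKIM1", KeyType: "rsa"}
	tags := map[string]string{}
	for _, field := range strings.Split(strings.Join(txtStrings, ""), ";") {
		if strings.TrimSpace(field) == "" {
			continue // a trailing ';' is allowed
		}
		name, value, ok := strings.Cut(field, "=")
		if !ok {
			return nil, fmt.Errorf("malformed tag %q", strings.TrimSpace(field))
		}
		name = strings.TrimSpace(name)
		if _, dup := tags[name]; dup {
			return nil, fmt.Errorf("duplicate tag %q", name)
		}
		tags[name] = strings.Join(strings.Fields(value), "")
	}
	if v, ok := tags["v"]; ok && v != "DKIM1" {
		return nil, fmt.Errorf("unsupported version %q", v)
	}
	if k, ok := tags["k"]; ok {
		rec.KeyType = k
	}
	if rec.KeyType != "rsa" { // this example only handles the k=rsa records described above
		return nil, fmt.Errorf("unsupported key type %q", rec.KeyType)
	}
	if t, ok := tags["t"]; ok {
		rec.Flags = strings.Split(t, ":")
	}
	p, ok := tags["p"]
	if !ok {
		return nil, errors.New("missing required p= tag")
	}
	if p == "" {
		rec.Revoked = true
		return rec, nil
	}
	der, err := base64.StdEncoding.DecodeString(p)
	if err != nil {
		return nil, fmt.Errorf("p= is not valid base64: %w", err)
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, fmt.Errorf("p= is not a DER SubjectPublicKeyInfo: %w", err)
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("p= does not contain an RSA key")
	}
	rec.Key = rsaPub
	return rec, nil
}

// BuildDKIMRecord produces the TXT value to publish for an RSA public key.
func BuildDKIMRecord(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der), nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key pair for the demo
	record, _ := BuildDKIMRecord(&key.PublicKey)
	fmt.Printf("selector._domainkey.example.com. IN TXT %q\n", record)
	parsed, err := ParseDKIMRecord([]string{record})
	fmt.Println("parsed RSA key bits:", parsed.Key.N.BitLen(), "error:", err)
}
```

Because the parser normalizes whitespace itself, it is useful for checking a record exactly as a resolver returns it: a record that fails here (bad base64, missing p=, duplicate tags, unsupported version) will also fail at receiving servers.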
III. How DKIM Records Work
The DKIM operation process can be divided into the following steps:
- Generate Key Pair: First, the email server administrator uses a tool to generate a DKIM key pair consisting of a private key and a public key. The private key is used to sign outgoing emails and must be kept strictly confidential; the public key is published in the domain’s DNS so that recipients can verify signatures.
- Configure DKIM Record: Add the generated public key to the domain’s DNS settings as a TXT record. The name of this record is typically selector._domainkey.domain.com, where selector is a user-specified selector name and domain.com is the domain used by the sender.
- Email Signing: Whenever the email server sends a new email, it computes a hash over selected header fields of the email (such as From, Subject, Date, etc.) and signs that hash with the previously generated private key, producing a digital signature. This signature is then added to the email header in a field named DKIM-Signature.
- Email Transmission: The email is transmitted over the network to the recipient’s server. The receiving server parses the email header, finds the DKIM-Signature field, extracts the domain name and selector from it, and constructs the corresponding DNS query.
- Signature Verification: The receiving server obtains the DKIM Record under the sender’s domain through a DNS query and extracts the public key. It then recalculates the hash of the signed header fields and uses the public key to check that the signature matches that hash. If it does, verification passes, proving that the email source is trustworthy and the content has not been tampered with; otherwise, there may be a risk of forgery or tampering.
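To make the signing and verification steps concrete, here is an added Go example (not code from the original article) that implements both sides of the exchange: the sender canonicalizes the body and the chosen header fields, computes the body hash and the header hash, and signs the latter with RSA-SHA256; the receiver recomputes both hashes from the message it received and verifies the signature with the public key. The function names, the header set and the sample message are assumptions of this example, and the public key is handed to Verify directly in place of the DNS lookup of sel2024._domainkey.example.com that a real receiver would perform.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

type Header struct{ Name, Value string } // one message header field

// bodyHash: "simple" body canonicalization (trailing empty lines removed, one
// CRLF at the end), SHA-256 hashed and base64 encoded as carried in bh=.
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// headerHash: "relaxed" canonicalization (lower-case name, whitespace runs collapsed to one
// space, CRLF) of the signed headers plus the DKIM-Signature header with an empty b= value
// (that last one without CRLF), hashed with SHA-256.
func headerHash(signed []Header, sigValueEmptyB string) []byte {
	var canon strings.Builder
	for _, h := range append(append([]Header{}, signed...), Header{"DKIM-Signature", sigValueEmptyB}) {
		canon.WriteString(strings.ToLower(h.Name) + ":" + strings.Join(strings.Fields(h.Value), " ") + "\r\n")
	}
	sum := sha256.Sum256([]byte(strings.TrimSuffix(canon.String(), "\r\n")))
	return sum[:]
}

// Sign is the sender's step: bh= from the body, h= listing the signed headers, b= the RSA-SHA256 signature.
func Sign(priv *rsa.PrivateKey, domain, selector string, signed []Header, body string) (string, error) {
	names := make([]string, len(signed))
	for i, h := range signed {
		names[i] = h.Name
	}
	value := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(names, ":"), bodyHash(body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerHash(signed, value))
	if err != nil {
		return "", err
	}
	return value + base64.StdEncoding.EncodeToString(sig), nil
}

// ParseTags reads a tag=value list (whitespace inside values is ignored) and also
// returns the value with only the b= data blanked: the exact string the signer hashed.
func ParseTags(value string) (map[string]string, string) {
	tags := map[string]string{}
	fields := strings.Split(value, ";")
	for i, f := range fields {
		if name, v, ok := strings.Cut(strings.TrimSpace(f), "="); ok {
			name = strings.TrimSpace(name)
			tags[name] = strings.Join(strings.Fields(v), "")
			if name == "b" {
				fields[i] = " b="
			}
		}
	}
	return tags, strings.Join(fields, ";")
}

// Verify is the receiver's step once the key named by d= and s= has been fetched from
// DNS: check bh=, rebuild the header hash from the h= list, verify b= against it.
func Verify(sigValue string, headers []Header, body string, pub *rsa.PublicKey) error {
	tags, sigValueEmptyB := ParseTags(sigValue)
	if bodyHash(body) != tags["bh"] {
		return errors.New("body hash mismatch: body altered in transit")
	}
	var signed []Header // headers named in h=, in that order; absent names add nothing
	for _, name := range strings.Split(tags["h"], ":") {
		for _, h := range headers {
			if strings.EqualFold(h.Name, name) {
				signed = append(signed, h)
				break
			}
		}
	}
	sig, _ := base64.StdEncoding.DecodeString(tags["b"]) // a malformed b= simply fails below
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerHash(signed, sigValueEmptyB), sig) != nil {
		return errors.New("signature mismatch: signed headers altered or wrong key")
	}
	return nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key pair for the demo
	pub := &priv.PublicKey                       // what the receiver would fetch from sel2024._domainkey.example.com
	hdrs := []Header{{"From", "alice@example.com"}, {"Subject", "Quarterly report"}}
	body := "Hello Bob,\r\n\r\nThe report is attached.\r\n"
	sigValue, _ := Sign(priv, "example.com", "sel2024", hdrs, body)
	fmt.Println("intact:", Verify(sigValue, hdrs, body, pub))
	hdrs[1].Value = "Urgent: wire transfer" // tamper with the signed Subject header
	fmt.Println("tampered:", Verify(sigValue, hdrs, body, pub))
}
```

Run stand-alone, the program reports no error for the untouched message and a signature-mismatch error once the Subject header has been changed. Two design points matter for a receiver: canonicalization means whitespace refolding by intermediate mail servers does not break the signature, and the separate bh= check lets the receiver tell body tampering apart from header tampering or a wrong key.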
IV. The Importance of DKIM Records
DKIM Records play a crucial role in the modern email ecosystem. Their main advantages are:
- Enhanced Email Credibility: Emails verified through DKIM are more likely to be trusted by receiving servers, reducing the possibility of being marked as spam and thereby improving email deliverability.
- Prevention of Email Forgery: DKIM effectively prevents attackers from impersonating legitimate domain names to send forged emails, protecting brand reputation and user information security.
- Working in Conjunction with Other Authentication Mechanisms: DKIM is often deployed together with SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting & Conformance) to form a complete email authentication system, further enhancing the security of email systems.
- Meeting Compliance Requirements: Many industry standards (such as those in finance, healthcare, etc.) have strict requirements for email security, and deploying DKIM is one of the necessary measures to meet these compliance requirements.
V. How to Configure a DKIM Record?
The process of configuring a DKIM Record typically includes the following steps:
- Log in to the Email Management Platform: Most enterprise email service providers (such as Tencent Enterprise Email, Alibaba Cloud Mail, Google Workspace, etc.) provide DKIM configuration wizards. Administrators can access the “Domain Settings” or “Security Settings” section through the backend interface to find the DKIM configuration options.
- Generate DKIM Key Pair: After clicking the “Enable DKIM” button, the system will automatically generate a key pair and display the selector name and public key content.
- Copy DKIM Record Information: The system will prompt the administrator to add a TXT record to the domain’s DNS settings. The record name is typically selector._domainkey.yourdomain.com, and the value is the DKIM public key data.
- Update DNS Settings: Log in to the domain service provider’s (such as Wanwang, DNSPod, Cloudflare, etc.) control panel, find the DNS management page, and add a new TXT record. Make sure the record name and content match exactly what the email platform provided.
- Verify that DKIM is Working: After waiting a few minutes to several hours for the DNS changes to take effect globally, you can use online DKIM checking tools (such as DKIM Validator or MXToolbox), entering your domain name and selector, to verify whether the DKIM Record is correctly configured.
VI. Common Issues and Considerations
Although DKIM is a mature technology, some issues may still arise during the actual deployment process. Below are some common problems and suggestions:
- DKIM Record Format Errors: Ensure that the content of the TXT record has no extra spaces or line breaks, that quotation marks are properly closed, and that parameter order is correct.
- Selector Conflicts: If multiple email services simultaneously use the same domain name to send emails, different selectors should be assigned to each service to avoid key conflicts.
- Regular Key Rotation: For security reasons, it is recommended to change the DKIM keys periodically and update the records in DNS.
- Pay Attention to DNS Cache Time: After changing the DKIM Record, you need to wait for the TTL (Time to Live) to expire before it takes effect globally, so it is recommended to operate during off-peak hours.
VII. Conclusion
DKIM Record is one of the cornerstones of the email security system. It ensures the authenticity and integrity of emails through digital signatures, preventing email forgery and tampering. For enterprises, correctly configuring DKIM Records not only improves email deliverability but also effectively maintains brand image and customer trust. Combined with other authentication mechanisms such as SPF and DMARC, DKIM forms a complete anti-fraud solution for electronic mail, which is an indispensable technical measure for modern enterprises.
As network security situations become increasingly severe, email authentication has become a mandatory course for all email senders. Mastering the basic principles and configuration methods of DKIM Records not only helps IT administrators optimize email systems but also provides ordinary users with the ability to identify malicious emails. In the future, as technology develops, DKIM is expected to continue to evolve, contributing to the construction of a more secure and reliable email environment.