+3 votes
in Email security by (242k points)
DKIM: what is DomainKeys and how to configure it

1 Answer

+4 votes
by (1.6m points)
Best answer


All email servers try to block emails with a fake sender. Scammers imitate the addresses of trusted senders known to the recipient in order to sneak in, for example, a Trojan, or to convince the recipient to hand over sensitive information (phishing).

One of the methods to check the authenticity of the sender is DKIM, a concept with which emails with digital signature are verified. DKIM is the acronym for DomainKeys Identified Mail.

The DKIM that is used today was created in 2004 as a collaborative project of a consortium of companies. DKIM brings together the older concepts of Yahoo's DomainKeys and Cisco's Identified Internet Mail, and the acronym DKIM is taken precisely from there: DK = DomainKeys, IM = Identified Internet Mail.

  1. How DKIM works
  2. The technical components of DKIM
    1. Hashing
    2. Asymmetric encryption
    3. TXT entry on the name server
  3. Create a DKIM record
  4. Check the DKIM record

How DKIM works

DKIM is based on communication between the sending and receiving mail servers; the end user notices nothing of it.

In very general terms, the sending mail server adds a digital signature to the mail and the receiving server verifies it. To do this, it checks the signature against the public key of the mail server listed as the sender.

If the public key does not match the signature, this can have several causes:

  • The email was not sent by the mail server that appears in the mail header, but by another, rogue server.
  • The email was modified on its way from the 'authentic' mail server to the receiver. A hacker may have intercepted the email, modified it and resent it.

The technical components of DKIM

To understand DKIM, it is worth taking a look at the different 'components' that make up the concept.

Hashing

An algorithm transforms the content of the mail into a sequence of characters called a hash value. This value is added to the email header.


Hashing follows the same principle as the check digit of a payment slip, where a value is calculated from the reference number and appended to it as the last digit.

If the receiver recalculates the hash value of the received mail with the same algorithm, it should obtain the same sequence of characters as the one in the email header. If the hash values do not match, the recipient knows that the email has been modified.

Asymmetric encryption

In order for the receiver to be sure that the hash value really comes from the original sender, a further measure is needed: the digital signature.

The signature method used to verify the sender is asymmetric encryption. It is based on a pair of keys: what is encrypted with key A can only be decrypted with key B. One of the keys is kept secret (the 'private key') and the other is published (the 'public key').


You can find detailed information in this general article on encryption methods.

The sequence is as follows:

  1. The sender encrypts the calculated hash value with the private key.
  2. It then adds the encrypted hash value to the email header (the 'signature').
  3. The receiver looks up the public key of the sending server at the domain name server and uses it to decrypt the signature.
  4. It then recalculates the hash value itself: if the result matches the decrypted value, everything is in order.

TXT entry on the name server

In order for the receiving mail servers to consult the sender's public key, this key must be published as a TXT Resource Record in the domain's DNS zone.

The DKIM entry contains the following elements:

  • The version, usually given as v=DKIM1.
  • The encryption algorithm; this is always RSA (k=rsa).
  • The public key (p=); it is a long sequence of characters.
  • The selector; this item varies by provider. Example: default._domainkey or k1._domainkey

The DKIM record is a TXT Resource Record.

As a general rule, the DKIM record can only be looked up starting from an email header, since the lookup requires not only the domain name but also the selector, which is usually not known and takes a long time to find out.

Create a DKIM record

To create a DKIM record, you must generate an RSA key pair and store it in the correct place on the server. Most email service providers take care of this for you.


In our Help Center we explain how to set up a DKIM record for your IONOS email account.

You can also generate a record by hand to better understand how DKIM works. There are various free tools on the internet, e.g. EasyDMARC's DKIM Record Generator. Enter any selector at the top (example: k1) and any domain on the right-hand side. The generator outputs a private key and a public key. The private key must be stored on the email server (this task can only be done by your email service provider); the public key goes into the DKIM record.

EasyDMARC DKIM Record Generator: at the top you enter the domain and any prefix. The DKIM record appears in green below.

Check the DKIM record

You can check whether the DKIM record is actually publicly reachable with a DKIM checker, e.g. EasyDMARC's DKIM Record Lookup.

The simplest way is to send an email to your own address and look at the header. There the 'DKIM-Signature' entry will appear:

In the email header you can see the DKIM signature.

By copying the header into a header analysis tool, you can view detailed information about it.