Spam lurks around every corner of cyberspace, and a staggering 91% of all cyberattacks begin with a phishing email to an unexpected victim. This research by Deloitte perfectly shows why it’s crucial to apply all possible safety measures to protect your domain from unwanted phishing attacks. And a DKIM record (DomainKeys Identified Mail) is among the most critical actions.
The number of DKIM keys tripled from 2020 to 2021. And with cyber threats evolving at an alarming pace, it's no wonder that the adoption of DKIM records has skyrocketed.
So, in this article, we gathered everything about DKIM, along with expert advice from email deliverability experts on setting up this record. Read on and empower yourself with the knowledge that will keep your digital doors bolted shut.
The Article Walkthrough:
What Is a DKIM Record?
Take a DKIM record like your passport: it helps you go through a face control and get into the recipient’s inbox. In simple words, it is a text record with your email signature used for the authentication of an email that’s being sent. It is essential to create both SPF records and DKIM as standards for email authentication that are used for DMARC alignment.
A DKIM record exists in the DNS, but it is a bit more complicated than SPF. DKIM’s advantage over SPF is that it can survive forwarding, which makes it superior to SPF and a foundation to save your email sender reputation.
❗ Folderly consulting experts recommend using both SPF and DKIM (and DMARC) to achieve 100% email deliverability and keep your domain safe. It’s not a choice between the two.
A DKIM record consists of a key pair.
- Public key. A public key is a TXT record added to your DNS record. Recipient servers can access it once you send a message and confirm that the sender’s address is valid and connected to the signature.
- Private key. This is a unique key. It’s added to your email signature. Your private key generates a DKIM signature for every email you send, ensuring that it won’t be copied or re-created by spoofers.
NB ❗ Although a receiving email server extracts your DKIM signature with a private key, nobody can see your unique private code.
Why Is DKIM Check Crucial for Email Deliverability
When the recipient server uses a DKIM signature to verify an incoming email and establish if it was actually sent from the domain indicated in the email address, this process is called the DKIM check.
- Helps to detect fake emails. By affirming the sender’s key, DKIM record helps to detect fake email addresses and fight against spam.
- Helps to establish solid email reputation. Since DKIM ensure spammers don’t use your personal domain name to send emails, it’s a must-to-implement step for a solid domain reputation. As a result—more chances to get into inbox.
- Gives access to Postmasters. Postmaster Tools are Google Account services for analytics. They help to track data on large volumes of emails sent and find data about your sending domain. To set up postmaster statistics, you need to have the correct email authentication such as DKIM and SPF.
How DKIM Works in Practice
STEP 1: If DKIM record is set up property, sender’s domain adds e-signature to the email using private key + publishes txt DNS record containing public key.
STEP 2: The receiving mail server extracts DKIM signature with private key from email header.
STEP 3: The receiving mail validates a sender using a public key from a DKIM DNS entry.
STEP 4: If public and private keys match, the message goes to the user's inbox. If they don’t match, an email goes to a spam folder.
How To Check Your DKIM Record
If you are a Microsoft 365 client, you can choose to do nothing about DKIM for your custom domain. Microsoft 365 automativally creates a private and public key pair, enables DKIM signing, and then configures the Microsoft 365 default policy for your custom domain.
❗However, if you answer “YES” to one of the following statements, it is important to manually configure your custom domain:
- You use more than one custom domain in Microsoft 365
- You're going to set up DMARC as well (you can do it with free DMARC Record Generator)
- You want have a 100% control over your private key
- You want to have customized CNAME records
- You want to set up DKIM keys for email originating out of a third-party domain, for example, if you use a third-party bulk mailer.
So, here’s a quick guide to check your DKIM setup:
- Send a message from your Microsoft 365 account with DKIM-enabled domain to another email account such as Outlook.com.
- Open the email and look at the header. The correctly DKIM-signed message will show the hostname and domain. The message will look like this:
❓ FAQ: Can a domain have multiple DKIM Records?
Yes, it can! A domain can have as many DKIM records for public keys as servers that send mail. Just make sure that they use different selector names.
How to generate DKIM in G-suite
If you DKIM test has failed or/and you want to create a customized DKIM record, follow the next steps in your G-Suite account.
Note! You can’t generate DKIM Record if you are just an end-user. You must be signed in as a super administrator (the one who has access to all features in the Admin console) to get the right to generate it.
1. Open your Google Admin console (at admin.google.com).
2. Go to Apps > G Suite > Gmail or follow the search request below.
a) Type DKIM and go to DKIM authentication.
b) On the Authenticate email page in the drop-down list, select a domain for DKIM authentication.
If you have multiple domains, make sure you select a domain you want to enable DKIM authentication. Otherwise, DKIM authentication may fail for your domain.
3. Click Generate New Record to generate DKIM record.
If you have just created your G Suite account and turned on Gmail, you have to wait 24–72 hours before you can generate a DKIM key.
4. Select DKIM 2048-bit key (The “2048-bit” is the length of the key, which determines its strength. The longer key means enhanced security) and click Generate.
5. After the generation is complete, go to the domain registrar (where you manage DNS records) and add the TXT type record with the following Host name and record value:
When the record in the domain registrar is saved go back to the Google Admin and click the Start Authentication button.
Important! In most cases, the email authentication process takes up to 48 hours to verify. If you encounter a message like this, make sure you entered the correct DKIM TXT record into the domain provider's settings and come back later. Then, you can again click the Start Authentication button to enable DKIM.
Conclusion: Navigating the Intricacies of DKIM
Implementing DKIM not only safeguards your brand's reputation but also enhances email deliverability. It’s a vital layer of protection against phishing attempts, email spoofing, and other fraudulent activities, bolstering your overall email security.
However, it's crucial to remember that DKIM implementation is not a one-size-fits-all approach. Each organization may have specific requirements and nuances that require expert guidance.
If you need assistance or further insight into email deliverability best practices, fear not. Our team of email deliverability experts at Folderly is here to provide you with comprehensive consulting services tailored to your unique needs. We have the knowledge and expertise to help you navigate the intricacies of DKIM and other email authentication methods, ensuring your emails reach their intended destinations.
Also, should you have any questions or concerns regarding DKIM or any other email-related matters, please don't hesitate to contact us at support@folderly.com. We are dedicated to assisting you in your journey towards optimized email deliverability and unrivaled sender reputation.
'%3e%3cpath%20d='M7.1514%208.23808L7.14213%208.24436L10.3723%204.84628L10.4274%206.93218C10.43%207.03418%2010.4735%207.13018%2010.5478%207.20082C10.6221%207.27146%2010.7197%207.3096%2010.8218%207.30709L11.1461%207.29896C11.2481%207.29637%2011.3432%207.2542%2011.4138%207.17992C11.4844%207.10561%2011.522%207.00864%2011.5194%206.90669L11.4291%203.33504C11.4265%203.23269%2011.3838%203.13755%2011.3093%203.06708C11.2347%202.9958%2011.1375%202.95801%2011.0352%202.96068L7.46342%203.05118C7.36151%203.05381%207.26657%203.09614%207.19589%203.1705C7.12529%203.24477%207.08786%203.34177%207.09036%203.44365L7.09865%203.76794C7.10112%203.86986%207.14353%203.9648%207.21785%204.03544C7.29212%204.10604%207.38541%204.1401%207.48736%204.13744L9.59083%204.08052L6.35316%207.48652C6.20768%207.63957%206.21734%207.89356%206.3703%208.03897L6.60551%208.26255C6.75847%208.40795%207.00592%208.39113%207.1514%208.23808Z'%20fill='%23383838'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_1030_2207'%3e%3crect%20width='7.00639'%20height='7.00639'%20fill='white'%20transform='translate(13.8477%205.48047)%20rotate(133.549)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}