Originally, we intended to name this blog post “DKIM Record Check: Why It Is Important and Why You Should Do It Right Now if You Haven’t Done It Yet”, but that would be an obnoxiously long headline.
Our previous blog post outlined the concept of DKIM and explained why it is a vital component of your domain reputation (if you haven’t read it, don’t run off to catch up, we’ll fill you in right in this blog post). But we still have a lot of information to add to that subject. Take the DKIM record check, for example. What is it? How does it work? How would your email marketing benefit from it? The number of questions is overwhelming, so we don’t recommend dealing with it on your own. Let us guide you through the intricacies behind the DKIM signature and let you explore them at your pace.
Why do you need a DKIM signature?
A DKIM signature is designed not for your recipients’ eyes, but for your recipient servers. This email authentication protocol “seals” your emails with an encrypted signature visible in the email header field. This signature is detected by the receiving server and it proves that no third party tampered with the content of the message.
A DKIM record consists of a key pair.
- Public key. A public key is a TXT record published on your domain. Recipient servers can access it and confirm that the sender’s address is valid and connected to the signature.
- Private key. This is a unique key that can’t be accessed by other users. Your private key generates a DKIM signature for every email you send, ensuring that it won’t be copied or re-created by spoofers.
Together with an SPF record, the DKIM signature is pretty much a must for healthy and steady email outreach and solid sender reputation.
What is the DKIM check?
When the recipient server uses a DKIM signature to verify an incoming email and establishes if it was actually sent from the domain indicated in the email address, this process is called the DKIM check.
DKIM check steps
The DKIM check process usually goes as follows:
- The domain administrator generates the key pair, adds the public key TXT record to the rest of DNS records, and places the private key on the sender’s MTA (mail transfer agent).
- The sender’s domain sends an email, and the MTA uses the private key to encrypt a Hash Value of the message content and attaches the encrypted string to the header field.
- The receiving server’s MTA scans the sender’s DNS records and the public TXT record to decipher the encrypted signature.
- The receiving server’s MTA recomputes the Hash Value of the incoming email and compares the recomputed hash to the deciphered one. If there is a match, the email passes the DKIM check.
This is why you should make sure that your DKIM pair is generated correctly and recipient servers have no issues with checking it. You can do it by carefully following the DKIM signature generation guidelines and running DKIM validation on your own.
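The hash comparison from the last step above, as an added Python example (not taken from any tool mentioned in this post). It recomputes the body hash that a `DKIM-Signature` header carries in its `bh=` tag and compares it with the received body; the check of the signature itself against the public key is left out. The message, domain and selector are constructed samples, and the optional `l=` tag is assumed to be absent.

```python
import base64, hashlib, re

def parse_tags(value):
    """Split a DKIM 'tag=value; tag=value' list into a dict."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def canon_body(body, mode):
    """Apply 'simple' or 'relaxed' body canonicalization (RFC 6376, 3.4)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of spaces/tabs and drop whitespace at line ends.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at the end
        lines.pop()
    if not lines:                          # empty body
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body, c_tag="simple/simple"):
    """Base64 SHA-256 of the canonicalized body, as stored in bh=."""
    mode = c_tag.split("/")[1] if "/" in c_tag else "simple"
    digest = hashlib.sha256(canon_body(body, mode)).digest()
    return base64.b64encode(digest).decode()

def check_body_hash(dkim_value, received_body):
    """Receiver side: recompute the hash and compare it with bh=."""
    tags = parse_tags(dkim_value)
    if tags.get("a") != "rsa-sha256":
        raise ValueError("this example only handles a=rsa-sha256")
    return body_hash(received_body, tags.get("c", "simple/simple")) == tags.get("bh")

# Constructed sample: the sender hashes the body and puts the result in bh=.
SENT_BODY = b"Hi Anna,\r\n\r\nYour invoice is attached.\r\n"
DKIM_VALUE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
              "h=from:to:subject; bh=" + body_hash(SENT_BODY, "relaxed/relaxed")
              + "; b=PLACEHOLDER")         # b= is a placeholder, not a signature

if __name__ == "__main__":
    reflowed = b"Hi Anna,  \r\n\r\nYour  invoice is attached. \r\n\r\n"
    edited = b"Hi Anna,\r\n\r\nYour invoice is at http://example.net/\r\n"
    print("unchanged body:", check_body_hash(DKIM_VALUE, SENT_BODY))
    print("whitespace only:", check_body_hash(DKIM_VALUE, reflowed))
    print("edited content:", check_body_hash(DKIM_VALUE, edited))
```

With `c=relaxed/relaxed`, whitespace changes made in transit still match, while any change to the wording does not.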
How to do DKIM testing?
You don’t need a complex DKIM validator to test your DKIM signature. You can do everything right in your Gmail web app.
First, send a message to your Gmail account. Then, go to the “More” icon and choose “Show original”.
This is how your email will look after choosing this option. You should look at the DKIM field.
As you can see in this example, the DKIM is marked as “PASS” and features a domain name. It means that the email passed the DKIM check and the sender’s domain name was verified via public DKIM record.
If you see this, it means that your DKIM is well-generated and you have nothing to worry about.
Another way to validate your DKIM is to use a DKIM validator. Plenty of those are available online, and they are quite simple to use.
For example, to use the DKIM Validator Tool by Dmarcian, you only need to enter your public DKIM key to validate it and see that it’s composed properly.
What is a DKIM record made of?
Now, let’s see what your recipients' servers see whenever they get a message from you and need to run a DKIM check.
Here’s how you can translate this string of characters:
Looks complicated, doesn’t it? Not going to lie, this is complicated, which is why DKIM validation failures are such a pain to troubleshoot.
Sometimes, the cause for failure is obvious and solvable (your public TXT key is missing, the syntax is wrong, the changes to the DKIM signature were applied while your message was already on its way to the recipient, etc.), sometimes it's a complete mystery and it frustrates you to no end. You run your public TXT record through a DKIM checker and it reports failure. You check the syntax and placement, try to validate your TXT record again - and the failure notification pops up once more. Not all conditions that were present in signing and validation of the message can be recreated by a DKIM validator in its attempt to compare hashes. Therefore, it reports a DKIM check failure - and you have to use manual validation and open rate monitoring in order to see whether there is an issue with your DKIM signature or not.
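The obvious causes named above (a missing public key, wrong syntax) can be checked mechanically before reaching for an online validator. The following Python lint is an added example, not part of the original post or of any validator it mentions; the tag rules follow RFC 6376 and RFC 8463, and the record, selector and domain are constructed samples (the `p=` value is not a real key).

```python
import base64, binascii

def dkim_query_name(selector, domain):
    """DNS name where the receiving server looks up the public key."""
    return f"{selector}._domainkey.{domain}"

def lint_dkim_record(txt):
    """Return a list of problems found in a DKIM public key TXT record."""
    pairs = [p.split("=", 1) for p in txt.split(";") if p.strip()]
    if any(len(p) != 2 for p in pairs):
        return ["syntax: every tag must be written as name=value"]
    names = [n.strip() for n, _ in pairs]
    tags = {n.strip(): "".join(v.split()) for n, v in pairs}
    problems = []
    if len(names) != len(set(names)):
        problems.append("syntax: a tag appears more than once")
    if "v" in tags and (names[0] != "v" or tags["v"] != "DKIM1"):
        problems.append("v= must be the first tag and equal DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("k= names an unknown key type")
    if "p" not in tags:
        problems.append("p= (public key) is missing")
    elif tags["p"] == "":
        problems.append("p= is empty: this key has been revoked")
    else:
        try:
            # validate=True rejects stray quotes and other pasted-in debris
            base64.b64decode(tags["p"], validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y: record is still flagged as testing")
    return problems

# Constructed sample key material (48 arbitrary bytes, not a usable key).
SAMPLE_P = base64.b64encode(bytes(range(48))).decode()
GOOD = "v=DKIM1; k=rsa; p=" + SAMPLE_P

if __name__ == "__main__":
    print(dkim_query_name("sel1", "example.com"))
    for record in (GOOD, "k=rsa; v=DKIM1; p=" + SAMPLE_P, "v=DKIM1; k=rsa"):
        print(lint_dkim_record(record) or "no problems found")
```

A clean result only means the record is well formed; it does not show that the key matches the private key on the sending MTA.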
Why should you use a DKIM check?
To sum it up, a DKIM validation lets you put yourself in your recipient servers’ shoes and make sure that nothing prevents them from quickly verifying your DKIM signature and authenticating your domain. An easy DKIM check means:
- Good reputation. You show that you’re a credible and legitimate sender who takes their reputation seriously and values their communication with potential buyers and business partners. It demonstrates that you respect transparency and that you walked the extra mile to make your communication safe and secure.
- Anti-phishing measures. Checking and verifying DKIM signatures for all domains used in your company makes it harder for phishers and spoofers to slither their way past your defenses and destroy the reputation you’ve been working on. Serves them right! The more attention you pay to your DNS records whenever you run an audit for your campaigns or test your deliverability, the more you contribute to making email marketing a safer place for both you and your potential target audience.
- Spam filter dodging. When you regularly check and verify your DKIM records (and other DNS records as well), you don’t give spam filters an opportunity to give you a figurative “stink eye” because you can instantly notice all budding issues and react to them. A well-generated DKIM signature together with a proper SPF record will be the documents proving your sincerity and competence to email service providers.
In general, you should run a performance audit at least every two weeks to evaluate your domain’s health and take note of the slightest changes, if they persist. It can become a monotonous task, but it’s better than the chaos and panic that reign after your DNS records fail to protect you. With Folderly, you can get a good look at your domain’s performance and be alerted whenever there is an issue that needs to be fixed or an outreach component that could be improved.