**DKIM** is one of the three email authentication methods ([[SPF]], DKIM and [[DMARC]]) that help prevent attackers from sending messages that look like they come from your domain.
DKIM lets you add a digital signature to outbound email messages in the message header. When you configure DKIM, you authorize your domain to associate, or sign, its name to an email message using cryptographic authentication.
In basic terms, a [[private key]] signs the headers of a domain's outgoing email. The matching [[public key]] is published in the domain's [[HPS - DNS]] records, and receiving servers use that key to verify the signature.
# How DKIM works better than [[SPF]] alone to prevent malicious spoofing
[[SPF]] only adds information about authorized sending servers to the message envelope, whereas DKIM places a cryptographic signature _inside_ the message header.

If you had only published an SPF TXT record for your domain, the recipient's mail server could have marked your email as spam and generated a false positive result. **Adding DKIM in this scenario reduces _false positive_ spam reporting.** Because DKIM relies on public key cryptography to authenticate, not just on IP addresses, DKIM is considered a much stronger form of authentication than [[Sender Policy Framework (SPF)|SPF]].
# DNS DKIM Record
[What is a DNS DKIM record?](https://www.cloudflare.com/learning/dns/dns-records/dns-dkim-record/)
## What is a DKIM record?
A DKIM record stores the DKIM public key — a randomized string of characters that is used to verify anything signed with the private key. Email servers query the domain's DNS records to see the DKIM record and view the public key.
A DKIM record is really a [DNS TXT ("text") record](https://www.cloudflare.com/learning/dns/dns-records/dns-txt-record/). TXT records can be used to store any text that a domain administrator wants to associate with their domain. DKIM is one of many uses for this type of DNS record. (In some cases, domains have stored their DKIM records as [CNAME](https://www.cloudflare.com/learning/dns/dns-records/dns-cname-record/) records that point to the key instead; however, the [official RFC](https://datatracker.ietf.org/doc/html/rfc6376/) requires these records to be TXT.)
Here is an example of a DKIM DNS TXT record:
| Name | Type | Content | TTL |
|---|---|---|---|
| `big-email._domainkey.example.com` | `TXT` | `v=DKIM1; p=76E629F05F70 9EF665853333 EEC3F5ADE69A 2362BECE4065 8267AB2FC3CB 6CBE` | `6000` |
#### Name
Unlike most DNS TXT records, DKIM records are stored under a specialized name, not just the name of the domain. DKIM record names follow this format:
```
[selector]._domainkey.[domain]
```
The `selector` is a specialized value issued by the email service provider used by the domain. It is included in the DKIM header to enable an email server to perform the required DKIM lookup in the DNS. The `domain` is the email domain name. `._domainkey.` is included in all DKIM record names.
To look up the DKIM record, email servers use the DKIM selector provided by the email service provider, not just the domain name. Suppose example.com uses Big Email as their email service provider, and suppose Big Email uses the DKIM selector `big-email`. Most of example.com's DNS records would be named `example.com`, but their DKIM DNS record would be under the name `big-email._domainkey.example.com`, which is listed in the example above.
#### Content
This is the part of the DKIM DNS record that lists the public key. In the example above, `v=DKIM1` indicates that this TXT record should be interpreted as DKIM, and the public key is everything after `p=`.
#### Record type and TTL
These are standard fields in DNS records. `TXT` indicates that this is a DNS TXT record. "TTL" stands for time to live (measured in seconds), and it indicates how long this record should be considered valid before it needs to be refreshed. DKIM records generally have a TTL of several minutes.
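The lookup described in the Name and Content sections above, worked through in code. This is an added example, not code from the page or from Cloudflare: it takes a constructed `DKIM-Signature` header, derives the `[selector]._domainkey.[domain]` name a receiving server would query, and then interprets a constructed TXT answer (the key bytes are placeholders, not a real key). The revoked-key check follows RFC 6376 section 3.6.1, where an empty `p=` means the key has been revoked.

```python
import re
from typing import Dict

# Constructed sample DKIM-Signature header (not from the page). For the DNS lookup
# only two tags matter: d= (the signing domain) and s= (the selector).
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=big-email; "
    "h=from:to:subject:date; bh=placeholderbodyhash=; b=placeholdersignature="
)

# Constructed TXT answer for big-email._domainkey.example.com. The p= value is a
# placeholder modelled on the page's example, not a real public key.
SAMPLE_TXT_RECORD = (
    "v=DKIM1; k=rsa; p=76E629F05F70 9EF665853333 EEC3F5ADE69A "
    "2362BECE4065 8267AB2FC3CB 6CBE"
)

# A key record with an empty p= tag: the domain owner has revoked this selector.
REVOKED_TXT_RECORD = "v=DKIM1; p="


def parse_tag_list(value: str) -> Dict[str, str]:
    """Parse a DKIM tag=value list (RFC 6376 section 3.2).

    Tags are separated by ';', a trailing ';' is allowed, and whitespace
    around names and inside values (folding whitespace) is not significant.
    """
    tags: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, _, val = part.partition("=")
        name = name.strip()
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
            raise ValueError(f"invalid tag name: {name!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = "".join(val.split())
    return tags


def dkim_dns_name(signature_header: str) -> str:
    """Build the [selector]._domainkey.[domain] name a verifier queries."""
    tags = parse_tag_list(signature_header)
    for required in ("d", "s"):
        if not tags.get(required):
            raise ValueError(f"DKIM-Signature is missing the {required}= tag")
    return f"{tags['s']}._domainkey.{tags['d']}"


def check_dkim_record(txt: str) -> dict:
    """Interpret a DKIM key record from DNS.

    v= is optional in key records but must be DKIM1 when present; k= defaults
    to rsa; p= is mandatory and an empty p= means the key is revoked.
    """
    tags = parse_tag_list(txt)
    version = tags.get("v", "DKIM1")
    if version != "DKIM1":
        raise ValueError(f"unsupported DKIM key record version: {version}")
    if "p" not in tags:
        raise ValueError("DKIM key record has no p= tag")
    return {
        "version": version,
        "key_type": tags.get("k", "rsa"),
        "public_key": tags["p"],
        "revoked": tags["p"] == "",
    }


if __name__ == "__main__":
    name = dkim_dns_name(SAMPLE_DKIM_SIGNATURE)
    print("query:", name)                      # big-email._domainkey.example.com
    print("key record:", check_dkim_record(SAMPLE_TXT_RECORD))
    print("revoked record:", check_dkim_record(REVOKED_TXT_RECORD))
```

In a real verifier the name returned by `dkim_dns_name` would be resolved with a TXT query, and the `public_key` value would then be base64-decoded and used to check the `b=` signature; that decoding and signature check is outside the scope of this page.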