DKIM Records: How To Create and Add Them To Your DNS

What is a DKIM record?

DKIM is an open standard for email authentication that helps protect email senders and recipients from spam, spoofing, and phishing. It allows an organization to claim responsibility for a message in a way that the receiver can validate. It is an email security standard designed to make sure that messages aren’t altered in transit between the sending and receiving servers.

DKIM adds a signature header to each email, secured with a public/private key pair and a certificate. It acts as a watermark for email, so that receivers can verify that the email came from the domain it says it does and hasn’t been tampered with.

Every DKIM signature contains all the information that an email server needs to verify whether the signature is real, and it is encrypted with a pair of DKIM keys. The originating server holds the private key, and the receiving mail server or ISP verifies the signature with the other half of the key pair, called the public key. The public key is published in the DKIM record in your domain’s DNS as a text (TXT) record.

A DKIM selector is used to connect and decipher these encrypted signatures. The DKIM selector is a string that the outgoing server uses to locate the private key for signing the email message, and that the receiving server uses to locate the public key to verify whether the email message is from a trusted source.

Every time a private/public key pair is generated, a tuple { selector, private key, public key } is created, where the selector is used to locate the private key and the public key.

How do I create a DKIM record for a domain?

  1. Create a list of all sending devices and domains

First, create a list of all the sending devices and domains (such as marketing campaign platforms or invoice generators, also referred to as ESPs) that are authorized to send emails on your behalf.

  2. Generate public and private keys

Generate a private and public key pair using a dedicated tool. The private key stays on the server or service that sends the email, and the public key is published in a DNS text record.

  3. Configure the DNS server with the public key

Now you can create a DKIM TXT record from the domain, selector, and public key. The record name is the authorized domain prefixed with the selector.

How to add the DKIM record to your DNS?

DKIM record DNS settings

You can add the DKIM record by publishing your public key in your DNS as a text (TXT) record. Check with your DNS provider whether the input field accepts more than 255 characters. If it doesn’t, you may have to increase the size or create the TXT record itself. After that, save the private key to your SMTP server or MTA (mail transfer agent).
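The record-building step and the 255-character limit described above, as an added Python example that is not part of the original article. The selector `s2024`, the domain `example.com` and the sample key are assumptions made for illustration, and the key is taken to be RSA.

```python
import base64
import re

MAX_TXT_STRING = 255  # one DNS TXT character-string holds at most 255 bytes
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")

# Constructed stand-in with the length of a 2048-bit RSA public key (294 bytes
# of DER); it is NOT a usable key, only sample input for the functions below.
_B64 = base64.b64encode(bytes(range(256)) + bytes(38)).decode()
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
              + "\n-----END PUBLIC KEY-----\n")


def dkim_record_name(selector, domain):
    """DNS name receivers query for the key: <selector>._domainkey.<domain>."""
    for label in (selector + "." + domain).split("."):
        if not LABEL.match(label):
            raise ValueError("invalid DNS label: %r" % label)
    return "%s._domainkey.%s" % (selector, domain)


def dkim_record_value(public_key_pem):
    """Build the TXT value from a PEM public key, refusing private key material."""
    if "PRIVATE KEY" in public_key_pem:
        raise ValueError("refusing to publish a private key")
    body = "".join(line.strip() for line in public_key_pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    base64.b64decode(body, validate=True)  # raises ValueError on non-base64 input
    return "v=DKIM1; k=rsa; p=" + body


def split_txt(value):
    """Cut the value into strings of at most 255 characters; receivers rejoin them."""
    return [value[i:i + MAX_TXT_STRING] for i in range(0, len(value), MAX_TXT_STRING)]


def zone_line(selector, domain, public_key_pem):
    """Zone-file form of the record, for providers that take raw TXT data."""
    chunks = split_txt(dkim_record_value(public_key_pem))
    quoted = " ".join('"%s"' % chunk for chunk in chunks)
    return "%s. IN TXT ( %s )" % (dkim_record_name(selector, domain), quoted)


if __name__ == "__main__":
    print(zone_line("s2024", "example.com", SAMPLE_PEM))
```
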

How can I test if I set up DKIM correctly?

Once you’ve set up DKIM for an email service, you can send a message to an email address you manage and check the DKIM-Signature and Authentication-Results headers to make sure DKIM passed successfully. You can also use DMARC reports to check that the messages sent using your domain are correctly authenticated with DKIM and SPF. 
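The header check described above, as an added Python example that is not part of the original article. The test message, its domains and the `mx.receiver.example` server name are constructed; `trusted_authserv` is an assumed parameter naming the receiving server whose Authentication-Results header you trust.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed test message; every domain, selector and hash below is made up.
SAMPLE = """\
Authentication-Results: mx.receiver.example; dkim=pass header.d=example.com
 header.s=s2024; spf=pass smtp.mailfrom=example.com
Authentication-Results: forged.example; dkim=pass header.d=example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s2024;
 h=from:to:subject; bh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ=
From: Billing <billing@example.com>
To: me@receiver.example
Subject: DKIM test

test body
"""


def signature_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            name, val = item.split("=", 1)
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags


def dkim_report(raw_message, trusted_authserv):
    """One entry per DKIM-Signature: where its key lives and what the receiver decided."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    report = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = signature_tags(sig)
        d, s = tags.get("d", "").lower(), tags.get("s", "")
        result = "none"
        for ar in msg.get_all("Authentication-Results", []):
            authserv, _, rest = ar.partition(";")
            if authserv.strip().lower() != trusted_authserv:
                continue  # only trust results stamped by your own receiving server
            for m in re.finditer(r"dkim=(\w+)([^;]*)", rest):
                if d and re.search(r"header\.d=" + re.escape(d) + r"(?![\w.-])",
                                   m.group(2), re.I):
                    result = m.group(1).lower()
        report.append({"d": d, "selector": s, "dns_name": "%s._domainkey.%s" % (s, d),
                       "result": result, "matches_from": d == from_domain})
    return report
```

An entry with `result` other than `pass`, or with `matches_from` false, means the signing domain in `d=` is not vouching for the address the recipient sees.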

Relation between DKIM and DMARC

What is DMARC?

DMARC stands for “Domain-based Message Authentication, Reporting, and Conformance.” It is an email authentication, policy, and reporting protocol that is built around both SPF and DKIM.

You might be wondering why DMARC is necessary when both DKIM and SPF are already being used. It ensures that when an email is received, the information in both records matches the “friendly” domain that the user sees and the From address that is contained in the message’s header. A DMARC record is created when you have both SPF and DKIM in place. Many domains don’t have SPF or DKIM set up, so the best way to go about it is through DMARC implementation tools. DMARC setup is similar to that of SPF, as it is a simple one-line entry in the domain’s DNS records. It ties the DKIM and SPF protocols together with a consistent set of policies. You can conduct a DMARC test to verify whether the record is published correctly and to check where your DMARC reports are being sent.


We hope you find this article insightful. You can also hire a DKIM service provider who can make this process easy for you. Since it is a technical process, hiring a service provider will be a better option. ProDMARC assists you in ensuring DMARC implementation with both the company and third-party vendors. ProDMARC, as a product built on a mission to achieve safe and spoofing-free email networks across the entire internet, allows DMARC reporting, providing volumes and patterns of outbound mails, including phishing campaigns, and yields proof of outbound mails’ reliability in terms of SPF, DKIM, and DMARC compliance. Get started with top-class cybersecurity solutions for your business at ProgIST. Get in touch with us for the best cybersecurity solutions.

