DKIM Validator
DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect email spoofing by adding a digital signature linked to a domain name to each outgoing email message. DKIM allows the receiver to verify that an email claimed to have come from a specific domain was indeed authorized by the owner of that domain.
DKIM Validator Tool
Our DKIM Validator tool helps you check if your DKIM record is correctly configured and valid.
What is DKIM?
DomainKeys Identified Mail (DKIM) is an email authentication protocol that adds a digital signature to outgoing email messages. This signature allows receiving mail servers to verify that the message was sent by an authorized sender and that the message hasn't been altered during transit.
DKIM works by adding a digital signature to the email header, which is generated using a private key. The receiving mail server can then verify this signature using the public key published in the sender's DNS records.
How DKIM Works
- Key Generation: The domain owner generates a pair of cryptographic keys: a private key (kept secure on the mail server) and a public key (published in the domain's DNS).
- Signing: When an email is sent, the mail server uses the private key to generate a digital signature based on selected parts of the email. This signature is added to the email header as a "DKIM-Signature" field.
- Sending: The email, now containing the DKIM signature, is sent to the recipient's mail server.
- Verification: The receiving mail server extracts the DKIM signature and the domain name from the email header.
- DNS Lookup: The receiving server looks up the public key in the sender's DNS records.
- Validation: The receiving server uses the public key to verify the signature. If the signature is valid, it confirms that the email was sent by an authorized sender and hasn't been altered.
- Delivery: Based on the validation result, the receiving server decides how to handle the email (deliver, mark as suspicious, or reject).
DKIM Record Format
A DKIM record is a TXT record in your domain's DNS. The record is published at a specific location determined by the selector:
[selector]._domainkey.[domain]
For example, if your selector is "mail" and your domain is "example.com", the DKIM record would be published at:
mail._domainkey.example.com
The content of the DKIM record typically looks like this:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...
Where:
- v=DKIM1: Version of DKIM being used
- k=rsa: Key type (RSA is the most common)
- p=...: The public key in base64 encoding
Additional optional tags include:
- t=y: Testing mode (receivers should not reject emails if signature validation fails)
- s=email: Service type (defaults to "*" for all services)
- n=...: Notes (human-readable information)
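The checks a record validator performs can be shown in code. The following is an added example written for this page, not the code behind the DKIM Validator tool. It uses only the Python standard library: it joins the quoted strings of a TXT record, splits the tag list, decodes p= and walks the DER SubjectPublicKeyInfo far enough to read the RSA modulus size. The sample record is constructed around a fake 2048-bit modulus (the top bit set, no real key material), and the minimal DER encoder exists only to build that sample.

```python
import base64
import binascii

# ---- minimal DER helpers (stdlib only; enough for RSA SubjectPublicKeyInfo) ----

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(value: int) -> bytes:
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:          # DER INTEGERs are signed: keep the value positive
        body = b"\x00" + body
    return _der_tlv(0x02, body)

def build_rsa_spki(n: int, e: int = 65537) -> bytes:
    """DER-encode an RSA public key as SubjectPublicKeyInfo, the form DKIM publishes in p=."""
    rsa_oid = bytes.fromhex("06092a864886f70d010101")    # OID 1.2.840.113549.1.1.1 (rsaEncryption)
    alg_id = _der_tlv(0x30, rsa_oid + b"\x05\x00")       # AlgorithmIdentifier with NULL params
    rsa_key = _der_tlv(0x30, _der_int(n) + _der_int(e))  # RSAPublicKey ::= SEQUENCE { n, e }
    return _der_tlv(0x30, alg_id + _der_tlv(0x03, b"\x00" + rsa_key))

def _der_read(buf: bytes, pos: int):
    """Return (tag, body, position after this TLV) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki: bytes) -> int:
    """Walk the SPKI structure down to the RSA modulus and return its size in bits."""
    tag, outer, _ = _der_read(spki, 0)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    _, _, pos = _der_read(outer, 0)                       # skip AlgorithmIdentifier
    tag, bit_string, _ = _der_read(outer, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING holding RSAPublicKey")
    _, rsa_key, _ = _der_read(bit_string[1:], 0)          # first byte = unused-bit count
    tag, modulus, _ = _der_read(rsa_key, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()

# ---- DKIM TXT record parsing and checks ----------------------------------------

def split_txt_strings(value: str, chunk: int = 255) -> list:
    """Split a long value into the <=255-byte character-strings a TXT record carries."""
    return [value[i:i + chunk] for i in range(0, len(value), chunk)]

def parse_dkim_record(strings) -> dict:
    """Join the TXT character-strings, then split the tag=value list on ';'."""
    text = strings if isinstance(strings, str) else "".join(strings)
    tags = {}
    for part in text.split(";"):
        if not part.strip():
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[name.strip()] = "".join(value.split())       # folding whitespace inside values is ignored
    return tags

def validate_dkim_record(strings, min_bits: int = 2048) -> list:
    """Return the problems found; an empty list means the record passed every check."""
    try:
        tags = parse_dkim_record(strings)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append(f"unsupported version {tags['v']!r}")
    key_type = tags.get("k", "rsa")
    if key_type not in ("rsa", "ed25519"):
        problems.append(f"unknown key type {key_type!r}")
    if "p" not in tags:
        problems.append("missing p= tag")
    elif tags["p"] == "":
        problems.append("empty p= tag: this key has been revoked")
    else:
        try:
            key_bytes = base64.b64decode(tags["p"], validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
        else:
            if key_type == "rsa":
                try:
                    bits = rsa_modulus_bits(key_bytes)
                except (ValueError, IndexError):
                    problems.append("p= does not decode to an RSA SubjectPublicKeyInfo")
                else:
                    if bits < min_bits:
                        problems.append(f"RSA key is only {bits} bits (want at least {min_bits})")
            elif len(key_bytes) != 32:
                problems.append("ed25519 p= must be the raw 32-byte public key")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y: testing mode, receivers will not enforce verification failures")
    return problems

def sample_record(bits: int, extra: str = "") -> list:
    """Constructed record around a fake modulus of the given size (top bit set, not a real key)."""
    spki = build_rsa_spki((1 << (bits - 1)) | 0x10001)
    return split_txt_strings("v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode("ascii") + extra)

SAMPLE_RECORD = sample_record(2048)

if __name__ == "__main__":
    print(validate_dkim_record(SAMPLE_RECORD))          # [] -> record is valid
    print(validate_dkim_record(sample_record(1024)))    # flags the short key
```

`validate_dkim_record` accepts either the joined text or the list of strings a resolver returns, so it handles the usual case of a 2048-bit key published as two quoted strings. The DER walk stops at the modulus; it makes no attempt to verify a signature, which is the job of the signature check described later on this page.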
DKIM Signature Header
When an email is signed with DKIM, a "DKIM-Signature" header is added to the email. This header contains several fields that are used for verification:
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mail; c=relaxed/relaxed; q=dns/txt; t=1623456789; h=from:to:subject:date; bh=...base64...; b=...base64...
Key fields in the DKIM signature:
| Field | Description | Example |
|---|---|---|
| v | Version | v=1 |
| a | Algorithm used for the signature | a=rsa-sha256 |
| d | Domain that signed the email | d=example.com |
| s | Selector used to find the public key | s=mail |
| c | Canonicalization algorithm for header/body | c=relaxed/relaxed |
| h | Headers included in the signature | h=from:to:subject:date |
| bh | Body hash (hash of the email body) | bh=...base64... |
| b | The actual signature | b=...base64... |
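The receiving side's first two verification steps, checking bh= and rebuilding the exact bytes that b= was computed over, are shown below as an added example (not the tool's code). It implements the relaxed/relaxed canonicalization from RFC 6376 with the standard library only; the message headers, body and DKIM-Signature value are constructed, and because no key is present the b= value is left empty. The final RSA check, which would take the returned bytes, the b= value and the public key from DNS, is not performed.

```python
import base64
import hashlib
import hmac
import re

def parse_dkim_signature(header_value: str) -> dict:
    """Split the DKIM-Signature tag list into a dict; folding whitespace inside values is dropped."""
    tags = {}
    for part in header_value.split(";"):
        if not part.strip():
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[name.strip()] = "".join(value.split())
    return tags

def relaxed_body(body: str) -> str:
    """RFC 6376 s3.4.4 relaxed body canonicalization: collapse runs of WSP to one space,
    drop trailing WSP on each line, drop trailing empty lines, end every line with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ")
             for line in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)

def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 s3.4.2 relaxed header canonicalization: lowercase name, unfold, collapse
    WSP, strip WSP around the colon and at the end of the value."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)            # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")
    return f"{name.strip().lower()}:{value}\r\n"

def body_hash(body: str, algorithm: str = "sha256") -> str:
    """Compute the bh= value: base64 of the digest over the canonicalized body."""
    digest = hashlib.new(algorithm, relaxed_body(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def verify_body_hash(body: str, sig_tags: dict) -> bool:
    """Step 1 of verification: does the body still hash to the bh= the signer recorded?"""
    algorithm = sig_tags.get("a", "rsa-sha256").split("-", 1)[1]   # "rsa-sha256" -> "sha256"
    return hmac.compare_digest(body_hash(body, algorithm), sig_tags["bh"])

def signed_data(headers: list, sig_tags: dict, dkim_sig_raw: str) -> bytes:
    """Step 2: rebuild the exact bytes the signer's private key signed. The receiver hands
    these bytes, the b= value and the public key from DNS to the RSA verification."""
    remaining = list(headers)                               # (name, value) pairs in message order
    out = []
    for wanted in sig_tags["h"].split(":"):
        # RFC 6376 s5.4.2: each h= entry consumes the bottom-most unused instance of that field
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                out.append(relaxed_header(*remaining.pop(i)))
                break
    # the DKIM-Signature header itself is included last, with the b= value blanked out
    blank_b = re.sub(r"(^|[;\s])b=[^;]*", r"\1b=", dkim_sig_raw)
    out.append(relaxed_header("DKIM-Signature", blank_b).rstrip("\r\n"))
    return "".join(out).encode("utf-8")

# Constructed sample message (no real signature: there is no key, so b= is left empty).
SAMPLE_HEADERS = [
    ("Received", "from mx.example.net by mail.example.org"),
    ("From", "Alice <alice@example.com>"),
    ("To", "Bob <bob@example.org>"),
    ("Subject", "DKIM   test"),
    ("Date", "Sat, 12 Jun 2021 00:13:09 +0000"),
]
SAMPLE_BODY = "Hello   world \r\n\r\nThis is a  test.\r\n\r\n\r\n"
SAMPLE_SIG = ("v=1; a=rsa-sha256; d=example.com; s=mail; c=relaxed/relaxed; q=dns/txt; "
              "t=1623456789; h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY) + "; b=")

if __name__ == "__main__":
    tags = parse_dkim_signature(SAMPLE_SIG)
    print("body hash ok:", verify_body_hash(SAMPLE_BODY, tags))
    print(signed_data(SAMPLE_HEADERS, tags, SAMPLE_SIG).decode())
```

Running it shows why relaxed canonicalization matters: a copy of the body with the extra spaces and trailing blank lines removed still verifies, while changing a single letter of the text does not. Note also that the `Received` header never enters the signed data because it is not listed in h=, which is why the page recommends listing the headers that matter.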
Implementing DKIM
Implementing DKIM involves several steps:
- Generate a key pair: Create a public/private key pair for signing emails.
- Configure your mail server: Set up your mail server to sign outgoing emails using the private key.
- Publish the public key: Add a TXT record to your domain's DNS that contains the public key.
- Test the configuration: Send test emails and verify that they are properly signed and can be validated.
The exact steps vary depending on your mail server software and DNS provider. Here are general instructions for some common setups:
Postfix with OpenDKIM
- Install OpenDKIM: apt-get install opendkim opendkim-tools
- Generate keys: opendkim-genkey -s mail -d example.com
- Configure OpenDKIM in /etc/opendkim.conf
- Add the domain and selector to /etc/opendkim/KeyTable and /etc/opendkim/SigningTable
- Configure Postfix to use OpenDKIM
- Add the public key to your DNS as a TXT record at mail._domainkey.example.com
Google Workspace
- Sign in to the Google Admin console
- Go to Apps > Google Workspace > Gmail > Authenticate email
- Click "Generate new record" in the DKIM section
- Select your domain and key length (2048-bit recommended)
- Click "Generate"
- Copy the TXT record information provided by Google
- Add the TXT record to your DNS at the specified location
- Return to the Google Admin console and click "Start authentication"
Microsoft 365
- Sign in to the Microsoft 365 admin center
- Go to Settings > Domains
- Select your domain
- Click "DNS records"
- Click "Add custom record"
- Select "TXT" as the record type
- Enter the selector (usually "selector1" or "selector2") followed by "._domainkey" in the Host field
- Enter the DKIM value provided by Microsoft in the TXT Value field
- Save the record
- Return to the Microsoft 365 admin center and enable DKIM signing
DKIM Best Practices
Use strong keys
Use RSA keys with at least 2048 bits. Shorter keys (1024 bits) are becoming increasingly vulnerable to attacks.
Sign all outgoing emails
Configure your mail server to sign all outgoing emails, not just some of them. This helps build a consistent reputation.
Include important headers in the signature
At a minimum, include the From, To, Subject, and Date headers in your DKIM signature. This helps prevent header manipulation.
Rotate keys regularly
Rotate your DKIM keys periodically (e.g., every 6-12 months) to maintain security. Use different selectors for each key to allow for smooth transitions.
Use multiple selectors
If you send email from multiple sources (e.g., marketing platform, transactional emails, etc.), use different selectors for each source. This makes it easier to manage and troubleshoot.
Implement DKIM alongside SPF and DMARC
For the most comprehensive email authentication, implement DKIM alongside SPF and DMARC. These three protocols work together to provide the best protection against email spoofing.
Common DKIM Issues
Incorrect DNS record format
DKIM records must follow a specific format. Common errors include missing quotes, incorrect tags, and malformed public keys. Use our DKIM Validator tool to check your record format.
DNS record size limitations
Some DNS providers limit the size of TXT records. If your DKIM record is too large (especially with 2048-bit keys), you may need to split the value into multiple quoted strings within the TXT record or use a DNS provider that supports larger records.
Mail server not signing emails
If your mail server is not properly configured to sign emails, they will be sent without DKIM signatures. Check your mail server configuration and logs to ensure signing is enabled and working.
Key mismatch
If the private key used for signing doesn't match the public key in your DNS, signature validation will fail. Ensure that you're using the correct key pair.
Email modification in transit
If an email is modified in transit (e.g., by a mailing list or a forwarding service), the DKIM signature may become invalid. Use the "relaxed" canonicalization algorithm to allow for minor modifications.
DKIM Validation Tool
Our DKIM Validator tool helps you check if your DKIM record is correctly configured and valid. It checks for:
- Correct record format
- Valid public key
- Appropriate key length
- Proper selector configuration
- Other common DKIM issues
Next Steps
To learn more about email authentication, explore:
- SPF Validator - Learn how to create and validate SPF records
- DMARC Analyzer - Explore DMARC policies and reporting
- Email Authentication Best Practices - Comprehensive guide to email security