A DKIM (Domain Keys Identified Mail) record is a DNS TXT record used to verify that the "from" domain listed in the record matches that of the DKIM-signed message. By itself, this is not foolproof. For additional security, see DMARC.
What does the DKIM record look like?
A DKIM record has several parts, shown below:
|Destination Selector||DKIM Prefix||Your Domain||IN TXT||Record Parameters|
|scph0850a||_domainkey||subdomain.yourdomain.com||IN TXT||"v=DKIM1\; k=rsa\; p=MFwwDQY. . . .cNs/31AwEAAQ=="|
The full record would be:
scph0850a._domainkey.subdomain.yourdomain.com IN TXT "v=DKIM1\; k=rsa\; p=MFwwDQY. . . .cNs/31AwEAAQ=="
What do the parts of the DKIM record mean?
The destination selector allows a domain owner to maintain multiple DKIM entries. The DKIM prefix
_domainkey is a standardized prefix informing the mail server to check for the DKIM policy associated with the listed domain. IN TXT is the separator between the destination domain and the record tags. Record tags and their meanings are summarized in the following table.
|v||This identifies the TXT record as a DKIM record.||Required; must be set to
|h||This determines which hash functions are allowable.||Required; must be set to
|p||This is used to decrypt the signature made at send time, allowing the receiving server to verify the sender's identity.||Required; must be the sender's public key encrypted using the algorithm specified in the k tag, below.|
|k||This tells the receiving server which algorithm was used to encrypt the public key.||Optional; defaults to
How does DKIM work?
A DKIM-signed message functions via asymmetric key cryptography. The message is signed using the private key at send time. Upon receipt of the message by the destination mail server, the signature is verified using the public key stored in the DKIM record belonging to the "from" domain of the message.
Why should I implement DKIM?
Properly-implemented DKIM means that if a bad actor sends a message with a falsified "from" domain in an attempt to impersonate your brand, the message's signature won't be verifiable, and the mail will be treated as "unverified" by the receiving server. What this means will depend on the server itself; however, DMARC can be used to provide more strict instructions, such as deleting the offending message.
Verifying messages increases the likelihood that they will be delivered to the inbox. Conversely, unverified messages are more likely to end up in the spam folder and may even get bounced.
Is this a record that needs frequent updating?
If you change your "from" domain or your private key, you will need to update your DKIM to match. Otherwise, no, the DKIM record will not need to be changed.
- RFC 6376 (Link retrieved May 11th, 2022): Current official specifications for DKIM. (RFCs are official specifications, so they're generally written in very dense technical language.)