
Understanding DKIM: How it works and why it’s necessary

You may know DKIM as an added layer of authentication for email. It proves you are who you claim to be through records and a secure signature. Did you also know that DKIM can help with deliverability?

Are you who you say you are, or are you a spoofer in disguise? Answering this question is what DKIM is all about.

As email usage and capabilities continue to grow, it’s important to make sure that your sender reputation is staying positive and secure. One of the best ways to do this is to use DKIM (DomainKeys Identified Mail). If the idea of yet another email acronym is throwing you off, don’t be alarmed.

Below, we’ll walk through the basics and benefits of DKIM to illuminate its purpose and value to sender reputation.

What is DKIM?

DKIM is an email authentication protocol that your email recipients can use to verify you are the true sender of a message. It ensures that nobody has used your domain or other identifiers to impersonate you or your company. DKIM has become an authentication standard in the email world necessary for both bulk marketing and transactional campaigns. A message sent without DKIM and/or SPF can be considered suspicious by different email analysis tools.

How does DKIM work?

DKIM is a tale of two keys. One key is private, kept by your SMTP server or sending service and used to sign outgoing messages. The other is a public key registered in the DNS that others can use to verify your sender identity. The receiving mail server never sees the private key; it uses the public key to check the signature attached to each message. A signature that verifies opens the door to deliverability. A signature that fails triggers alarms and can land you in spam.

Image shows DKIM signature sent to the receiving mail server which validates it against the public DKIM key and sends it to the inbox or to spam if the keys do not match.

There are a few important elements in DKIM authentication, including DKIM signatures and DKIM records. Let’s see what they are and what role they play in this process.

What is a DKIM signature?

The main component of DKIM is the DKIM signature, a header that is attached to your email messages which your recipient can use for verification. How you generate DKIM keys varies depending on your provider but some basic recurring variables of the signature are:

  • “d=” refers to the signing domain. Together with the selector (“s=”), it tells the recipient where to find the public key in DNS. Messages from Mailgun are identified as “d=mailgun.com”.

  • “b=” refers to the message’s unique DKIM signature of headers and body, encoded with Base64.

  • “bh=” refers to the hash of the canonicalized message body, encoded with Base64, so the recipient can verify that the body was not changed in transit. It does not contain your private key.

Image shows a cURL example of a DKIM signature with examples of the variables from the previous list.

Did you know? Base64 is used to safely carry data that has been encrypted, or stored, in a binary format over channels that usually only support text, like HTML and CSS.

Just like with adding your John Hancock to a document, your DKIM signature should be the last thing added to an outbound message. Why? Modifications to an email’s content or its signed headers will alter its cryptographic hash (a fingerprint of the email content that is covered by the signature), and the signature will no longer verify. Once sent, your DKIM signature, created with your private key, is validated by the recipient server using your public key. The private key itself never leaves the sending side.

What is a DKIM record?

A DKIM record is part of your DNS records. Its purpose is to store the public domain key(s) – string of randomly generated characters – you use for DKIM. A simplified way of looking at it is to say that a DNS record is a listing of a domain and its IP address, and the DKIM record is a TXT record among your domain’s DNS records that contains a key used for email authentication.

If you don’t set up a DKIM record with your personal domain information, some email providers, like Google Mail, use their own default DKIM in your messages. However, it is always best to create your own specific DKIM records. Specific, endorsed records make verification and troubleshooting easier for both sender and recipient.

Need to set up multiple keys for your domain? Use a DKIM selector to set up multiple delivery services from a domain, or to send from a subdomain.
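
To make the signature tags and the selector lookup concrete, here is an added Python example (not Mailgun's code) that parses a DKIM-Signature value, derives the DNS name where the public key is published, and rechecks the body hash. The message, the selector s1 and the domain example.com are constructed; the code assumes a=rsa-sha256 with no l= tag and does not verify the b= signature itself, which needs the public key and an RSA library.

```python
import base64
import hashlib
import re

def parse_tag_list(value):
    """Split a DKIM tag=value list into a dict (names and values trimmed)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")  # Base64 padding '=' stays in val
            tags[name.strip()] = re.sub(r"\s+", "", val)  # folding is not significant
    return tags

def canonicalize_body(body, mode):
    """Body canonicalization per RFC 6376: 'simple' or 'relaxed'."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of spaces/tabs and drop whitespace at line ends.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # trailing empty lines are ignored in both modes
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def check_signature_header(header_value, body):
    """Return the public-key DNS name and whether bh= matches the body."""
    tags = parse_tag_list(header_value)
    canon = tags.get("c", "simple/simple").split("/")
    body_mode = canon[1] if len(canon) > 1 else "simple"
    digest = hashlib.sha256(canonicalize_body(body, body_mode)).digest()
    return {
        "dns_name": f"{tags['s']}._domainkey.{tags['d']}",
        "body_hash_ok": base64.b64encode(digest).decode() == tags["bh"],
    }

# Constructed sample, not a real message. bh is computed here from the
# canonical body so the example stays self-consistent; b= is a placeholder.
BODY = b"Hello  world \r\nThanks\r\n\r\n"
_BH = base64.b64encode(hashlib.sha256(b"Hello world\r\nThanks\r\n").digest()).decode()
HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1;\r\n"
          f" h=from:to:subject; bh={_BH};\r\n b=PLACEHOLDERSIGNATURE=")

if __name__ == "__main__":
    print(check_signature_header(HEADER, BODY))
    print(check_signature_header(HEADER, BODY.replace(b"Thanks", b"Pay now")))
```

The second call shows why the signature must be added last: any change to the body after signing produces a different hash than the one recorded in bh=.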

What are DKIM record checks?

A DKIM record check is pretty much what it sounds like – it means that you’re validating DKIM records to ensure they’re correct. DKIM record checks are particularly useful if you’re sending emails via SMTP. SMTP protocols don’t automatically include these layers of authentication, making them more vulnerable to spam and email-based hacks than sending via API.

DKIM record checks show the domain used to sign the DKIM signature, and validate that the email was authorized by the domain owner. Curious how to verify a record? Try it out with this handy DKIM checker tool.

Why is DKIM important?

DKIM provides protection for the reputation of your organization and the integrity of its email program. It offers domain protection against phishing and “spoofing” scams, especially when used with DMARC and SPF. DKIM is difficult to spoof since it detects inconsistencies in email headers and other unauthorized changes.

What are the benefits of DKIM?

Additionally, DKIM boosts your reputation. Because your messages can be verified, they are more likely to be trusted and recognized. Knowing that your emails are secure helps recipients feel more comfortable when they’re in contact with you. This can lead to more two-way communication between you and your email list, and help strengthen relationships with your customers.

DKIM helps ensure deliverability. Without a DKIM signature and valid records, recipients’ SMTP servers are significantly more likely to block your emails or mark them as spam. Remember we said that SMTP doesn’t have built-in layers of authentication? Well, if you provide it you’re that much more likely to land in the inbox.

How to set up DKIM with Mailgun

Mailgun requires a verified DKIM key via DNS check before a domain can send from its platform. Keep your messages as secure as possible by customizing your key. Instead of using a provider’s standard DKIM, you’re prompted to set up verification details that are specific to your domain and are associated with your organization. This keeps your emails easily identifiable by recipients—and it keeps your DKIM records recognizable and changeable for you and your team.

Below is a step-by-step guide on how to customize your DKIM with Mailgun.

Verify your domain

Add a domain you own and verify it by setting up the DNS record we provide (this is the DKIM record) at your DNS provider. An example is below.

1. Add your domain or subdomain in the Domains tab of the Mailgun control panel, or via the API.

2. Choose your DKIM key length. Longer keys equal more protection from spammers.

Add your records

3. Open your DNS provider and add the DKIM TXT DNS record provided. This record can be found in the Domain Verification & DNS section of the domain settings page of the Mailgun control panel.

4. If you want Mailgun to track clicks and opens you can also add the CNAME record.

5. MX records should also be added, unless you already have MX records for your domain pointed at another email service provider (e.g., Gmail).

Once you’ve added the records and they’ve propagated, your domain will be verified. Note: it can take 24-48 hours for DNS changes to be verified.

Common DNS Provider Documentation

Common providers are listed below. If yours is not listed, contact your DNS provider for assistance:

Now you’re all set! If you get stuck, check out our documentation for more in-depth information on DKIM and step-by-step setup guides.

What you need to remember about DKIM and its usage

Why be vulnerable when you can be validated? DKIM is cryptographic proof of your sender identity. It’s a useful tool that you can (and should) use to send email to your mailing list. By “signing” your emails, you signal that your organization is trustworthy.

DKIM offers your recipients protection from fraud, and boosts your sender reputation and deliverability rate by confirming your identity. It’s a small but crucial step – alongside other best practices, like cleaning and validating your email list – that strengthens your email program.

Need more help convincing mailbox providers you're really not a spammer in disguise? Learn more about email authentication, SPF, and DMARC, in our blog, and subscribe to our newsletter to stay in the loop.
