DKIM is an email authentication protocol that can bring you higher open rates for your email outreach.
The added security DKIM offers increases your chances of landing in the inbox.
In this guide, we’ll provide all you need to know about DKIM:
DKIM means DomainKeys Identified Mail.
It’s an email security protocol that primarily checks if an email has been tampered with during transit.
Additionally, it verifies if the email sender is authorized to send from that sending domain, providing an extra layer of security and trustworthiness.
Authentication takes place through two cryptographic keys.
The first is the public key, which is part of your DKIM record, and the second is the private key, which only ESPs can access.
The sending email server adds a signature to any outgoing email, which the receiving server can validate using the DKIM record associated with the sending domain.
To understand DKIM better, read our articles on what DKIM is and on how DKIM works.
A DKIM record is a line of text you must add to your domain’s DNS records. It contains the public cryptographic key used for authentication.
The DKIM public keys are made available by your email server provider.
They normally have an option to generate a DKIM string/Public key.
You must then add that line to your domain provider’s DNS settings to create the DKIM record.
The complete record should look like this:
subdomain.yourdomain.com. | CNAME | uXXXXXXX.wlXXX.youresp.com
The first field is your DKIM selector, the second field is the DNS record type (CNAME in this case, but it can also be a TXT record), and the last part is the public key, which your provider supplied.
You need to set up your DKIM to:
DKIM reduces your chances of landing in spam because it confirms you're the real sender and not a spammer.
Setting up DKIM usually starts with your email provider.
That is where you generate the DKIM key.
The next step is to add the key to your domain DNS records. Every domain provider has a setting for this.
Once added, you can go back to your email provider's account and enable DKIM.
For more specific instructions, check out our guide on how to easily set up a DKIM record.
It offers step-by-step guidelines for:
In DKIM, the email authentication "key" refers to a pair of cryptographic keys: a private key and a public key.
When your DKIM is correctly set up, the sending server signs the email using the private key.
When the email is received, the receiving server finds the corresponding public key in the DNS records of the sending domain and uses it to verify the digital signature.
If the signature is valid, it indicates that your email is legitimate and helps you avoid spam.
Yes, you can have multiple DKIM records for a domain.
This is often necessary if you use multiple email service providers.
Each provider will have its unique DKIM signature, and you'll need to add each one to your DNS.
Multiple DKIM records are typically used when you have different sending sources or third-party services that send emails on behalf of your domain. Each sender or service can have its own unique DKIM selector and corresponding record.
Here's how to set up multiple DKIM records:
1. Determine the Need for Multiple DKIM Records:
You might need multiple records if you're using various email services (like Mailchimp, SendGrid, etc.) or multiple internal sending systems, and you want each to have its own DKIM signature.
2. Choose a Selector for Each DKIM Record:
The selector is a string used to differentiate between different DKIM records in your domain's DNS. For example, if you use Mailchimp and SendGrid, you might choose selectors like Mailchimp and Sendgrid.
3. Generate the DKIM Keys:
Most third-party email services will provide you with the necessary DKIM information to set up your DKIM record. If you're setting it up internally, you'll need to use tools or software to generate the DKIM key pair.
4. Add DKIM Records to DNS:
With your selector and DKIM information in hand, you'll create TXT or CNAME records in your domain's DNS.
The name of the record typically follows the format: selector._domainkey.yourdomain.com.
The value of the TXT record will be the public key provided by the email service or generated by your tool.
5. Test the Setup:
After setting up the DKIM records, it's a good idea to send test emails to ensure they're being correctly signed and that recipients can validate the signatures.
6. Rotate and Maintain:
For security reasons, periodically rotate your DKIM keys. This involves generating new keys, updating your DNS records, and updating the sending service to use the new private key.
By following these steps for each sending source or service, you can maintain multiple DKIM records for a single domain, enhancing the deliverability and trustworthiness of the emails you send.
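One way to run the test step across every selector, as an added example (not from the original guide or any provider's tooling): it checks each selector's key record for a missing record, a revoked key (empty `p=`), malformed base64, and the `t=y` testing flag defined in RFC 6376. The `ZONE` dictionary, the selector names and the key value are constructed placeholders standing in for already-resolved DNS TXT answers.

```python
import base64
import binascii

# Constructed placeholder, NOT a real public key; ZONE stands in for DNS TXT answers.
FAKE_KEY = base64.b64encode(b"constructed placeholder key bytes").decode()
ZONE = {
    "mailchimp._domainkey.yourdomain.com": f"v=DKIM1; k=rsa; p={FAKE_KEY}",
    "sendgrid._domainkey.yourdomain.com": f"v=DKIM1; k=rsa; t=y; p={FAKE_KEY}",
    "old2022._domainkey.yourdomain.com": "v=DKIM1; k=rsa; p=",  # rotated out
    "crm._domainkey.yourdomain.com": "v=DKIM1; k=rsa; p=MIIBIjAN(cut off)",
}

def parse_tags(value):
    """Split a DKIM tag list ("a=b; c=d") into a dict; folding whitespace is dropped."""
    pairs = (part.partition("=") for part in value.split(";") if "=" in part)
    return {name.strip(): "".join(val.split()) for name, _, val in pairs}

def audit_selector(selector, domain, zone):
    """Return (status, detail) for the key record of one selector."""
    name = f"{selector}._domainkey.{domain}"
    txt = zone.get(name)
    if txt is None:
        return "missing", f"no TXT record at {name}"
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return "invalid", "v= is present but is not DKIM1"
    if "p" not in tags:
        return "invalid", "record has no p= tag"
    if tags["p"] == "":
        return "revoked", "empty p= marks the key as revoked"
    try:
        base64.b64decode(tags["p"], validate=True)
    except binascii.Error:
        return "invalid", "p= is not valid base64 (truncated or mangled paste?)"
    if "y" in tags.get("t", "").split(":"):
        return "testing", "t=y: domain is in DKIM testing mode"
    return "ok", name

if __name__ == "__main__":
    for sel in ("mailchimp", "sendgrid", "old2022", "crm", "hubspot"):
        print(sel, *audit_selector(sel, "yourdomain.com", ZONE))
```

After a key rotation, the old selector should report `revoked` or `missing` and the new one `ok`.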
Both SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are technical settings that help you verify your identity as a sender. While both aim for secure email communication, their mechanisms and purposes differ.
What's the difference in their purpose?
SPF ➡️ This method allows the domain owner to specify which servers are sanctioned to send emails for a domain.
DKIM ➡️ Using cryptographic signatures, DKIM ensures that an email is genuinely from the claimed domain and that its data remains unchanged in transit.
What's the difference in their mechanism?
SPF ➡️ The domain owner lists authorized servers in DNS using a TXT record. When the recipient's server receives an email, it queries this record to verify if the email came from an allowed server.
DKIM ➡️ The sending server appends a DKIM-Signature header field to the email. This signature is a hash created using a private key. The recipient, or verifier, retrieves the domain's cryptographic public key from the DNS to validate this signature.
What's the difference in their fields and selectors?
SPF ➡️ This method operates based on the "MAIL FROM" domain.
DKIM ➡️ The DKIM header contains several tags. One crucial tag is the "selector" (often called the DKIM selector), which helps the receiver locate the appropriate DKIM record in the DNS for signature verification.
What's the difference in their limitations?
SPF ➡️ It checks only the envelope sender, not the visible "From" header, potentially allowing some spoofing instances.
DKIM ➡️ While it verifies the integrity of the email content, it doesn't inherently specify which servers are authorized to send emails from the domain.
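What a verifier does with the header tags described above, as an added example (not code from the original guide): it reads `s=` and `d=` to build the DNS name of the key record and recomputes the body hash carried in `bh=`, which is how a changed body is detected. It goes beyond the text by implementing the relaxed body canonicalization from RFC 6376, and it covers only the `bh=` check, not the RSA verification of `b=`; the message, domain and selector are constructed.

```python
import base64
import hashlib
import re

def parse_tags(value):
    """Split a DKIM tag list ("a=b; c=d") into a dict; folding whitespace is dropped."""
    pairs = (part.partition("=") for part in value.split(";") if "=" in part)
    return {name.strip(): "".join(val.split()) for name, _, val in pairs}

def relaxed_body(body):
    """RFC 6376 "relaxed" body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of spaces/tabs to one space, then drop whitespace at line ends.
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at the end of the body
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)

def body_hash(body):
    """Value a signer places in bh= when a=rsa-sha256."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

# Constructed message: bh= is computed the way a signer would; b= is a placeholder.
SENT_BODY = b"Hi Ana,\r\nYour invoice is attached.\r\n"
HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; s=sendgrid;\r\n"
          "\th=from:to:subject; bh=" + body_hash(SENT_BODY) + "; b=PLACEHOLDER")

def check_message(header_value, received_body):
    """Return (DNS name of the key record, True if the body still matches bh=)."""
    tags = parse_tags(header_value)
    # c= is "header/body"; a missing body part defaults to "simple".
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    if tags.get("a") != "rsa-sha256" or body_canon != "relaxed":
        raise ValueError("this example handles only a=rsa-sha256 with relaxed body")
    lookup = f"{tags['s']}._domainkey.{tags['d']}"
    return lookup, tags["bh"] == body_hash(received_body)

if __name__ == "__main__":
    print(check_message(HEADER, SENT_BODY))
    print(check_message(HEADER, b"Hi Ana,\r\nYour invoice has changed.\r\n"))
```

Whitespace changes that mail relays commonly introduce (trailing spaces, extra blank lines at the end) leave the relaxed hash unchanged, while any change to the text does not.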
As you probably know, with just a DKIM record, your technical setup isn’t complete yet.
You also need to set up your:
A well-configured technical setup will help you stay out of the spam folder.
Use our email authentication checker to check if your authentication records are in order.
Finally, another must-do is email warm-up.
If your email address or sending domain is new, it lacks a good sender reputation to get acceptable open rates.
Email warm-up services like lemwarm warm up your email by gradually increasing sending volume and frequency.
All of lemwarm’s features have been designed to help you land in the inbox.