DomainKeys Identified Mail (DKIM) is an email authentication method that allows the recipient of an email to verify that the message was signed by the owner of the sending domain and has not been spoofed. This helps detect phishing attempts or spam in which the sender uses a forged email address of an innocent party. The DKIM public key is published in a TXT record in the domain's DNS entries.
What is a TXT record?
A TXT record is short for text record. This type of record can be used to store any human-readable information about a server, network, data center or other administrative details. DKIM also uses a TXT record to store the public key that is used to verify the email signature.
Configuring the DKIM public and private keys
Below are the major steps required to enable DKIM in your emails:
- Choose a simple, user-defined text string, called the selector. This selector will later be linked to a public key.
- Generate a public-private key pair by using a tool such as ssh-keygen on Linux or PuTTYgen on Windows.
- Create a DKIM TXT record in the DNS entries to publish the selector and public key.
- Configure your mail server with the private key to enable sending emails with the DKIM token. You will need to refer to your specific mail server guide to do this.
Creating the DKIM entry in the DNS
Example of a DKIM entry below:
Replace <your public key> with the public key generated in step 2 above. In our example, default is our selector.
Verifying the DKIM signature
Once the DKIM private key has been configured in your mail server, your outgoing emails should now carry the DKIM signature.
Example of a DKIM signature below:
c=relaxed/simple; q=dns/txt; l=1234; t=1117574938; x=1118006938;
h=from:to:subject:date:keywords:keywords;
bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR
When the receiving mail server gets your email, it uses the domain name and selector from the signature to perform a DNS lookup for the TXT resource record default._domainkey.example.net. In our example, example.net is the author domain to be verified against, while default is our published selector.
Meaning of the fields in the signature:
- v is the DKIM version,
- a is the signing algorithm,
- b is the hash of the headers and body,
- bh is the hash of the body,
- d is the domain,
- s is the selector,
- c is the canonicalization algorithm(s) for header and body,
- q is the default query method,
- l is the length of the canonicalized part of the body that has been signed,
- t is the signature timestamp,
- x is the signature's expiry time, and
- h is the list of signed header fields, repeated for fields that occur multiple times.
The TXT record returned by the DNS query contains the public key. The receiver uses it to decrypt the signed hash carried in the b= field and, at the same time, recalculates the hash of the mail message (headers and body) as it was received. If the two values match, this cryptographically proves that the mail was signed by the indicated domain and has not been tampered with in transit.
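To make the verifier's side of this concrete, here is an added Python example (not code from the original page) that parses the tag=value list of a DKIM-Signature header, derives the selector._domainkey.domain name to look up, checks the t=/x= window, and recomputes the body hash (bh=) with the simple and relaxed body canonicalizations of RFC 6376 so that a tampered body is detected. The sample header is constructed around the page's example; its v=, a= and b= values are assumptions, and the RSA check of b= itself is out of scope.

```python
import base64
import hashlib
import re

# Constructed sample (page's domain example.net / selector default); v=, a= and b= are assumed values.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; d=example.net; s=default;\r\n"
    "\tc=relaxed/simple; q=dns/txt; l=1234; t=1117574938; x=1118006938;\r\n"
    "\th=from:to:subject:date:keywords:keywords;\r\n"
    "\tbh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=; b=dzdVyOfAKCdLXdJOc9G2q8Lo")

def parse_tags(value):
    """Split a DKIM tag=value list (signature header or TXT record) into a dict, dropping folding whitespace."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            name, val = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def dns_query_name(tags):
    """Name the verifier looks up in DNS: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def signature_expired(tags, now):
    """True when 'now' (Unix time) lies outside the t= .. x= validity window."""
    if int(tags.get("t", 0)) > now:          # signed in the future: treat as invalid
        return True
    return "x" in tags and now >= int(tags["x"])

def canonicalize_body(body, method):
    """Body canonicalization of RFC 6376 section 3.4: 'simple' or 'relaxed'."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")   # normalise line ends
    if method == "relaxed":                   # trim line-end WSP, collapse WSP runs
        body = b"\r\n".join(re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in body.split(b"\r\n"))
    body = re.sub(rb"(\r\n)*$", b"", body)    # drop all trailing empty lines
    if method == "simple":
        return body + b"\r\n"                 # simple: body always ends in one CRLF
    return body + b"\r\n" if body else b""    # relaxed: an empty body stays empty

def body_hash(body, method, length=None):
    """Recompute bh=: base64(SHA-256) of the canonical body, cut at l= bytes if given."""
    canon = canonicalize_body(body, method)
    return base64.b64encode(hashlib.sha256(canon[:length]).digest()).decode()

def check_body_hash(tags, body):
    """Compare the header's bh= with a fresh hash of the body that actually arrived."""
    parts = tags.get("c", "simple").split("/")       # c=header/body; body defaults to simple
    body_method = parts[1] if len(parts) == 2 else "simple"
    length = int(tags["l"]) if "l" in tags else None
    return body_hash(body, body_method, length) == tags.get("bh")
```

The same parse_tags function reads the published record (v=DKIM1; k=rsa; p=...), so the p= value can be handed to an RSA verifier for the b= field.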