Your DKIM record is usually configured within DNS for your domain by your company’s IT professional or email administrator, your web hosting company, or your Email Service Provider (ESP), if they have authority over the sending domain.
The DKIM DNS record is made up of different informational elements that are represented by the use of tag=value pairs. The tag is usually a single letter followed by an equal sign (=). The value of each tag indicates a specific piece of information about the sender and public key.
There are numerous tags available to a sender; some tags are required and other tags are optional. Missing a required tag in the DKIM DNS record leads to a verification error with the mailbox provider while missing an optional tag does not.
Tags that are included in the DKIM DNS record but do not have a value associated with them are treated as having an empty value. However, tags that are not included in the DKIM DNS record are treated as having the default value.
DKIM DNS record example
<selector(s=)._domainkey.domain(d=)>. TXT v=DKIM1; p=<public key>
- s= indicates the selector record name used with the domain to locate the public key in DNS. The value is a name or number created by the sender. s= is included in the DKIM signature.
- d= indicates the domain used with the selector record (s=) to locate the public key. The value is a domain name owned by the sender. d= is included in the DKIM signature.
- p= indicates the public key used by a mailbox provider to match to the DKIM signature.
Here is what the full DNS DKIM record looks like for Returnpath.com:
dk1024-2012._domainkey.returnpath.com. 600 IN TXT "v=DKIM1\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1TaNgLlSyQMNWVLNLvyY/neDgaL2oqQE8T5illKqCgDtFHc8eHVAU+nlcaGmrKmDMw9dbgiGk1ocgZ56NR4ycfUHwQhvQPMUZw0cveel/8EAGoi/UyPmqfcPibytH81NFtTMAxUeM4Op8A6iHkvAMj5qLf4YRNsTkKAV;"
- The selector (s=): dk1024-2012
- The domain (d=): returnpath.com
- The version (v=): DKIM1
- The public key (p=): MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1TaNgLlSyQMNWVLNLvyY/neDgaL2oqQE8T5illKqCgDtFHc8eHVAU+nlcaGmrKmDMw9dbgiGk1ocgZ56NR4ycfUHwQhvQPMUZw0cveel/8EAGoi/UyPmqfcPibytH81NFtTMAxUeM4Op8A6iHkvAMj5qLf4YRNsTkKAV
- p= is the public key used by a mailbox provider to match to the DKIM signature generated using the private key. The value is a string of characters representing the public key. It is generated along with its corresponding private key during the DKIM set-up process.
Recommended optional tags
- v= is the version of the DKIM record. The value must be DKIM1 and be the first tag in the DNS record.
- t= indicates the domain is testing DKIM or is enforcing a domain match in the signature header between the "i=" and "d=" tags.
- t=y indicates the domain is testing DKIM. Senders use this tag when first setting up DKIM to ensure the DKIM signature is verifying correctly. Some mailbox providers ignore a DKIM signature in test mode, so this tag should be removed prior to full deployment or changed to t=s if using the "i=" tag in the DKIM signature header.
- t=s indicates that any DKIM signature header using the "i=" tag must have the same domain value on the right-hand side of the @ sign in the "i=" tag and the "d=" tag (i= email@example.com). The "i=" tag domain must not be a subdomain of the "d=" tag. Do not include this tag if the use of a subdomain is required.
- g= is the granularity of the public key. The value must match the local-part of the i= flag in the DKIM signature field (i= firstname.lastname@example.org) or contain a wildcard asterisk (*). The use of this flag is intended to constrain which signing address can use the selector record.
- h= indicates which hash algorithms are acceptable. The default value is to allow for all algorithms but you can specify sha1 and sha256. Signers and verifiers must support sha256. Verifiers must also support sha1.
- k= indicates the key type. The default value is rsa which must be supported by both signers and verifiers.
- n= is a note field intended for administrators, not end users. The default value is empty and may contain a note that an administrator may want to read.
- s= indicates the service type to which this record applies. The default value is a wildcard asterisk (*) which matches all service types. The other acceptable value allowed is the word "email" which indicates that the message is an electronic mail message. This tag is not the same as a selector record. It is intended to constrain the use of keys if DKIM is used for other purposes other than email in the future. If used, it is included in the DKIM DNS TXT record and not the DKIM signature. Should other service types be defined in the future, verifiers will ignore the DKIM record if it does not match the type of message sent.
Any tags not specified in RFC 6376 are not part of the DKIM protocol and should be ignored during the verification process. Not all mailbox providers ignore unrecognized tags, so you might see an error during the verification process.