DomainKeys Identified Mail (DKIM) is one of the authentication methods used by mailbox providers to determine a sender's identity. The DKIM-Signature header field is a special header placed into each email message; it contains the information about the sender and the message that is required for verification. A mailbox provider collects sender data based on the DKIM signature as part of its method for establishing a sender's reputation and trustworthiness.
Here are the steps you need to take to properly set up DKIM:
- Inventory all of your sending domains
You need to know all of the domains you use to send email. Tracking all of them is an important step that often gets overlooked. Your organization may use different vendors for sending email on behalf of your company, such as marketing messages, customer service messages, and corporate email. You should set up DKIM records for all of the sending domains and subdomains these entities use for your email.
Return Path recommends using Reputation Monitor or Sender Score to make sure you don’t miss any domains. If you are using Sender Score, enter your domain to find Related Sending Domains or other domains that are sending email using your domain or brand that you are not aware of.
You should also check with those in charge of customer service and client services, your internal IT email administrator, and your Email Service Provider (ESP) to verify that they are signing your emails with DKIM.
- Install and configure DKIM on your email server
All outgoing email needs to be signed with DKIM, which means you need to install a DKIM package specifically for your email server. To verify that DKIM software is available for your platform, check DKIM.org's site or check with your vendor.
If you use an ESP, work with them to set up your DKIM record.
- Create a public and private DKIM key pair
You should use a DKIM key wizard to create a public and private DKIM key pair. There are many DKIM wizards; Port 25 is a good option.
In the Port 25 wizard, enter the From domain that you are authenticating and the selector name. We recommend a selector name that describes the type of email you’re sending, such as marketing or newsletter. You should also standardize your selector names so you can easily track them. Also, per the DKIM specification, you need to make sure your key is 1024-bit or higher.
- Publish your public key
Once you have used a DKIM wizard, you should be given a selector record. This record includes the DKIM subdomain that will store the public key; the subdomain is a combination of the domain and the selector name.
For example, domain.com with a selector of marketing will have the public key stored in marketing._domainkey.domain.com.
Store your public key in the TXT record of that subdomain. You may need to work with your system administrator to publish this, or if you're using a hosted solution, most will allow you to set this up in their interface.
- Store your private key
Your private key is also generated by the wizard and must be stored in the location your DKIM package specifies.
- Configure your email server
You will need to do further configuration of your system to ensure DKIM is installed and working properly. Refer to the installation instructions for your particular server or consult with your email vendor.
If an ESP or hosting provider is implementing DKIM on your behalf, they will handle the necessary server configurations to install DKIM.
If you have successfully configured everything on your system, you need to test it. You can do this by sending an email from your email server to email@example.com. Once you have done that, you will receive an email letting you know whether DKIM passed or failed, and a warning if your key is not strong enough.
DKIM implementations are unique to the technology being used, so the testing phase is important and should not be overlooked. One of the best ways to troubleshoot DKIM issues is to send a test email, review the results, make the necessary changes, and re-test.
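Alongside the test email, the published record itself can be checked. The following is an added example, not code from this article or from any vendor tool: it builds the record name from a selector and domain, parses a TXT value, and flags a missing public key or an RSA key shorter than 1024 bits. All function names are hypothetical, and the sample records are constructed (well-formed DER around a made-up modulus, not real keys).

```python
import base64

MIN_BITS = 1024  # minimum key length given in the article

def record_name(selector, domain):
    return f"{selector}._domainkey.{domain}"  # e.g. marketing._domainkey.domain.com

def parse_tags(txt):
    """Split 'v=DKIM1; k=rsa; p=...' into a dict, dropping folding whitespace."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def _tlv(buf, pos):  # read one DER element at pos; return (value_start, value_end)
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_bits(spki):
    """Modulus size of a DER SubjectPublicKeyInfo carrying an RSA key."""
    seq, _ = _tlv(spki, 0)                 # outer SEQUENCE
    _, alg_end = _tlv(spki, seq)           # AlgorithmIdentifier (skipped)
    bit_string, _ = _tlv(spki, alg_end)    # BIT STRING wrapping the RSA key
    rsa, _ = _tlv(spki, bit_string + 1)    # +1 skips the unused-bits octet
    n_start, n_end = _tlv(spki, rsa)       # modulus INTEGER
    return int.from_bytes(spki[n_start:n_end], "big").bit_length()

def check_record(txt):
    """Return a list of problems found in a DKIM TXT record value."""
    tags = parse_tags(txt)
    if not tags.get("p"):
        return ["p= is empty or missing: no usable public key"]
    if tags.get("k", "rsa") != "rsa":
        return []                          # only RSA keys are sized here
    bits = rsa_bits(base64.b64decode(tags["p"]))
    return [f"{bits}-bit key is below {MIN_BITS}"] if bits < MIN_BITS else []

def _der(tag, body):  # DER-encode one element; used only to build the samples
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_record(bits):  # constructed record with a made-up modulus, not a real key
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    rsa = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    alg = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption + NULL
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

To check a live record, pass the TXT value returned by your DNS lookup for `record_name(selector, domain)` to `check_record`.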
Here is a link to the Port 25 tool mentioned in this article: Port 25