DomainKeys Identified Mail (DKIM)

Internet standard. An domain-based email authentication protocol that helps ISPs better identify legitimate email senders. RFC 6376 defined this standards and RFC 8301, RFC 8463, RFC 8553, and RFC 8616 updated it.

To verify the authenticity of an email message, DomainKeys Identified Mail (DKIM) signs email headers with public-key cryptography. The DKIM signature prevents bad actors from impersonating a legitimate domain.

DKIM implementation

To implement DKIM, you follow these steps.

Using your email provider, generate a DKIM key pair. If asked, provide the following parameters
- selector: A unique identifier for the key.
- key size: The cryptographic strength or size of the key in bits (1024 and 2048 are common).
Copy the public key.
Create a TXT DNS record.
- Set the record label to <selector>._domainkey.<domain>.
- Set the record value to the signature, outlined in the DKIM record format.

To verify the authenticity of a message, the TXT record contains the public key that receiving mail servers use.

DKIM record format

An DKIM record resides as the value of a DNS TXT that resemble the following:

DKIM DNS TXT record

k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDmzRmJRQxLEuyYiyMg4suA2SyMwR5MGHpP9dNT1hRiwUd/mZp1ro7kIDTKS8ttkI6z6eTRW9e9dDOxzSxNuXmume60Cjbu08gOyhPG3GfWdg7QkdN6kR4V75MFlw624VY35DaXBvnlTJTgRg/EW72O1DiYVThkyCgpSYS8nmEQIDAQAB

The TXT record value must adhere to the following standards:

It must follow RFC 1035 3.3.14 format for DNS records.
It can't exceed 512 bytes.

Tag	Necessity	Meaning	Format	Default value	Note
`v`	Recommended	version		`DKIM1`	If present, must be the first tag.
`h`	Optional	acceptable hash algorithms		`all`
`k`	Optional	key type		`rsa`
`n`	Optional	human-readable administrator notes
`p`	Required	public key data	base64 encoded		If the public key has been revoked, this can be empty.
`s`	Optional	service type		`*`
`t`	Optional	toggle flags	colon-separated list	`none`	Can include `y` to test DKIM without rejecting failed signature verifications, `s` for subdomain strictness, or both

DKIM in email header

With DKIM turned on, an DKIM-Signature header gets added to each email message.

DKIM-Signature header

1DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=brisbane;
2     c=relaxed/simple; q=dns/txt; i=foo@eng.example.net;
3     t=1117574938; x=1118006938; l=200;
4     h=from:to:subject:date:keywords:keywords;
5     z=From:foo@eng.example.net|To:joe@example.com|
6       Subject:demo=20run|Date:July=205,=202005=203:44:08=20PM=20-0700;
7     bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
8     b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR

Tags in DKIM-Signature

Tag	Necessity	Purpose
`v`	Required	version
`a`	Required	signing algorithm
`d`	Required	Signing Domain Identifier (SDID)
`s`	Required	selector
`c`	Optional	canonicalization algorithm(s) for header and body
`q`	Optional	default query method
`i`	Optional	Agent or User Identifier (AUID)
`t`	Recommended	signature timestamp
`x`	Recommended	expire time
`l`	Optional	body length
`h`	Required	header fields - list of those that have been signed
`z`	Optional	header fields - copy of selected header fields and values
`bh`	Required	body hash
`b`	Required	signature of headers and body

The recipient email server requests verification at the DKIM DNS record. It decodes the t value in the header and compares it to the p value in the DNS record. If it matches, nothing happens using DKIM alone. DMARC handles that.

DKIM in Twilio SendGrid

To improve your email deliverability, Twilio SendGrid turns on DKIM for all email on shared or dedicated-ip IP addresses.