How to Set Up DKIM to Prevent Spoofing and Spam

Mike Arsenault
July 20, 2021

Email authentication helps keep all of us safe from spam and email attacks. There are multiple email authentication protocols. Each protocol protects against a specific type of email forging.

Sender policy framework (SPF) authentication keeps malicious senders from spoofing emails and IP addresses.

DKIM authentication protects against emails that have been altered in transit by a bad actor between the sender and the recipient.

DMARC records establish rulesets for handling emails that fail SPF or DKIM authentication.

You need to use all three of these protocols to achieve the best email deliverability rates. Email service providers use these protocols to check email messages for all types of malicious email activity: spoofing, spam, and man-in-the-middle attacks.

Many receiving domains refuse or quarantine emails that don’t have all three authentication protocols. So, missing authentication protocols is about the same as a failed authentication check.

This means that you should configure your email authentication protocols before you begin warming up your IP address, since authentication failures can hurt your sender reputation.

This post is all about DKIM records—from the basics to creating them yourself—so you can get them set up and achieve the best deliverability rates.

What is a DKIM Record?

DomainKeys Identified Mail (DKIM) is an email authentication protocol which verifies that the organization delivering the email has the right to deliver that message.

DKIM authentication is designed to prevent spoofing—the act of deceiving an email recipient into believing that a malicious email message came from a legitimate sender. The DKIM authentication protocol also helps prevent spam.

Here’s how it works.

DKIM authentication is like lock and key security for your emails. When you use DKIM authentication, your emails are encrypted, and a DKIM signature is attached to the email header.

The DKIM signature in your email header is the lock, and your DKIM record acts as the key. Your DKIM record is published in your domain’s DNS records.

The digital signature contains information about where to find your DKIM record, which contains the decryption key. The receiving domain gathers the information about the location of the decryption key, and retrieves it from the sending domain DNS records.

If the DKIM signature is legitimate, the receiving domain retrieves the correct decryption key, decrypts the email, and delivers it to the inbox. If the DKIM signature is incorrect or missing, the receiving domain won’t be able to decrypt the message. This is a DKIM authentication failure.

Without properly configured DKIM records, receiving email servers can’t verify that your emails truly originated from you or your ESP. Receiving domains usually reject or quarantine emails that fail DKIM authentication or that have no DKIM signature. So, improperly configured DKIM records decrease your email deliverability.

Here’s what to do if you’re not sure if your DKIM records are set up properly.

How to Create a DKIM Record

First, you need to find out the status of your DKIM records. It’s possible they may already be good to go, especially if you work with an ESP.

Use a DKIM checker to find out if your DKIM records are set up. Any one of these tools will check your email domain for properly configured DKIM records:

Like SPF records, DKIM records are text strings stored in TXT records. Your DKIM signature is unique to your domain. So, you’ll need to contact your domain administrator or work with your development team to generate a DKIM key.

DKIM keys typically look like this:

DKIM keys always start with “r=rsa;” and end with “QAB.”

The key that your domain administrator gives you is your private key. This is the signature that gets attached to your email header.

You’ll also need to get the DKIM selector which identifies the DKIM key that the receiving mail server will use to decrypt your emails. It’s possible to have more than one DKIM key published in your DNS records. So, the DKIM selector is important for ensuring that your emails can be properly authenticated.

Your DKIM selector is formatted like this:

The <selector> field specifies which DKIM key you’re using, and the <header domain> field is filled with your domain name.

Even if you only have one DKIM key on your domain, you’ll still need to use a DKIM selector.

Another DKIM key, the public key, is generated along with the private key for your email header. This key gets published in your DNS records. The public key is what the receiving email server retrieves and uses to decrypt your emails.

Configuring DKIM Records

Next, you’ll need to work with your development team to attach the DKIM signature to your email header, and publish the DKIM key to your DNS TXT records.

The current accepted DKIM key size is 1024 bits. Your development team will probably be on top of it, but it’s worth verifying. If you want to future-proof your DKIM authentication, you can bump your DKIM key size up to something larger, like 2048 bits.

If you need to configure your DKIM records yourself, most ESPs have their own UI for configuring DKIM records and other email authentication protocols. This makes it fairly simple to set up DKIM and SPF records, and establish DMARC rulesets.

But, the process of configuring your DKIM records will vary, depending on your email service.

However, your domain administrator or development team often won’t even need to give you the DKIM key. They’ll just generate the key, and add the TXT record to your DNS zone file for you. Easy, right?

Once your DKIM records are configured, you should check them again to ensure that your DKIM authentication is working correctly. Depending on your mail server, it can take up to 24 hours for your DKIM authentication to show as active.
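One way to run that check offline on a record you have already fetched, as an added example that is not code from this post or from Rejoiner: it builds the DNS name a selector resolves to, parses the TXT record's tags, and reads the RSA modulus size from the `p=` value so the 1024/2048-bit sizes above can be verified. The function names are hypothetical, the `v=`/`k=`/`p=` tags and the `<selector>._domainkey.<domain>` name follow RFC 6376, and the sample records are constructed with a placeholder modulus rather than a real key.

```python
import base64

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(spki):
    """Modulus size in bits of a DER SubjectPublicKeyInfo holding an RSA key."""
    _, seq, _ = read_tlv(spki, 0)                 # outer SEQUENCE
    _, _, alg_end = read_tlv(spki, seq)           # AlgorithmIdentifier
    tag, bit_start, _ = read_tlv(spki, alg_end)   # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("p= does not decode to a SubjectPublicKeyInfo")
    _, rsa, _ = read_tlv(spki, bit_start + 1)     # +1 skips the unused-bits byte
    _, start, end = read_tlv(spki, rsa)           # INTEGER modulus
    return int.from_bytes(spki[start:end], "big").bit_length()

def dns_name(selector, domain):
    return f"{selector}._domainkey.{domain}"

def audit(txt):
    """Return (verdict, key_bits) for the text of a DKIM TXT record."""
    tags = dict(part.split("=", 1) for part in txt.split(";") if "=" in part)
    tags = {k.strip(): "".join(v.split()) for k, v in tags.items()}  # drop folding whitespace
    if tags.get("k", "rsa") != "rsa":
        return "skipped: not an RSA key", None
    if not tags.get("p"):
        return "revoked: empty p= tag", None
    bits = rsa_bits(base64.b64decode(tags["p"]))
    verdict = "fail: below 1024 bits" if bits < 1024 else "warn: below 2048 bits" if bits < 2048 else "ok"
    return verdict, bits

def der(tag, body):  # minimal DER encoder, used only to build the constructed sample
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_record(bits):
    """Constructed record: the modulus is a placeholder number, not a usable key."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = der(0x30, der(0x02, b"\x00" + n) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption OID, NULL
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(der(0x30, alg + der(0x03, b"\x00" + rsa))).decode()

print(dns_name("s1", "example.com"), [audit(sample_record(b)) for b in (512, 1024, 2048)])
```

To audit a live domain, look up the TXT record at the name `dns_name()` returns with your usual DNS tool and pass the record text to `audit()`.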

Additionally, you should rotate your DKIM keys once a year. The decryption key is stored in your domain’s DNS records. So, it’s possible that a hacker could get the decryption key from your DNS records, and successfully spoof your email address.

If you have a good email service provider, they’ll often handle the DKIM authentication configuration. For example, Rejoiner audits the health of client email authentication setups, and works with their sending domains to ensure that all the email authentication protocols are properly configured according to current best practices.

Email deliverability plays a big role in maximizing the return from your email marketing. And email authentication is a major part of getting the best deliverability rates. Therefore, it’s critical to get all the authentication protocols configured correctly.

So, check all your email authentication, and ensure that everything is configured correctly. It’ll make your emails more profitable.


Mike Arsenault

Founder & CEO

For the last 10 years, Mike has worked with brands like Moosejaw, Hydroflask, Peak Design, Triumph, Hearst & Guthy Renker to provide the strategy & technology with which they use email to drive revenue growth. He's also the Founder of Rejoiner, a SaaS marketing platform built for ecommerce businesses.
