DKIM adds a digital signature to email sent from your domain, so that mail from any user in your company can be authenticated, and it improves email deliverability. DKIM is an industry best practice and is becoming the authentication standard that increases the security of your email domains. DomainKeys Identified Mail allows an organization to take responsibility for a message so that it can be verified by the recipient.
- Spend less time removing your domains from blocklists
- Spend less time working with users after they have fallen for phishing attempts
- Increase confidence that emails sent from your users are not fraudulent when they are signed via DKIM.
DKIM (DomainKeys Identified Mail) enables email providers that receive mail from your domain to verify whether messages from your domain are in fact authentic and not fraudulent. This level of email authentication is made possible through the use of public/private key cryptography, digital signatures, and information stored in your domain's DNS. It is implemented not only on custom domain email hosting but also for mailing lists that send bulk email from a custom domain.
How does DKIM work?
When a message is sent from your domain or email address, it is ‘signed’ using the private key, with the signature covering selected message header fields and/or the message body. These parts are specified in the signature and allow you to send signed messages as the domain owner.
The receiving mail server of the email message can use the public key specified in your domain’s DKIM TXT record to validate the signature. This DKIM TXT record is added to the DNS records of the domain name. If the validation is successful, then the receiver can assume the message came from a legitimate sending domain. If the signature fails, then the receiver can choose whether or not to trust the message from the email servers.
Each domain will have its own unique DKIM key and signature.
For example, when you set up DKIM, outbound mail is signed under a DKIM selector, and the matching DNS record that lets it pass DKIM authentication looks like this:
DKIM Record Host: <selector>._domainkey
DKIM Record Value: v=DKIM1; k=rsa; p=<base64-encoded public key>
In addition to validating the original source of the message by checking the signature against the public key, these signatures ensure that the signed parts of the message have not been altered in transit by any third party.
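The Python below is an added example, not code from this guide or from any mail provider. It shows two receiver-side steps described above: deriving the `<selector>._domainkey` DNS name from a DKIM-Signature header, and recomputing the body hash (`bh=`) to detect alteration in transit. The header, body, selector `mail2024` and domain `example.com` are constructed sample values; checking the `b=` signature against the `p=` key and handling the `l=` tag are outside its scope.

```python
import base64
import hashlib
import re

def parse_tags(value):
    """Parse a DKIM tag=value list (DKIM-Signature header or DNS TXT record)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Whitespace inside values (folded base64, "from : to") is not significant.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def dns_name(sig):
    """Name the receiver queries for the key: <selector>._domainkey.<domain>."""
    return f"{sig['s']}._domainkey.{sig['d']}"

def canon_body(body, mode):
    """Body canonicalization, RFC 6376 section 3.4.3 (simple) / 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of spaces/tabs to one space, drop whitespace at line ends.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()                           # trailing empty lines are ignored
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body, mode):
    """Base64 SHA-256 of the canonicalized body, as carried in the bh= tag."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def body_intact(sig_header, body):
    """Recompute the body hash and compare it with the signed bh= value."""
    sig = parse_tags(sig_header)
    # c= is "header/body"; a missing body part defaults to "simple".
    mode = (sig.get("c", "simple/simple") + "/simple").split("/")[1]
    return body_hash(body, mode) == sig["bh"]

# Constructed sample data (not from the page): the sender computes bh= over the body.
BODY = b"Quarterly report attached.  \r\nRegards,\tFinance\r\n\r\n"
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail2024; "
       "h=from:to:subject; bh=" + body_hash(BODY, "relaxed") + "; b=SIGNATURE_OMITTED")
```

Under relaxed canonicalization a relay that only changes whitespace runs or trailing blank lines leaves `bh=` valid, while any change to the text itself makes `body_intact` return `False`.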
See this guide to implement DKIM and to validate the DKIM signature header via the admin control panel. Enabling DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) is part of best practice for securing your domain and reducing email spoofing while maintaining strong email security. Contact Support if you have questions about enabling SPF and DKIM on your email domains.
Looking to further secure email sent from your domain? Take a look at our guides for enabling SPF and DMARC on your domain.