How does DKIM record work?

Every day, spam is more present, annoying, and dangerous! It’s not only about an undesired bunch of messages taking your inbox space. Nowadays, opening the wrong message and clicking its images or downloading its files could be like opening Pandora’s box! Phishing attacks, malware, and all sorts of scams could be attached to it.

What is the DKIM record?

DKIM record or DomainKeys identified mail is a security standard for domains to sign outgoing e-mails through cryptographic authentication. This way, domains can demonstrate the e-mails sent from their side are legit. Therefore they can be trusted. Besides, the DKIM record secures messages to avoid being altered while they are in transit (sending server-recipient server).

Benefits of DKIM record

How does DKIM record work?

Easily explained, the DKIM record works by including a digital signature on the e-mail’s header. That signature allows the e-mail’s validation through the use of a cryptographic public key. This last can be found in the domain’s DNS record.

Let’s go a bit deeper into the process.

You own or administrate a domain, so you have access to the DNS records. First, you publish the cryptographic public key strictly formatted as a TXT record. Publishing it is required for recipients to have access to it when they need to verify the authenticity of the message’s sender.

Then, a DKIM signature will be generated and attached to the e-mail header whenever a message gets sent by your mail server. The digital signature is a hash value, a unique textual line or sequence that is encrypted by the private key. This private key must be kept secret. Only you (owner or administrator) must have it.

DKIM record supports multiple algorithms for creating the digital signature. Details related to the signature’s creation are registered in the header of the e-mail. And two cryptographic hashes are included. One is related to the body of the message, and the other to the defined headers. 

Then the sent e-mail is gotten by a receiver mail server, which starts a DNS request to look for the necessary public key of the sender domain to validate the message. The public key can be accessed from the domain’s DNS zone. 

If you want to learn more about DNS zone, check out the following page about DNS terms every beginner should know.

Once found, the receiver server can detect and decrypt the signature. Its primary hash values will be compared with the values contained in the e-mail itself. If there’s a match between the values, the e-mail will be authenticated. Meaning, it’s legit, and it was not altered in transit. Its reception doesn’t mean danger for the recipient. 

DKIM record key sizes.

The size of the keys matters! Short RSA (Rivest-Shamir-Adleman, public key cryptosystem) keys fall easier during offline attacks, so signers require 1024-bit RSA keys as a minimum for long-lived keys. To validate signatures, verifiers must use keys that range between 512 bits and 2048 bits. In fact, verifier policies should use the signing key length as a metric to determine if a signature is acceptable.

Different factors intervene when defining the key size:

  • The larger the key, the higher CPU costs for signing and verifying e-mails.
  • Large keys might not fit within a 512-byte DNS UDP response packet.
  • Smaller than 1024 bits keys are prone to offline attacks.


Don’t let your guard down! DKIM record is a great security ally to protect e-mailing. Sending e-mails is a constant and needed practice for businesses to communicate with clients and their own employees. Enabling this record, it’s a smart decision you won’t regret! 

Leave a Reply

Your email address will not be published. Required fields are marked *