How to create a DKIM record (the right way)

Learn everything you need to know to create a DKIM record the right way and help your emails reach the inbox (and your recipients).

Learning how to create a DKIM record might sound as exciting as watching paint dry, but getting it right can make or break your email deliverability. A correctly published DKIM record helps your emails reach the inbox (and your recipients) instead of the spam folder.

DKIM stands for DomainKeys Identified Mail, and it’s essentially a digital signature for your emails. It tells receiving servers that the message was signed by a server holding your domain’s private key and that the signed headers and body have not been altered since, so it was not forged by an impersonator.

Phishing attacks and email spoofing are rampant. DKIM lets your domain vouch for the messages it actually sends. It’s like showing your ID at a bar (but for your emails).

However, setting up your DKIM record can be easier said than done. Fortunately, we can help.

Below, we’ll show you how to create a DKIM record (the right way). No tech jargon overload, just clear steps to help your emails land where they should. We’ll cover the basics, show you how to set things up, and point out common mistakes to avoid.

What is a DKIM record?

A DKIM record is a TXT record in your domain’s DNS that publishes the public key receiving servers use to verify the DKIM signature on emails sent from your domain. The signature travels with each outgoing email; the record is where verifiers fetch the key to check it.

How DKIM records work

Here’s a quick rundown of how DKIM records work:

  1. When you send an email, your mail server hashes the message body and a chosen set of headers (From, Subject, Date and so on) and signs that hash with the domain’s private key.
  2. The signature is added to the message as a DKIM-Signature header, together with the signing domain (d=), the selector (s=), the list of signed headers (h=) and the algorithm used (a=).
  3. The DKIM record in your DNS, at selector._domainkey.yourdomain.com, contains the public key that matches that private key.
  4. When your email arrives, the receiving server reads d= and s= from the header and looks up that DNS record.
  5. It recomputes the hashes and uses the public key from the record to check that the signature is valid.
  6. If everything checks out, the email passes DKIM and the verifier records dkim=pass in an Authentication-Results header. If not, the result is dkim=fail and the message may be treated as suspicious, especially if your DMARC policy says so.

It’s a handshake (of sorts) between mail servers: only a holder of the private key can produce a signature that the published public key validates, and that is what separates the real emails from the fakes.

How to create a DKIM record: step-by-step process

Now, let’s get into the nitty-gritty work of creating your DKIM record. Keep in mind — this process might vary slightly depending on your email service provider or DNS host, but the general idea remains the same.

1. Generate your DKIM key pair

First, you need to create a pair of keys: a private key and a public key. Your email server will use the private key to sign outgoing emails, while the public key goes into your DNS record for verification.

Many email service providers will generate this key pair for you. If you’re using a service like Google Workspace or Microsoft 365, they’ll handle this step. If you’re managing your own email server, you might need to use a tool like OpenSSL to generate these keys.

2. Choose your DKIM selector

A DKIM selector is like a label for your DKIM key. It helps receiving servers find the right DKIM record, especially if you have multiple DKIM keys for your domain.

Pick a simple, memorable selector. Something like “mail” or “key1” works, though a date-stamped name such as “s2024a” makes key rotation easier to track. Just make sure it’s unique within your domain, since each selector points to exactly one key.

3. Create the DKIM DNS record

You’ll need to add a new TXT record to your domain’s DNS. The record will look something like this:

selector._domainkey.yourdomain.com. IN TXT "v=DKIM1; k=rsa; p=your_public_key_here"

Replace “selector” with your chosen selector, “yourdomain.com” with your actual domain, and “your_public_key_here” with your public key: the base64 text of the public key file with the BEGIN/END lines and line breaks removed. Note that a single TXT string is limited to 255 characters, so a 2048-bit key has to be published as two or more quoted strings one after the other; resolvers join them back together.

4. Add the DKIM record to your DNS

Time to put your DKIM record where it belongs. Log into your DNS management tool (this might be through your domain registrar or hosting provider). Add a new TXT record and paste in the DKIM record you created in step 3. Many control panels append your domain to the host name automatically, so enter the host as selector._domainkey rather than the fully qualified name, or you will end up publishing selector._domainkey.yourdomain.com.yourdomain.com.

5. Verify your DKIM setup

Last but not least, make sure everything’s working as it should. Use a DKIM checker tool, or query DNS directly (for example dig +short TXT selector._domainkey.yourdomain.com), to verify that the record is published and its p= value matches your public key.

Send a test email to an external address and look at its headers. The Authentication-Results header should show dkim=pass with header.d= set to your domain and header.s= set to your selector.
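The five steps end to end, as an added shell example (not the article’s or Valimail’s code): it generates the key pair with OpenSSL, builds the TXT value, writes a zone-file line with the value split into 255-character strings, and decodes the value back to confirm it is the key OpenSSL would parse and to report its size. The selector s2024a, the domain example.com and the ./dkim-demo output directory are placeholders; the dig-based lookup needs network access and is not run by the demo.

```shell
#!/bin/sh
# Added example (not from the original article): generate a DKIM key pair,
# build the TXT record from step 3, and check it offline. Selector, domain
# and output directory are placeholders.
set -eu

# Step 1: key pair. The private key stays on the signing host, mode 0600.
dkim_keygen() {  # $1 = output dir, $2 = RSA bits (2048 recommended)
  dir=$1; bits=${2:-2048}
  mkdir -p "$dir"
  openssl genrsa -out "$dir/dkim.private" "$bits" 2>/dev/null
  chmod 600 "$dir/dkim.private"
  openssl rsa -in "$dir/dkim.private" -pubout -out "$dir/dkim.public" 2>/dev/null
}

# Step 3: the record value. p= is the base64 of the DER SubjectPublicKeyInfo,
# which is exactly the PEM body with the armour lines and line breaks removed.
dkim_txt_value() {  # $1 = public key PEM file
  printf 'v=DKIM1; k=rsa; p=%s' "$(grep -v -- '-----' "$1" | tr -d '\n\r')"
}

# One TXT <character-string> holds at most 255 octets; a 2048-bit key does not
# fit, so the value is published as several quoted strings that resolvers
# concatenate. Many DNS panels split it for you; a zone file does not.
dkim_zone_line() {  # $1 = selector, $2 = domain, $3 = public key PEM file
  strings=$(dkim_txt_value "$3" | fold -w 255 | sed 's/.*/"&"/' | tr '\n' ' ')
  printf '%s._domainkey.%s. IN TXT %s\n' "$1" "$2" "${strings% }"
}

# Step 5, offline half: prove that what we are about to publish is a public
# key OpenSSL can parse, and report its size in bits (empty if it cannot).
dkim_txt_key_bits() {  # $1 = record value (v=DKIM1; ...)
  p=$(printf '%s' "$1" | tr -d ' ' | tr ';' '\n' | sed -n 's/^p=//p')
  printf '%s' "$p" | base64 -d 2>/dev/null \
    | openssl rsa -pubin -inform DER -noout -text 2>/dev/null \
    | sed -n 's/^.*Public-Key: (\([0-9]*\) bit).*$/\1/p'
}

# Step 5, online half (needs network, not run by the demo): fetch the
# published record and rebuild the single value from its quoted strings.
dkim_published_value() {  # $1 = selector, $2 = domain
  dig +short TXT "$1._domainkey.$2" | sed 's/" *"//g; s/^"//; s/"$//' | tr -d '\n'
}

if [ "${1:-}" = "--demo" ]; then
  dkim_keygen ./dkim-demo 2048
  dkim_zone_line s2024a example.com ./dkim-demo/dkim.public
  echo "key bits: $(dkim_txt_key_bits "$(dkim_txt_value ./dkim-demo/dkim.public)")"
fi
```

Run with --demo to get a zone-file line you can paste, then compare dkim_published_value against dkim_txt_value once the record has propagated: the two strings must be identical, and dkim_txt_key_bits on the published value should print 2048.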

Best practices for DKIM implementation

Now, you know the general step-by-step process to create your DKIM record. Here, we’ll dive into a few more best practices that will keep your DKIM implementation effective and secure. Think of this as your DKIM maintenance checklist:

  • Use strong keys: Use 2048-bit RSA keys. 1024 bits is the minimum that verifiers will accept; RFC 8301 tells them to reject anything shorter. Bigger keys are harder to crack, keeping your emails more secure.
  • Rotate your keys regularly: Don’t let your keys get stale. Swap them out every 6-12 months. It’s like changing the locks on your house — it keeps the bad guys guessing.
  • Implement multiple selectors: Having more than one selector allows for smooth key rotation. You can phase out the old key while introducing the new one, without any downtime.
  • Align your DKIM domain with your “From” address: Make sure the d= domain in your DKIM signature matches the domain in your “From” header (or, under relaxed DMARC alignment, shares its organizational domain). A DKIM pass on some other domain does nothing for DMARC.
  • Test, test, and test again: After any changes to your DKIM setup, send test emails and verify that DKIM is still passing.
  • Monitor your DMARC reports: DKIM itself produces no reports, but DMARC aggregate reports tell you which sending sources pass and fail DKIM for your domain. They can alert you to a broken key or an unsigned sending service before it becomes a big problem.
  • Keep your private key private: This might seem obvious, but it’s worth repeating. Your private key should be as well-guarded as your bank account password.
  • Use DKIM in conjunction with SPF and DMARC: DKIM is great, but it’s even better as part of a complete email authentication trio. SPF and DMARC work alongside DKIM to provide comprehensive protection.

DKIM (and email authentication, in general) isn’t a one-and-done deal. It’s an ongoing process to keep your email communications safe and secure.

Common mistakes to avoid when creating DKIM records

Creating DKIM records isn’t rocket science, but there are a few pitfalls that can trip you up. Consider this your “what not to do” guide for DKIM implementation.

  • Mishandling semicolons: Semicolons separate the tags in the record; the base64 public key itself never contains one. Some DNS tools and zone-file syntaxes treat an unescaped semicolon as the start of a comment, so if your provider’s documentation says to escape them, write \; and then query the published record to confirm the tags came through intact.
  • Using the wrong key type: Make sure you’re using the public key in your DNS record, not the private key. Mixing these up is like giving out copies of your house key to strangers.
  • Incorrect formatting: DNS is picky about formatting. The record value is logically one string with no line breaks. A 2048-bit key exceeds the 255-character limit of a single TXT string, so it is published as several quoted strings that resolvers concatenate; most DNS panels split the value for you, but in a zone file you do it yourself. Even a tiny formatting error, such as a stray space inside the key, can render your DKIM useless.
  • Neglecting DNS propagation time: After you’ve added your DKIM record, give it some time to propagate. How long depends on the record’s TTL and on any cached negative answer for the same name, so don’t panic if it doesn’t work immediately; DNS changes can take up to 48 hours to fully spread.
  • Ignoring DKIM for subdomains: If you send emails from subdomains, they need DKIM too. Don’t leave your subdomains as the weakest link in your email authentication chain.
  • Forgetting to enable DKIM signing: Setting up the DNS record is only half the process. Make sure DKIM signing is actually enabled on your email server or through your email service provider.

Troubleshooting common DKIM record issues

Sometimes, you’ll run into a few issues when creating your DKIM records. Don’t panic — there’s usually a logical (and easy to fix) reason for these hiccups. Here are a few of the most common issues we see and how to fix them:

  • DKIM authentication failing: If your DKIM checks are coming back as “fail,” first check your DNS record. Make sure it’s formatted correctly and the public key matches the one your email server is using.
  • DNS propagation delays: Sometimes, your DKIM record might be correct, but it’s not working because DNS changes haven’t spread everywhere yet. Give it up to 48 hours.
  • Selector mismatch: Double-check that the selector in your DNS record matches the one your email server is using. It’s easy to mix these up, especially if you have multiple selectors. It’s like trying to open your front door with your car key — close, but no cigar.
  • Key length issues: If you’re using a key that’s too short (like 512 bits), receiving servers will reject it; RFC 8301 requires verifiers to refuse keys under 1024 bits. Upgrade to at least 1024 bits, preferably 2048.
  • Incomplete DKIM string: Make sure your DKIM record includes all necessary parts. p= (the public key) is the only strictly required tag; v=DKIM1 should be present and, if it is, must come first; k=rsa can be omitted because rsa is the default. An empty p= means the key has been revoked, so never publish the record before the key is in it.
  • Line breaks in DNS record: If your DNS record has any line breaks, it can cause DKIM to fail. Make sure it’s all on one line.
  • Incorrect domain in DKIM signature: Double-check that the d= tag in your DKIM signature matches the domain whose DNS holds the record (and aligns with your From address for DMARC).
  • DKIM not enabled on email server: Sometimes, the DNS record is perfect, but DKIM signing isn’t turned on at the email server level. Check your email server or service provider settings.

Automate DKIM (and SPF and DMARC) with Valimail

Creating and managing DKIM records can be a time-consuming headache, but it doesn’t need to be. Valimail can help streamline and automate the process for you.

We handle DKIM, SPF, and DMARC, so you don’t have to sweat the technical details.

Here’s how Valimail helps:

  • Automatic DKIM management: No more setting calendar reminders or worrying about outdated keys. We handle it all behind the scenes.
  • Multi-vendor support: Using multiple email services? No problem. We’ll manage DKIM across all your vendors.
  • Real-time monitoring: We keep an eye on your email authentication 24/7, so you don’t have to.
  • Easy troubleshooting: If something goes wrong, we’ll let you know what the issue is and how to fix it. No more digging through cryptic error messages.
  • Streamlined compliance: Meeting email security standards becomes simple and easy.
