Last updated: 5 April 2021

Like SPF records, DKIM records are used to check if an email was sent from a server that is allowed to send mail for a domain. However, the way in which this is done is quite different: DKIM uses a digital signature. Because outgoing emails are signed DKIM is also used to check if an incoming email was modified between the time it was sent and the time it was received.

How DKIM works

DKIM uses cryptography to sign emails. It is quite a complicated technology but it works roughly as follows:

  • The sending server uses a private key to add a digital signature to the header of outgoing emails.
  • A public key is published in the DKIM DNS record.
  • Receiving mail servers use the public key to check if the signature is correct.

DKIM has several advantages over SPF. For one thing, you don’t have to figure out which IP addresses should be allowed. And because DKIM uses signatures it also works with email forwarding. Plus, it adds the ability to check if an email was tampered with.

Have I got a DKIM record already?

If you are hosting your email with us and you are using our name servers then you probably already have a DKIM record, as the record is added automatically when a hosting package is created. You can check if your domain has a DKIM record via your hosting control panel. For instance, if you use cPanel then you can view all TXT records using the Zone Editor.

What a DKIM record looks like

A DKIM record is a TXT record that looks like this (I have shortened the record’s value for readability):

example.net.                 TXT       "v=DKIM1; k=rsa; p=MIIBI...DAQAB;"

The record’s value has three parts:

  • v=DKIM1 specifies DKIM version.
  • k=rsa indicates that the key has been created using the RSA cryptosystem.
  • p=MIIBI…DAQAB; is the public key.

DKIM in relation to DMARC

Like SFP, DKIM is used by DMARC to help combat spam and phishing.