Skip to content

What Is DKIM and How to Set It Up

Digitally signing outgoing e-mail messages using DKIM is a way to reduce spam, as well as increasing the credibility of e-mail communication.

Principle

It works on the principle of asymmetric cryptography, where the hash of the outgoing message's body is encrypted using a private key and attached to the message. Recipient's server then decrypts this hash using the public key located in a DNS record and compares it with the hash of the incoming message, which it calculates itself. If both hashes match, it is clear that the message indeed came from a trusted sender and has not been modified in any way. If not, such an e-mail may be penalized or rejected, depending on the settings of the antispam filter.

Configuration

There are basically two ways to deploy DKIM on a managed server.

The first option is to sign all outgoing messages with a single key created for one domain. The advantage of this solution is less configuration and only having to set up a single TXT record for one domain. Since the DKIM signature also includes the domain name, where the public key is stored, even if the sent e-mail comes from a different domain than the one used to sign it, it poses no problem. Such e-mail will also have a valid DKIM signature and will be succesfully verified. Although, some authentication systems may trust it slightly less compared to using the second solution described below.

The second option is to set up a separate key for each domain used for sending emails from the server. That means, you need to generate a signing key, configure signing and set up a TXT DNS record with the public key separately for each domain. This solution is more time-consuming and administratively demanding, but slightly more trusted.

Both of these solutions can be combined. The server can sign several of the most important domains with dedicated keys and the rest with a shared one.

When sending a request to technical support for the deployment of DKIM, it is necessary to carefully think about which variant you want to use. Once the server configuration is ready and the keys have been generated, we will set up the TXT record with the public key for the relevant domain. If the domain is not managed by us, we will pass you the public key for deployment. The signing of outgoing messages is activated when the TXT record with the DKIM key is deployed and available upon DNS request.