DKIM Records

DKIM stands for DomainKeys Identified Mail. It provides a way to validate that an organization delivering an email has the right to do so.

Setting up DKIM

DKIM requires the addition of public keys into your DNS zone. The key is often provided to you by the organization that is sending your email, for example SendGrid, Postmark, or Google Apps. The key will either be inserted directly into your zone as a TXT record, or it will be a CNAME pointing to the key in your provider’s DNS.

If you’re given a string representing the DKIM key, it usually looks something like this:

k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGMjj8MVaESl30KSPYdLaEreSYzvOVh15u9YKAmTLgk1ecr4BCRq3Vkg3Xa2QrEQWbIvQj9FNqBYOr3XIczzU8gkK5Kh42P4C3DgNiBvlNNk2BlA5ITN/EvVAn/ImjoGq5IrcO+hAj2iSAozYTEpJAKe0NTrj49CIkj5JI6ibyJwIDAQAB

Insert this into a TXT record. Do this by following the instructions for creating a record, selecting TXT as the record type, and entering the string you were given into the Content field.

Your provider will also give you a specific subdomain to use, usually something like:

something._domainkey

Enter this subdomain in the “Name” field.

If your provider gives you a fully-qualified name that ends with your domain name, DO NOT include your domain name in the “Name” field when you add the TXT record. If you’re given pm._domainkey.yourdomain.com, only enter pm._domainkey in the “Name” field.

Quotes and slashes?

If your provider gave you the DKIM record and it included double quotes around the record, or backslashes before semi-colons in the record, you may safely remove them. The quotes are handled automatically by our name servers, and the semi-colons will automatically be escaped if necessary.

Sometimes there will be forward slashes or other unusual characters in the DKIM record. Don’t modify those. If you have any questions or concerns, contact support.

Verifying your DKIM with dig

The dig tool is a good way to verify that your DKIM record is being returned correctly by our DNS servers.

To verify the DKIM record, query for the TXT record at the fully qualified domain name where the TXT record lives. For example, on the domain example.com, you can get the TXT record using the following query:

dig +short google._domainkey.example.com TXT

This will return a result like this:

"v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3QEKyU1fSma0axspqYK5iAj+54lsAg4qRRCnpKK68hawSd8zpsDz77ntGCR0X2mHVvkf0WEOIqaspaG/A5IGxieiWer+wBX8lW2tE4NHTE0PLhHqL0uD2sif2pKoPR3Wr6n/rbiihGYCIzvuY4/U5GigNUGls/QUbCPRyzho30wIDAQAB"

If no result is returned, verify that you added the TXT record with the correct subdomain. Remember that the “Name” field in DNSimple should not include your domain name; otherwise you’d create a record at subdomain.yourdomain.com.yourdomain.com.
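
The check above can be scripted. The following is an added example, not DNSimple's or any provider's code: it takes one line of dig +short output, joins the quoted strings, removes the backslash escaping, and reports problems with the DKIM tags. It also derives the “Name” field and selector from a provider-supplied name. The function names are hypothetical and the key is constructed sample data, not a real key.

```python
# Added example: helper names are illustrative; KEY and SAMPLE are constructed.
import base64
import re

def normalize_txt(dig_line):
    """Join the quoted strings dig prints and undo the backslash escaping."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', dig_line)
    text = "".join(chunks) if chunks else dig_line.strip()
    return re.sub(r"\\(.)", r"\1", text)

def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict, dropping whitespace."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags

def check_dkim(dig_line):
    """Return the problems found in one DKIM TXT answer (empty list = OK)."""
    tags = parse_tags(normalize_txt(dig_line))
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unknown key type")
    if "p" not in tags:
        problems.append("missing p= tag")
    elif tags["p"] == "":
        problems.append("empty p= (key revoked)")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except ValueError:  # binascii.Error is a ValueError
            problems.append("p= is not valid base64")
    return problems

def name_field(provider_name, zone):
    """Strip the zone from a provider-supplied name to get the Name field."""
    name = provider_name.rstrip(".").lower()
    suffix = "." + zone.rstrip(".").lower()
    return name[: -len(suffix)] if name.endswith(suffix) else name

def selector(name):
    return name.split("._domainkey")[0]  # label(s) before ._domainkey

KEY = base64.b64encode(bytes(range(162))).decode()
SAMPLE = '"v=DKIM1\\; k=rsa\\; p=' + KEY[:100] + '" "' + KEY[100:] + '"'
```

A truncated key is the most common copy-and-paste failure, and it shows up here as “p= is not valid base64”.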

Verifying your DKIM with an online tool

Verify your DKIM with an online tool like this one from Treehouse. This tool verifies that you have SPF and DKIM records. In the DKIM selector field, enter the first part of the subdomain your DKIM record is under. For example, if your DKIM is at google._domainkey.example.com, then the DKIM selector is “google”.

Technical details

If you want to read more about the technical details of DKIM, head over to DKIM.org.