DomainKeys Identified Mail (DKIM) is a standard for email authentication supported by companies such as Google and Yahoo. The purpose of this standard is to authenticate emails using Public Key Infrastructure (PKI). DKIM performs this authentication by adding a digital signature to the header of the email.
Difference between DKIM and SPF
The Sender Policy Framework (SPF) mechanism uses SPF records to specify a list of authorized hosts/IP addresses that are allowed to send email from a specific domain (authorization). In the DKIM mechanism, by contrast, a digital signature is added to the header of the email and is used to verify the identity of the email's sender (authentication).
Sometimes, while an email is being transferred from source to destination, a server on the route blocks a part of the email, which can lead to a failed SPF validation. With DKIM, the digital signature is added to the header of the email, so authentication still succeeds in this scenario. Note, however, that in such cases, if only an SPF record is defined for the domain, the destination server will mark the received email as spam.
A brief summary of DKIM functionality
The email server that has DKIM activated (the signing server) generates a private key and a public key, and publishes the public key via a DKIM record.
When sending an email, this server takes the header and a part of the body of the email and calculates a hash over them. It then uses the private key to encrypt this hash value (signing). This encrypted value is called the signature. Finally, the signature is added to the email as a DKIM-Signature header before the email is sent.
When the signed email reaches the destination server (the verification server), the server checks the header for a DKIM-Signature. If such a header exists, it queries DNS for the public key published via the DKIM record and uses it to decrypt the signature. If the verification is successful, the email is accepted; otherwise, it is marked as spam.
The format of DKIM record
The DKIM record is a text string similar to the following example:
This string can include several tags, including:
⦁ v: specifies the version of the DKIM protocol. So far, the only version of this protocol is DKIMv1.
⦁ h: specifies a list of mechanisms that can be used for hashing.
⦁ q: specifies the default query method.
⦁ l: specifies the body length restrictions.
⦁ k: specifies a list of mechanisms that can be used to decrypt the DKIM signature.
⦁ p: specifies the public key.
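A record built from these tags can be checked mechanically before it is published. The following Python code is an added example, not code from the original article or from ArvanCloud; the function names and the sample records are constructed for illustration. It parses a DKIM record into its tags and reports common problems: an unsupported version or key type, a hash list that excludes sha256, a revoked (empty) key, or a public key that is not valid base64.

```python
import base64

# Constructed sample records; the p= values are placeholders, not real keys.
# In a published record the version tag is written v=DKIM1.
GOOD = "v=DKIM1; k=rsa; h=sha256; p=Q09OU1RSVUNURURfU0FNUExFX0tFWQ=="
REVOKED = "v=DKIM1; k=rsa; p="
BROKEN = "v=DKIM2; k=dsa; p=not base64!"


def parse_dkim_record(txt):
    """Split a DKIM TXT value into a {tag: value} dict of ';'-separated tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        name = name.strip()
        if not sep or not name:
            raise ValueError(f"malformed tag: {part!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = "".join(value.split())  # drop folding whitespace in the value
    return tags


def check_dkim_record(txt):
    """Return a list of problems found in the record; an empty list means none were found."""
    try:
        tags = parse_dkim_record(txt)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("unsupported version")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unsupported key type")
    if "h" in tags and "sha256" not in tags["h"].split(":"):
        problems.append("sha256 not allowed")
    if "p" not in tags:
        problems.append("missing public key")
    elif tags["p"] == "":
        problems.append("key revoked (empty p)")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except ValueError:
            problems.append("public key is not valid base64")
    return problems
```

Running `check_dkim_record` on the value received from the email provider before saving it catches copy-and-paste damage such as a truncated or line-wrapped key.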
Setting a DKIM record in the ArvanCloud user panel
To set a DKIM record for your domain:
⦁ Go to User Panel -> CDN -> DNS.
⦁ In DNS Settings, set the record type to TXT and the title to @.
⦁ Click on the value box. Enter the value of the DKIM record that is provided to you by your email service provider (such as Mailgun or G Suite).
⦁ Finally, set the TTL to an appropriate value and click the Plus icon to save the record.
Practical example: Sending email via mailgun.org
After you set up your email service at Mailgun, the service will provide you with your DKIM record.
You just need to enter this string as the value of your DKIM record in DNS settings. You can refer to the Mailgun documentation for more information.