DKIM records explained

Consider this scenario. You pack a set of cookies for your friend and send it through a delivery service. They receive the package only to find them half-eaten and the box mostly empty. Frustrating and scary, right? You can always bake a fresh set for your friend. But, what if you have to send a smaller package through a vast network, passing through numerous checkpoints, with no way for you to track its every movement while ensuring that no one has opened it in transit? On any given day, you’ll be sending out numerous such packages—i.e., emails—hoping that they get through.

Instead of having hope as your only aid, you can take action by adopting practices that ensure your emails get through safely. One such mechanism that ensures that your emails aren’t altered in transit is Domain Keys Identified Mail (DKIM). It involves signing your email with a key, which can then be verified by the recipient to make sure it hasn't been changed. DKIM works in tandem with two other authentication protocols in giving complete protection for the emails sent out from your domain.

What is DKIM?

DKIM is used to determine if the contents of your email have been modified in transit. This is done using a mechanism called public key cryptography. DKIM essentially ensures that the sending domain isn’t being spoofed to send unwarranted emails. This is done using two keys, a public key and a private key.

The sender signs the email with their private key, and also publishes a DKIM record (i.e., TXT) in their DNS server. This TXT record contains the public key, which can be retrieved by the receiving server to validate the email.

Why should I add DKIM

DKIM, or any other authentication mechanism, helps make the work of spammers harder, preventing your domain from being used for spoofing or phishing activities. DKIM helps you with the following:

• It helps the receiver check if the contents of the emails have been tampered with or altered in transit. This way, it helps check for email frauds.
• DKIM doesn't verify the sender's identity, rather it authenticates the sender's domain. So, if someone impersonates your domain to send emails, it won’t have the private key signed, which will make it fail the DKIM authentication.
• DKIM also reduces spam and ensures your emails are delivered to the inbox. This will boost your sender reputation as a valid source and, in turn, your deliverability.

What does DKIM look like?

There are two components of DKIM:

• The DKIM signature.
• The public key that’s published by the sender.

The DKIM signature is the encrypted hash value of the contents and headers of an email. This encryption is done using the private key available with the sender. You can view this signature in any email you receive. Depending on the email client you use, by selecting Show original or View raw message a typical DKIM signature looks like this:

• V = This tag denotes the version of the DKIM signature used.
• A = This contains the algorithm used to generate the DKIM signature. The commonly used algorithms are rsa-sha1 or rsa-sha256.
• C = This canonicalization indicates how the components were prepared for hashing. There are two methods - simple or relaxed.
• D = Indicates the domain from where the DKIM public key is to be fetched from.
• S = The selector that’s used to fetch the correct public key for the domain.
• Bh = Hash of the canonicalized part of the email body.
• H = The header data that has been included in the signature.
• B = Cryptographic signature of all the information that precedes the DKIM signature. This is treated as an empty string.

This signature will be added to all outgoing messages from your server, which will then be evaluated by the receiver.

Next, let’s look at the public key that the sender publishes in their DNS records. If you’re using an email service provider like Zoho ZeptoMail, you can generate the public key directly from your account. Otherwise, you can use online tools to generate your DKIM signature. The key looks like this:

• K = Denotes the type of key that’s being used. Rsa is the default type.
• P = The public key used to decrypt the message.

How does DKIM work?

Consider this example of a transactional email being sent from your application. This is how DKIM is used to secure your email.

• Say you use an email service provider (ESP) like ZeptoMail to send out your transactional emails. When an action is performed on your application and an email is triggered, the ESP converts the contents and the header of the email into a hash value.
• The ESP then signs the email using the private key generated, which becomes the DKIM signature.
• Meanwhile, you should publish the public key for your domain in your DNS records.
• On receiving the email, the recipient server will look for the DKIM signature, and using the "d" and "s" elements, will find your public key from your domain.
• The receiving server will then decrypt the signature and build its own canonicalized copy using the algorithm and data available in the signature. This copy doesn’t replace the original content.
• This will be compared with the hash values available. If they match, DKIM is said to pass. Otherwise, it’s a fail, and the email will either be sent to spam or rejected.

You can check if you have configured DKIM properly by sending a test email to yourself. In the expanded header of the received email, you’ll be able to view the status of the DKIM authentication.

DKIM in ZeptoMail

DKIM is one of the important steps in authenticating the domains you add to your Zoho ZeptoMail account, along with SPF. Domain authentication is essential to start sending your emails, as it helps legitimize your domain and reduce spam instances. This mandatory step ensures that your domain reputation is intact and your transactional emails reach your recipients on time.