DKIM: Land Your Emails Right In The Inboxes Of Your Customers
How does DKIM work?
When an organization is preparing to send emails to its customers, it will sign the messages with a special signature. The receiver can use the signature for verification purposes. This makes it easier for the receiver to identify fake messages and ignore them.
Some email service providers, such as Gmail and Yahoo!, check an incoming email for a DKIM signature to identify the sender. When an email reaches the mail server, the server reads the DKIM header and checks whether it is valid. The verification process involves the following:
- Going through the DNS of the domain that sent the message to get its public key.
- Using the public key to decrypt the signature. The internet service provider can determine the source of any message through the signature it decrypts.
Using the signature with your messages will boost your sender reputation. The mail server is able to verify your identity and show your target audience that you are a credible and trusted sender. This will have a positive impact on your deliverability through better message delivery.
What is a DKIM signature?
A DKIM signature is a special header you put in messages when you are sending them out. The header contains some special information that the email receiver will use to know the source of the message. The receiver will check your DKIM key and use it to check the signature.
This is an example of a signature:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
There is a lot of information in the header. From the example, there are a couple of tags with their values in the header.
Some of the tags are:
- “d=”, which represents the signing domain
- “b=”, the digital signature
- “bh=”, a hash
Although each message has its special signature, each signature in the header must contain the elements above.
You create the DKIM when you sign your email with your digital signature. The signature will be in your message header. Your mail transfer agent will use a special algorithm to create the signature that you will add to the signed fields. The special signature is the “hash value.”
After generating the signature, the MTA will store the public key used for generating the signature in a listed domain. After the receiver MTA receives the email, it will use the DNS to get the public key used by the signer to verify the signature. It will then decrypt the hash value found in the email’s header with the key. It will calculate the hash value for the received message while decrypting the hash value.
If the signature-generating key and the public key from the message sender match, it means that the message hasn’t changed. This convinces the receivers of the credibility of the listed domain that sent the message.
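The hash comparison described above, as an added example that is not part of the original article. It covers only the bh= step (recomputing the hash of the received body and comparing it with the header), not the public-key check of b=; the message body, the domain example.com and the b= placeholder are constructed for illustration.

```python
import base64
import hashlib
import re

REQUIRED = ("v", "a", "d", "s", "h", "bh", "b")  # tags every signature must carry

def parse_tags(value: str) -> dict:
    """Split a DKIM tag list ("name=value; name=value") into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def relaxed_body(body: bytes) -> bytes:
    """Relaxed body canonicalization: collapse runs of spaces/tabs, strip
    trailing whitespace on each line, drop empty lines at the end."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def check_body(sig_value: str, body: bytes) -> str:
    """Compare the bh= tag with a hash recomputed from the received body."""
    tags = parse_tags(sig_value)
    missing = [t for t in REQUIRED if t not in tags]
    if missing:
        return "permerror: missing " + ",".join(missing)
    canon = tags.get("c", "simple/simple")
    if tags["a"] != "rsa-sha256" or not canon.endswith("/relaxed"):
        return "skipped: this sketch handles rsa-sha256 with a relaxed body only"
    return "body hash matches" if tags["bh"] == body_hash(body) else "fail: body hash mismatch"

# Constructed sample body and signature (b= is a placeholder, not a real signature).
BODY = b"Your order has shipped.\r\nThanks,  Example Shop \r\n\r\n"
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=ms; "
       "h=from:to:subject; bh=" + body_hash(BODY) + "; b=PLACEHOLDER")

if __name__ == "__main__":
    print(check_body(SIG, BODY))
    print(check_body(SIG, BODY.replace(b"shipped", b"been cancelled")))
```

A whitespace-only change to the body still matches under relaxed canonicalization, while any change to the wording does not.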
What are DKIM Records?
DKIM uses a DNS TXT record that is in a unique format. When DKIM creates a public/private key pair, it will add the public key to the DNS of your domain.
If you have different domains for sending email messages, you can keep a record of all these domains. This is the DKIM record. Each pair of keys has a special selector to make it easier to renew the DKIM records or make changes to them when necessary. The selector also makes it easy to identify the source of a record and do whatever you wish with it.
There are two types of DKIM records. These are:
- Policy record, which is a record of information about the DKIM’s policy. It also contains your email addresses. A DKIM must have one policy record.
- DKIM DNS record, which represents the public signing key. It is the long string of special characters in the record. A domain can have more than one record if it has several servers with their own private keys for signing emails.
Configuring DNS Records for DomainKeys / DKIM
A basic need for a functional DKIM is to configure DNS records for it. Your email provider will give you the public keys you can add to the DNS during the configuration to get it running efficiently.
You can do the configuration in two simple ways:
- Insert the keys as a record in TXT format into your DNS.
- Use it as a CNAME that points to the key in the DNS of your provider.
Your provider will give you the DKIM string that looks like an encrypted message. Add this message into a TXT record while creating a DNS record.
While you are creating the record, you will have several options to choose from. Choose the appropriate option, TXT or CNAME, from the record type options. In the “Content” field, enter the string in the field.
Apart from the string, you will also get a specific sub-domain from your email provider. It may come in this form: my._domainkey.
Check the “Name” field and enter the special sub-domain in it.
If you receive a sub-domain with your domain name at the end, don’t add your domain name when adding the TXT record in the “Name” field. For instance, if you receive my._domainkey.mydomain.com, remove the .mydomain.com from the string and enter my._domainkey only in the “Name” field. Once you do this, you have successfully completed the configuration.
Another thing you could do is ask your hosting provider for help. They will handle the configuration on your behalf.
Dig: A great tool for DKIM verification
Once you are through with configuration, the DNS server should serve your DKIM record correctly. This is necessary for your record to work smoothly. If you wish to know whether the DNS server returns your DKIM record the way it should, you can do the verification with dig.
To start the verification, check the domain name holding the TXT record and send a query for the record.
For instance, if your domain name is mydomain.com, send this query to retrieve the TXT record:
dig +short google._domainkey.mydomain.com TXT
A successful verification process will give you a result in this format:
If the verification process returns no result, the configuration process may have some flaws. Do another verification exercise to check whether you used the correct sub-domain while adding the TXT record.
For example, if you enter your domain name in the “Name” field in the DNS, that will generate a problem and won’t return a result.
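One way to check the dig answer and the “Name” field mistake described above, as an added example that is not part of the original article. The function names are hypothetical, the record is constructed (its p= value is filler bytes, not a real key), and the tag names v=, k= and p= follow the standard DKIM key record format.

```python
import base64
import re

def record_names(provider_host: str, zone: str):
    """Return (text for the DNS "Name" field, full name to query with dig)."""
    host, zone = provider_host.rstrip(".").lower(), zone.rstrip(".").lower()
    if host.endswith("." + zone):
        host = host[: -len(zone) - 1]  # the DNS panel appends the zone itself
    return host, f"{host}.{zone}"

def parse_txt(dig_line: str) -> dict:
    """Join the quoted chunks dig prints for one TXT record, then split the tags."""
    text = "".join(re.findall(r'"([^"]*)"', dig_line))
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def check_record(dig_output: str) -> list:
    """Return a list of problems found in `dig +short <name> TXT` output."""
    # Lines without quotes are CNAME targets (the CNAME set-up option); skip them.
    records = [ln for ln in dig_output.splitlines() if ln.strip().startswith('"')]
    if not records:
        return ["no TXT record returned: check the sub-domain in the Name field"]
    problems = []
    if len(records) > 1:
        problems.append("more than one TXT record at this name")
    tags = parse_txt(records[0])
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    key = tags.get("p")
    if key is None:
        problems.append("missing p= tag")
    elif key == "":
        problems.append("empty p=: this key has been revoked")
    else:
        try:
            base64.b64decode(key, validate=True)
        except ValueError:
            problems.append("p= is not valid base64")
    return problems

# Constructed record: the p= value is filler bytes, not a real public key.
FILLER = base64.b64encode(bytes(range(200))).decode()
GOOD = f'"v=DKIM1; k=rsa; p={FILLER[:120]}" "{FILLER[120:]}"'
```

Pass the text printed by the dig query to `check_record`; an empty list means the record parsed cleanly.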
Does DKIM Filter Email?
DKIM verifies a message’s sender only; it doesn’t filter emails. Nonetheless, DKIM’s usefulness doesn’t stop at message verification. The email server can still use the information from the DKIM check to support the filter that the receiving domain uses for filtering messages.
For instance, if a trusted domain sends an email and the DKIM can verify the source of the message, the domain will be regarded as a credible source. The email server will deliver its messages to its recipients and won’t treat messages from the domain as spam.
If there is no way of verifying the DKIM signature of the email because it is a fake email or for any other reason, the DKIM will pass the message as email spam. In that case, the server will add a spam tag to the email’s subject line to warn receivers not to trust the email. Otherwise, the server may quarantine the mail.
For instance, Gmail doesn’t deliver email messages from some organizations to their subscribers. This occurs if the email provider cannot verify the DKIM signature of the organizations. A host of other internet service providers do the same. This is a measure put in place to reduce cases of phishing.
How Can I Test My DKIM?
Before you start sending email messages out to your subscribers, you can test your DKIM signature to see whether it is working or not. A great way to test things out is sending an email from your domain to a verified Gmail account. That will give you a clue into how good your DKIM signature is.
This is how to test your DKIM through Gmail:
- Open Gmail web app.
- Open an email in the app.
- Click the down arrow beside the “Reply” button.
- Select “Show original” from the option.
- If you find “signed-by: your domain name” in the original section, you have a good DKIM signature.
Is your DKIM Verification Successful?
A successful DKIM verification is proof that you got the verification process right. The simple steps below will help you to check whether your DKIM verification is successful or not.
- Log in to http://dkimcore.org/tools/keycheck.html
- In the “Selector” field, enter “ms”.
- In the “Domain name” field, enter your domain name. Don’t add “www” to your domain name when entering it.
- Click the “Check” button.
- Enter your DKIM key and check its validity and value.
- The Control Panel page contains an “Account” button, click it.
- A menu will appear, click the “Sender” option.
- If you want to check the DKIM key of a particular sender’s email, click on the email address.
- The “TXT record value” area will contain the key you want to check, check it there.
What Do the Results of My Email on Acid DKIM Test Mean?
When you conduct a DKIM test, there are several possible results. They are:
- pass = This is the result you get when everything works well. In this case, the sender signed the message, the signature was acceptable and passed the test.
- fail = The sender signed the message and DKIM accepted the signature, but the signature didn’t pass the test. This means that the signature in the message is correct but didn’t match the sending domain’s signature. This may mean that someone changed the message before it got to the server.
- none = The message doesn’t have a DKIM signature. This is different from failing. This may be due to an error of omission.
- policy = The message has a signature but the signature is not acceptable.
- neutral = The message has a signature but there are errors in the message. Thus, the test cannot process the signature. This may be because the sender did not form the signature very well because the sending domain contains some configuration error.
- temperror = The test can’t verify the message. This may be due to some temporary error, such as the test being unable to get the public key. Since the error is temporary, the test may be able to verify the message if it checks the message a second time.
- permerror = The test can’t verify the message due to some permanent error. For instance, the header field may be absent. Even if it tests the message several times, it may be unable to get a specific result. In this case, the entire signature or some part of the signature was missing when the receiver received it, which may be responsible for the failure. This may mean that you didn’t write the header correctly or someone changed it after you sent it.
These are the likely results you will get when you conduct this test. From the message, you will understand what the problem is, if there are any.
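The result values listed above are the ones a receiving server records in the Authentication-Results header of a delivered message. The following added example, which is not part of the original article, extracts them from a constructed header; the function names, server name and domains are assumptions, and quoted property values are not handled.

```python
import re

ADVICE = {
    "pass": "signature verified",
    "fail": "signature did not verify: the message may have been changed in transit",
    "none": "no DKIM signature on the message",
    "policy": "signature present but not acceptable to the receiver",
    "neutral": "signature is malformed: check the signing configuration",
    "temperror": "temporary error such as a failed key lookup: test again",
    "permerror": "permanent error such as a missing header field: fix the signature",
}

def dkim_results(header: str) -> list:
    """Extract every dkim= result from an Authentication-Results header."""
    value = header.split(":", 1)[1]
    value = re.sub(r"\([^()]*\)", " ", value)      # remove (comments)
    found = []
    for clause in value.split(";")[1:]:            # clause 0 names the receiving server
        words = clause.split()
        if not words or not words[0].lower().startswith("dkim="):
            continue
        props = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        found.append({"result": words[0].split("=", 1)[1].lower(),
                      "domain": props.get("header.d"),
                      "selector": props.get("header.s")})
    return found

def triage(header: str, signing_domain: str):
    """Return (result, advice) for the signature made by signing_domain."""
    for entry in dkim_results(header):
        if entry["domain"] == signing_domain:
            return entry["result"], ADVICE.get(entry["result"], "unknown result")
    return "none", ADVICE["none"]

# Constructed header carrying two signatures, as a receiver might record them.
HEADER = ("Authentication-Results: mx.example.net;\r\n"
          " dkim=pass (2048-bit key) header.d=example.com header.s=ms header.b=AbCdEfGh;\r\n"
          " dkim=temperror (key lookup timed out) header.d=mailer.example.org header.s=k1;\r\n"
          " spf=pass smtp.mailfrom=example.com")

if __name__ == "__main__":
    for domain in ("example.com", "mailer.example.org", "other.example"):
        print(domain, triage(HEADER, domain))
```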
How Important is Authentication and Sending Reputation?
Have you ever wondered why it is important that you verify your message? What impact can your reputation have on your email deliverability?
Sender reputation is a score that Internet Service Providers will give you based on the number of emails you have sent out. Several factors determine your Sender Reputation. This includes spam complaints rate, bounce rate, and the number of unsubscribed members you have on your mail list.
The email server handling your emails separates email messages from each other. The server determines good and bad messages by using the factors above. If the figures for these factors are high, you will get a bad sender reputation while low figures will give you a good sender reputation.
If you have high bounce issues, this implies that something is wrong with your email list. It shows that you either bought the list or have not taken the time to clean the list to get rid of inactive members. To reduce high bounces, avoid buying an email list and always do a routine check to remove inactive emails from your list.
Remove people who have unsubscribed from your list immediately. Stop sending messages to them the moment they click the “unsubscribe” button. Such people tend to consider unsolicited messages as spam. If you continue bothering them with messages, they may hit back and report you as a spammer.
If you have an impressive sender reputation, it will rub off on your deliverability. Your email messages won’t end up in people’s spam boxes but right in their inboxes. If your sender reputation is bad, your email will end up as spam or flagged before it reaches the recipient. That’s bad for business.
Email verification is also an important part of running a successful online business. Considering how fast email phishing attacks are increasing daily, it is crucial that you find a way to be different from others. That’s what DKIM does for you.
Some other benefits of email verification include:
- You will have fewer spam complaints
Spam complaints can damage your reputation beyond repair. To become a successful brand, your spam rate should be very low. If you have a good email verification culture, your audience won’t have cause to mark your messages as spam. When users can identify your brand as trustworthy, they won’t have reasons to complain about it.
- Better deliverability
The increasing rate of spamming is a turn off for many subscribers. They have developed the habit of rejecting messages from unknown sources. To increase your email delivery rate, create a trustworthy sender reputation for your brand. Email verification will help you achieve that.
- It prevents blacklisting
When you are on a blacklist, you find it difficult to reach your customers with your emails. The server will always reject your message for as long as you are still on the list. Regular spam complaints may earn you blacklisting. The attendant restriction will do more damage to your business than you can ever imagine. You can prevent this by ensuring that messages from your domain undergo the right verification process before you send them out.
DKIM helps Internet Service Providers see your brand as a genuine and trustworthy business. This helps you get your emails to land in the inboxes of your customers, meaning more open rates, better engagement and bigger conversions for you. Be sure to test your DKIM after its configuration to ensure that you configured it well.