Email deliverability is only one of the prerequisites of a good email marketing campaign. The other condition that underlies a successful marketing campaign is trust.
Trust is something that is in short supply these days, especially with the prevalence of spammers and phishing attacks. To the average email user, emails containing disruptive spam messages and malware can come from anywhere — including senders claiming to be one of your domain owners. This does little to calm the skepticism and suspicion of people and email servers.
Sender policy framework (SPF) is in place to add a layer of security for email senders. SPF does this by linking an IP address to a domain. This ensures that every email message is from your domain. However, at times, an SPF record alone might not suffice.
This is where having a DKIM record comes in handy. With a DKIM record, your organization’s emails can have an extra layer of legitimacy with DKIM signatures. A DKIM signature allows your emails to get through mail servers and to your customers intact and untampered.
Once the email is sent, it goes to the recipient’s main inbox and not the spam folder. What this results in is the high likelihood of the email message being opened. Needless to say, the authentication of DKIM adds more points to your sending reputation.
Read on to learn more about DKIM records, why you need them alongside other email security protocols like SPF, and how to set them up.
What Is DKIM?
DKIM stands for DomainKeys Identified Mail. It is one of three email authentication methods, alongside Domain-Based Message Authentication, Reporting, and Conformance (DMARC) and SPF. DKIM allows email recipients to verify the origin of an email.
DKIM assigns a unique message header to every email sent by an organization. This header is the DKIM signature and provides proof that the email has received authorization to be sent.
A DomainKeys Identified Mail (DKIM) record needs to be published in your domain’s DNS records. This means that a message sent with a DKIM signature can be shown to have remained the same during transit. Also, the DKIM message headers tell the recipient that you have authorized the email message to be sent on behalf of your domain.
How Does DKIM Work?
The best way to picture the function of DKIM is as a signature. Interestingly, DKIM works because of DKIM signatures. A DKIM signature is a digital signature at the header of email messages. As an email is sent from an outbound mail server, the domain’s DNS records containing the DKIM signature become part of the message.
The DKIM Record and the Role of a Private Key
The DKIM record is an encrypted TXT record. Domain owners format the DKIM record in their organization’s DNS records. It allows every email sent from a particular domain to have a private key.
As domain owners format the record, they ensure that the private key can match with a public DKIM key on an email server. The public DKIM key is for cryptographic authentication.
Public key cryptography verifies the authenticity of the DKIM signature. The unique signature allows an email message to remain unaltered throughout the DKIM verification process.
Embedding of the DKIM Signature Header
With the DKIM signature “embedded” on an email message, the receiving mail server will screen the message to do one of two things — send it to spam folders or inboxes.
If email servers see a mismatch between the email message’s DKIM signature and the signing domain, the email is likely from a forged sender address. Email messages from forged sender addresses either lack DKIM signatures or have different ones from the domains they claim to be from.
On the other hand, a DKIM signature is proof that the domain owner authorized the sending of the message. To a receiving mail server, this is a sign of emails from legitimate IP addresses linked to a particular domain.
The Header Proves Email Authorization and Authenticity
In a way, it serves a similar function to an SPF record. However, it also appears as an encrypted header. As an encrypted digital signature, it remains intact. In other words, its presence indicates that no part of the email was tampered with during the sending process.
Passing DKIM checks, the email reaches the recipient with no alterations in content. Also, because the DKIM signatures are signs of a legitimate signing domain, the receiver will open the message without fear.
This is exactly what you want in your email marketing. Other than maximizing the chances of an opened email, other reasons make a DKIM signature crucial to your organization.
Why Having a DKIM Signature Is Important
As mentioned in the earlier section, a DKIM signature is unique to the signing domains of domain owners. This digital signature timestamp is proof of a message’s credibility. A signed message containing a DKIM signature header gives an email message its authenticity — both in terms of the email sender and its contents.
Authenticity through your DKIM signature is crucial in the following ways:
A DKIM Signature Prevents Email Spoofing
Every DKIM signature is unique to the sender’s sending domain. This digital signature proves the origin of the email. It is an encrypted signature that shows that the email did not come from an email sender pretending to be associated with your organization.
Hence, even if a scammer were to use a valid email address, mail servers that have DKIM verification turned on will detect this. As a result, the incoming messages from scammers do not reach the inboxes of mail recipients.
The DKIM Signature’s Anti-Email Spoofing Capabilities Promote Inbox Safety
Inboxes need protection from more than spam mail. Phishing attacks can lodge harmful malware into the recipient’s computer. This can occur as soon as the recipient clicks on the email.
Phishing not only comes in the form of harmful malware transmission. Sometimes, more sophisticated scammers can have keylogging software embedded in the email. Once the recipient opens the email, the software can transmit login details that the recipient types. This can give the scammer or hacker sensitive information like account login details.
DKIM signatures protect recipients because of their uniqueness to an organization’s domain. Like an SPF, the DKIM signature makes it so that no email from an impostor domain owner makes it to the recipient.
Protection with DKIM Signatures Adds to Your Organization’s Sender Reputation
People these days are aware of the dangers associated with spam and phishing. For this reason, people are now more mindful of the origins of their email.
A valid email address no longer suffices. To earn the trust of email receivers before they open your message, you need DKIM authentication made possible with a DKIM signature. The DKIM signature creates the DKIM header that the recipient can check.
Because the DKIM header states your domain as the sole sender, the recipient will trust that your email is safe. With your DKIM signature as the actual digital signature of your email, no spammer will be able to spoof your domain name.
Since none of the contents of the mail is altered, two things will occur. First, the email goes to your recipient’s inbox. Second, the reputation of your domain will remain intact because spoofing it is nearly impossible with a DKIM verification.
Improved Email Deliverability
Ultimately, this is why email security protocols and tools like DKIM and SPF are set. These protocols allow your domain name to be trusted. DKIM also preserves the contents of your mail as well as its domain origin during the sending process.
For these reasons, the mail gets to whoever you are sending it to. Moreover, the added trust factor maximizes the chances of the recipient opening the email.
How Are DKIM and SPF Different?
By now, you might be seeing some common ground between DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF). Indeed, both are in place to ensure email security for all parties involved.
However, they are different. Don’t confuse them as the same thing. By knowing how they are different and what specific role they play in the email verification process, you may find that adding DKIM on top of SPF is beneficial.
Here are some of the differences:
SPF Is Mainly for Authorizing Sending on Behalf of the Sending Domain
SPF allows various IP addresses to send messages. It does this by ensuring that an IP address is part of the SPF records. An IP address that is not part of the SPF records will not be able to use the domain name in the “envelope from” field.
SPF records contain information that links IP addresses to an organization’s domain. Only IP addresses associated with the sending domain can send emails bearing the domain at the “from” header.
DKIM Proves Sending Authorization
If SPF allows an IP address to send an email on behalf of a domain, DKIM proves that the sending was authorized. An organization using DKIM can embed a digital signature in emails that cannot be altered at any point in the sending process.
The signature is unique and indicates that the email came from a domain that allowed the message to be sent.
SPF Can “Disintegrate” During the Sending Process
SPF’s main function is to prevent the sending of emails that “spoof” the domain name. In other words, with SPF, any email sent from an IP address not part of the SPF record will alert a mail server to its inauthenticity. As a result, the email is either not received or is received in the spam folder.
This is what makes SPF such a valuable email security protocol. However, it has its limitations.
SPF prevents spammers from spoofing or copying the name of the domain. This can deter spammers from using an organization’s domain name to deceive email recipients. While the domain name remains protected, the same cannot be said of an email’s contents.
Sophisticated hackers and spammers can alter the contents of an email. In addition, SPF can break down during email forwarding. Because SPF only ensures the protection of the domain name, the contents are left susceptible. This means that someone can still receive the email but with alterations in the content.
DKIM Remains Intact Throughout the Email Sending Process
As mentioned, SPF offers little to no protection to an email message’s contents. This is where DKIM comes in. A DKIM signature is an encrypted digital signature. The DKIM signature is embedded into an entire email — from the header to the contents.
Because of the encryption and the sending of a public key for verification, DKIM signatures are not susceptible to tampering. Once an email with a signature reaches a receiving mail server, it indicates that the message is in the same state as how it was upon sending.
In short, the presence of the signature allows the receiving mail server to confirm the originality and integrity of the email.
Will Having DKIM Without Other Email Security Protocols Suffice?
DKIM has a comprehensive scale of protection and does fulfill some of the roles SPF has. This causes some email marketers to think that having DKIM alone will suffice. Others believe that only SPF is enough. Both lines of reasoning are incorrect.
DKIM works. However, it is always better to have it in place alongside other protocols like SPF or DMARC.
One is not better than the other. Indeed, both SPF and DKIM serve to lend emails to verification. As mentioned earlier, both serve this function on two separate fronts.
By having SPF in place, you will be able to protect your domain name from being used by email senders you do not know. This can be an unauthorized third-party email service provider as well as an individual intent on destroying your online reputation.
When you have DKIM, you can add an extra layer of protection to your domain name as well as the contents of your email. For someone to tamper with any part of the email, they would need the DKIM key — something nobody else has access to except you or your DNS manager.
In short, SPF protects your domain name from unauthorized usage. On the other hand, DKIM does this as well as ensures the intactness of your email from sending to receiving.
Both do have their merits in isolation. Have both, and you will be taking your email security and deliverability further.
How Do You Set Up DKIM?
If you want to set up DKIM, be aware that there may be differences in the DKIM setup process. In particular, these differences occur among email service providers. Hence, you need to ask your service provider for assistance to set up DKIM.
In general, you will need to follow three steps when you set up DKIM.
Step 1: Generate Your DKIM Keys
Generating DKIM keys can be done by asking for the assistance of DNS providers. The other way to get DKIM keys is with a DKIM key generator. You can find these after running a quick Google search.
Once you have found a DKIM key generator, you will be asked to type in the domain name for which you want the key. Take note that the domain you enter should be the one on the “from” header of your email.
You might also need to include your DomainKeys selector. Think of this as a label for your DKIM keys. Some DKIM key generators generate DKIM keys automatically as soon as you enter your domain.
Part of the DKIM key generation process is selecting the appropriate character length. Often, there are two — 1024 and 2048. The character length is the number of characters your DKIM key will have. The longer the key, the more challenges hackers will have to face to hack your email.
Some DNS providers will support a maximum of 1024 characters. Others allow twice that number. Hence, check with your DNS provider.
After filling out all the necessary fields, you will be redirected to a page containing your DKIM key. This key is the public key. This is what you need to copy onto your DNS records.
Step 2: Create a DNS Record Entry
The DNS record entry is a TXT record. You can create one using a text processor like Notepad.
On your text processor, create the title “DNS Text Record Entry.” From there, add the following labels:
- Name:
- Value:
- Selector:
On the name, place your DKIM selector. Once again, this is the label for your key from step 1. Follow this up with “._domainkey.” and then your domain name, ending with a period.
For instance, if you have selected “key00001” as your DKIM selector, and your domain is “flip.com”, then your entry for name will look like this:
key00001._domainkey.flip.com.
After you have filled out your name, move on to “value.” Here, you need to type “v=DKIM1; p=” followed by your public key.
When you copy your public key, be sure to omit the part that says “public key.” Copy only the characters that come after the “public key” heading and before the “end of public key” heading.
As for the “selector” field label you have created, just place your key selector.
Save the file because you will need it for the next steps.
Step 3: Copy Your Public Key to Your DNS Server
Visit your DNS dashboard. Regardless of your DNS provider, the dashboard will offer options for the type of resources you want to add to your DNS records. Choose the “TXT” option since your key is in this format.
From here, you will be asked to include the name you have for the public key. Copy the name you created in Step 2. When you see a “value” field, copy what you typed in the “value” label of your TXT file.
After performing these steps, submit your entries. You will then be redirected to a page containing your DNS records. You will see your DNS entry among other assets in your DNS records.
Step 4: Enter Your Private Key onto Your Email Server
You can find the private key on the same page where you generated your public key. Once you have located your private key, copy and paste it to create a TXT file. Save the file since you will need it for the next step.
From here, go to your email server. In your email server, you will find one of your custom domains. Click the domain for which you want to set up DKIM. In this case, if your domain is “flip.com”, click this.
You will be redirected to a window with several tabs. One of them is a tab labeled “DKIM signing.”
To add your private DKIM key, you need to select the tab that says “DKIM signing.”
When you click the DKIM signing tab, you will see a field asking you for the private key. This is where the TXT file with the private key goes. Enter the filename of the TXT file. Do not copy and paste the private key itself.
Also in the DKIM signing window is a field for your selector. Add the key selector you created in Step 1.
Step 5: Send an Email from Your Domain
To test your new DKIM setup, all you need to do is to send a real email from your domain. You can send the email to yourself or any other computer. Whichever email address you send it to, it is important to check if the DKIM passed.
When you receive the email, there will be a drop-down menu on the right. Click on it to see if your email passed the DKIM test.
Step 6: See the Result of the DKIM Test
Click on the drop-down menu. Once you do this, you will see three things:
- The email’s subject header
- The SPF
- The DKIM result
You want to check the DKIM authentication result. If you see “passed,” then you have successfully set up DKIM for your domain. You can now begin implementing DKIM for your emails henceforth.
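A way to check the outcome of the steps above offline, as an added example that is not from the original article: `lint_record` checks the TXT name and value written in Step 2, and `check_message` reads the headers of the test message from Steps 5 and 6. The message, the receiver name mx.example.net and the key bytes are constructed, and the function names are hypothetical.

```python
import base64
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: headers of the Step 5 test message as a receiver might
# record them. Domain and selector are the article's; mx.example.net is made up.
SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=flip.com;
 dkim=pass header.d=flip.com header.s=key00001
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=flip.com;
 s=key00001; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Sender <news@flip.com>
To: me@example.net
Subject: DKIM test
"""
# Constructed record values: the key is placeholder bytes, not a real key.
KEY_B64 = base64.b64encode(b"placeholder key bytes").decode()
GOOD_VALUE = "v=DKIM1; k=rsa; p=" + KEY_B64
BAD_VALUE = "VDKIM1 ; p = -----BEGIN PUBLIC KEY-----" + KEY_B64

def tags(value):
    """Split a 'k=v; k=v' tag list (DKIM-Signature header or DKIM TXT value)."""
    pairs = (item.split("=", 1) for item in value.split(";") if "=" in item)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def lint_record(name, value, selector, domain):
    """Return a list of problems with the TXT record built in Step 2."""
    problems = []
    if name.rstrip(".").lower() != f"{selector}._domainkey.{domain}".lower():
        problems.append("name is not <selector>._domainkey.<domain>")
    t = tags(value)
    if t.get("v") != "DKIM1":
        problems.append("v= tag is missing or not DKIM1")
    try:
        if not base64.b64decode(t.get("p", ""), validate=True):
            raise ValueError("empty key")
    except ValueError:  # binascii.Error is a ValueError subclass
        problems.append("p= is empty or not clean base64 (PEM heading left in?)")
    return problems

def check_message(raw, selector, domain):
    """Summarize what the received test message says about DKIM (Steps 5-6)."""
    msg = message_from_string(raw)
    sig = tags(msg.get("DKIM-Signature", ""))
    verdict = re.search(r"\bdkim=(\w+)", msg.get("Authentication-Results", ""))
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return {
        "dkim_result": verdict.group(1) if verdict else "none",
        "signed_with_your_key": (sig.get("d"), sig.get("s")) == (domain, selector),
        "d_matches_from": sig.get("d", "").lower() == from_domain,
        "lookup_name": f"{sig.get('s')}._domainkey.{sig.get('d')}",
    }
```

A setup is in good shape when `lint_record` returns an empty list and `check_message` reports `pass` with both boolean fields true; `lookup_name` is the DNS name the receiver queried for your public key.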
Key Takeaway
DKIM, alongside other email security protocols, can do a lot more than ensuring that your email gets to where it needs to be. By promoting the inbox safety of your clients, DKIM promotes your domain reputation in a way that SPF alone cannot.
Indeed, the implementation of DKIM and other email protection protocols carries a steep learning curve.


