
DKIM Configuration Complete Guide: Key Generation, DNS Setup, and Best Practices

Master DKIM email authentication with comprehensive coverage of key generation, DNS record setup, selector management, key rotation, and troubleshooting for major email platforms.

By Inventive Software

DKIM Configuration Complete Guide

DKIM (DomainKeys Identified Mail) adds cryptographic signatures to your emails, allowing receivers to verify authenticity and detect tampering. This guide covers everything from key generation to production deployment.

How DKIM Works

DKIM Record Structure

Generating DKIM Keys

Using OpenSSL (Standard Method)

Output:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAszLfGbitgbShFNHJp4Em
7jPMCvyFMKFQtxCO/HaY5qUwSKm4LabCp6wP8SNX6ldPejuGbVE7YG+yuuOL4ffP
O69RZnRYftdE4bE6YNiQLTc9deGuuyI7S6BVEF7NbHIC30VVfENwY8pyoGk1lMgP
d4sdZEet7yQHgAwWYT2lPehcg657viWkjtdyvuEc8X0eVDVZq2cDh2WK0tz+PHcU
x7rx8iu1AG2JdJ779mjgu8tgTmE0dfuVbbI5jFZcXMCHfRgHQ/eP+0MX+18NC6KZ
U1qwfJtjBxW3imudhCQv+97M2fLxcbtndvlBYyZdEXf053N1tkc6PstACpxlVvgF
oQIDAQAB
-----END PUBLIC KEY-----

Format for DNS Record

Remove headers and line breaks to create the DNS value:

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAszLfGbitgbShFNHJp4Em7jPMCvyFMKFQtxCO/HaY5qUwSKm4LabCp6wP8SNX6ldPejuGbVE7YG+yuuOL4ffPO69RZnRYftdE4bE6YNiQLTc9deGuuyI7S6BVEF7NbHIC30VVfENwY8pyoGk1lMgPd4sdZEet7yQHgAwWYT2lPehcg657viWkjtdyvuEc8X0eVDVZq2cDh2WK0tz+PHcUx7rx8iu1AG2JdJ779mjgu8tgTmE0dfuVbbI5jFZcXMCHfRgHQ/eP+0MX+18NC6KZU1qwfJtjBxW3imudhCQv+97M2fLxcbtndvlBYyZdEXf053N1tkc6PstACpxlVvgFoQIDAQAB

DNS TXT Record Value:

Generating 4096-bit Keys (High Security)

Note: 4096-bit keys exceed DNS TXT record limits (255 chars per string). Most DNS providers handle splitting automatically, but verify your provider supports this.
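The steps above (strip the PEM armor, join the lines, fit the result into 255-character TXT strings) as an added Python example; this is not code from the original guide. It builds a placeholder RSA public key with a made-up modulus instead of generating a real key pair so it runs offline, and it also parses a published record back to confirm the key is RSA and report its size for both 2048- and 4096-bit keys; all function names are my own.

```python
import base64
import hashlib
import re
RSA_OID = bytes.fromhex("2a864886f70d010101")   # OID 1.2.840.113549.1.1.1, rsaEncryption

def _der(tag, body):
    """Minimal DER TLV encoder: short-form length below 0x80, otherwise 0x81/0x82 long forms."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body

def sample_rsa_pem(bits):
    """Hypothetical SubjectPublicKeyInfo PEM with a made-up modulus (NOT a real key), e=65537."""
    modulus = bytearray(hashlib.sha256(b"dkim-guide-sample").digest() * (bits // 256))
    modulus[0] |= 0x80                           # top bit set, so the modulus is exactly `bits` long
    rsa_key = _der(0x30, _der(0x02, b"\x00" + bytes(modulus)) + _der(0x02, b"\x01\x00\x01"))
    alg_id = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    b64 = base64.b64encode(_der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))   # PEM wraps at 64 chars
    return f"-----BEGIN PUBLIC KEY-----\n{lines}\n-----END PUBLIC KEY-----\n"

def pem_to_dkim_txt(pem):
    """Strip the PEM armor and line breaks, as described above, and prepend the v= and k= tags."""
    return "v=DKIM1; k=rsa; p=" + "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))

def split_txt_strings(value, limit=255):
    """Split a long TXT value into quoted <=255-byte strings; verifiers concatenate them again."""
    return [f'"{value[i:i + limit]}"' for i in range(0, len(value), limit)]

def _der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos; long-form lengths supported."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low 7 bits give the number of length bytes
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + length], pos + length

def parse_dkim_record(txt):
    """Join quoted TXT strings, parse tags, require v=DKIM1, and recover the RSA modulus size in bits."""
    txt = "".join(re.findall(r'"([^"]*)"', txt)) or txt
    tags = dict(re.findall(r"\s*([a-z]+)=([^;]*)", txt))
    if tags.get("v") != "DKIM1":
        raise ValueError("record must start with v=DKIM1")
    spki = base64.b64decode(tags["p"], validate=True)   # rejects stray characters from a bad paste
    body = _der_read(spki)[1]
    _, alg_id, nxt = _der_read(body)
    if _der_read(alg_id)[1] != RSA_OID:
        raise ValueError("published key is not rsaEncryption")
    rsa_key = _der_read(_der_read(body, nxt)[1][1:])[1]  # BIT STRING: skip the unused-bits octet
    return {"tags": tags, "key_bits": int.from_bytes(_der_read(rsa_key)[1], "big").bit_length()}
```

A 2048-bit record is already longer than one 255-character string, so the split is needed for every RSA key size, not only 4096-bit.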

Ed25519 Keys (Emerging Standard)

DNS Record for Ed25519:

Platform-Specific Configuration

Google Workspace

Admin Console Setup:

  1. Go to Admin Console → Apps → Google Workspace → Gmail
  2. Click Authenticate email
  3. Select your domain
  4. Click Generate new record
  5. Select 2048-bit key length
  6. Note the selector (e.g., )
  7. Copy the TXT record value

DNS Record:

  1. Wait 24-48 hours for propagation
  2. Return to Admin Console and click Start authentication

Microsoft 365

Exchange Admin Center Setup:

  1. Go to Exchange Admin Center → Mail flow → Rules
  2. Or use PowerShell:

DNS Records (CNAME):

Postfix (Linux Mail Server)

Install OpenDKIM:

Generate Keys:

Configure OpenDKIM (/etc/opendkim.conf):

Configure Key Table (/etc/opendkim/KeyTable):

Configure Signing Table (/etc/opendkim/SigningTable):

Configure Postfix (/etc/postfix/main.cf):

Start Services:

Amazon SES

Enable DKIM (AWS Console):

  1. Go to SES Console → Verified Identities
  2. Select your domain
  3. Go to Authentication tab → DKIM
  4. Click Generate DKIM tokens
  5. Add the provided CNAME records to DNS

DNS Records (CNAME):

Using AWS CLI:

SendGrid

Enable DKIM (Dashboard):

  1. Go to Settings → Sender Authentication
  2. Click Authenticate Your Domain
  3. Select DNS host and enter domain
  4. Add the provided DNS records

DNS Records:

DKIM Signature Header Explained

Canonicalization Explained

Key Rotation

Rotation Process

Rotation Script

Add this DNS record:

After DNS propagates, update these files:
KeyTable: mail2026._domainkey.example.com example.com:mail2026:/etc/opendkim/keys/example.com/mail2026.private
Then restart: systemctl restart opendkim

Testing and Verification

Verify DNS Record

"v=DKIM1; p="

Server:   192.168.1.1
Address:  192.168.1.1#53

Non-authoritative answer:
mail._domainkey.example.com text = "v=DKIM1; p="

Authoritative answers can be found from:

mail._domainkey.example.com descriptive text "v=DKIM1; p="

Test with Email

Send a test email to a major provider (Gmail, Outlook) and check headers:

Online Testing Tools

  1. mail-tester.com - Send email, get detailed report
  2. dkimvalidator.com - Check DNS record format
  3. mxtoolbox.com/dkim.aspx - DNS lookup and validation

Command-Line Testing

Troubleshooting

Common Errors

Cause | Solution
DNS record missing or not propagated | Check DNS, wait for propagation
Key mismatch or message modified | Verify key pair match, check intermediaries
Body modified in transit | Use relaxed canonicalization
DNS timeout | Check DNS server availability
Malformed DNS record | Fix syntax errors in TXT record

Debug Checklist

Best Practices

Security Recommendations

  1. Use 2048-bit RSA keys minimum - 1024-bit is deprecated
  2. Rotate keys annually - More frequently for high-security
  3. Protect private keys - Restrict file permissions, consider HSM
  4. Use relaxed canonicalization - Better survivability
  5. Sign important headers - from, to, subject, date, message-id
  6. Monitor DMARC reports - Detect misconfigurations early

Selector Naming Conventions

Convention | Use Case
Service-based | Third-party email services
Date-based | Key rotation tracking
Sequential | Simple rotation
Environment | Multiple environments

Multiple Sender Configuration

Tools

Frequently Asked Questions


DKIM (DomainKeys Identified Mail) is an email authentication method that uses cryptographic signatures to verify that an email was sent by an authorized sender and hasn't been modified in transit. The sending server signs emails with a private key, and the receiving server verifies the signature using the public key published in DNS.

Use 2048-bit RSA keys for DKIM. While 1024-bit keys are still supported, they're considered weak. Some organizations use 4096-bit keys for extra security, but be aware of DNS TXT record length limits (255 characters per string, though records can be split). Ed25519 keys are an emerging alternative with smaller key sizes.

Generate a DKIM key pair using OpenSSL: 'openssl genrsa -out private.key 2048' for the private key, then 'openssl rsa -in private.key -pubout -out public.key' for the public key. Extract the key content (without headers) and format it as a single line for the DNS TXT record.

A DKIM selector is a string that identifies which public key to use for verification. It's part of the DNS lookup (selector._domainkey.domain.com). Selectors allow multiple DKIM keys for different services (e.g., 'google' for Google Workspace, 's1' for your mail server) and enable key rotation without downtime.

Rotate DKIM keys annually at minimum, or quarterly for high-security environments. The process involves: generating a new key pair with a new selector, publishing the new public key in DNS, updating the mail server to sign with the new key, keeping the old public key in DNS for 30 days (for emails in transit), then removing the old record.

Common causes of DKIM verification failures include: a DNS record that is not properly formatted or has not propagated, a private key that does not match the published public key, message modification by intermediary servers (forwarding, mailing lists), incorrect header canonicalization, or a signing domain that doesn't match the From domain. Check the Authentication-Results header for the specific failure reason.

While technically possible using a shared selector, it's not recommended. Each domain should have its own DKIM key pair for security isolation. If one key is compromised, only that domain is affected. Most email services generate domain-specific keys automatically.

Canonicalization determines how headers and body are normalized before signing. Relaxed (recommended) is forgiving: it ignores extra whitespace and header case, surviving minor modifications in transit. Strict requires exact match, failing if anything changes. Use 'relaxed/relaxed' (header/body) for better deliverability.
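To make the canonicalization modes and the "message modified in transit" failure above concrete, here is an added Python example (not from the original guide) that implements RFC 6376 simple and relaxed body and header canonicalization, parses a DKIM-Signature tag list into the selector._domainkey.domain lookup name, and recomputes bh= to show which mode survives a relay that alters whitespace. The message body and header values are constructed samples, and the function names are my own.

```python
import base64
import hashlib
import re

def simple_body(body):
    """RFC 6376 3.4.3 'simple': keep bytes as-is, only reduce trailing empty lines to one CRLF."""
    body = re.sub(r"(\r\n)+$", "\r\n", body)
    return body if body.endswith("\r\n") else body + "\r\n"

def relaxed_body(body):
    """RFC 6376 3.4.4 'relaxed': collapse WSP runs, strip trailing WSP per line, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)

def relaxed_header(name, value):
    """RFC 6376 3.4.2: lowercase the field name, unfold, collapse WSP, no WSP around the colon."""
    value = re.sub(r"[ \t]+", " ", re.sub(r"\r\n[ \t]+", " ", value)).strip(" \t")
    return f"{name.lower()}:{value}\r\n"

def body_hash(body, canon="simple"):
    """Compute the bh= value (base64 SHA-256) a verifier derives from the canonicalized body."""
    data = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    return base64.b64encode(hashlib.sha256(data.encode()).digest()).decode()

def parse_dkim_signature(value):
    """Split a DKIM-Signature tag list (v=, a=, c=, d=, s=, h=, bh=, b=) into a dict."""
    unfolded = re.sub(r"\r\n[ \t]+", "", value)
    return {k.strip(): v.strip() for k, v in (t.split("=", 1) for t in unfolded.split(";") if "=" in t)}

def dns_lookup_name(sig):
    """Where the verifier fetches the public key: selector._domainkey.signing-domain."""
    return f"{sig['s']}._domainkey.{sig['d']}"

def body_hash_matches(sig, body):
    """Recompute bh= with the body canonicalization named in c= (second half; default simple)."""
    body_canon = sig.get("c", "simple/simple").partition("/")[2] or "simple"
    return body_hash(body, body_canon) == re.sub(r"\s", "", sig["bh"])

# Constructed sample: the body as signed, and the same body after a relay touched whitespace.
ORIGINAL_BODY = "Hello,\r\n\r\nInvoice\tattached.\r\n\r\n"
RELAYED_BODY = "Hello,  \r\n\r\nInvoice attached. \r\n\r\n\r\n"

if __name__ == "__main__":
    for canon in ("simple/simple", "relaxed/relaxed"):
        sig = {"c": canon, "bh": body_hash(ORIGINAL_BODY, canon.split("/")[1])}
        print(canon, "survives relay:", body_hash_matches(sig, RELAYED_BODY))
```

Note that c=relaxed alone means relaxed headers with a simple body, so a body touched in transit still fails unless the second half is relaxed too.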

In Google Admin Console: go to Apps > Google Workspace > Gmail > Authenticate email, select your domain, click 'Generate new record', choose 2048-bit key length, copy the provided TXT record value, add it to your DNS as selector._domainkey.yourdomain.com, wait for propagation, then click 'Start authentication'.

Yes, DKIM complements SPF and both are needed for proper email authentication. SPF verifies the sending server's IP, while DKIM verifies the message wasn't altered and cryptographically proves domain ownership. DMARC requires either (or both) to pass with alignment for full protection.
