
DKIM

DomainKeys Identified Mail (DKIM) is a message-based signature scheme that uses cryptography to sign email and verify that your email was not altered in transit. Email signed with DKIM confirms your legitimacy and trustworthiness as a sender, which helps deliver your messages to a recipient’s inbox rather than to their junk or spam folders. Over time, DKIM can have a positive impact on your domain reputation, improving your email deliverability.

A DKIM record is a specially formatted DNS TXT record that stores the public key to be used by receiving email servers when verifying a message’s signature. A DKIM record might look something like this:

v=DKIM1;t=s;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBzXkunA
132Pf3SwHF7UKTODjFW8JKXUFWCHcNLvRHPCFDzJDPuAuoZq0XAIoOStu+Qq+/
ggm1zDYbgsaIkOmkBWV9m/NPQ3BbXNEnCqjsyVxWlrQs0R01W4ihsHM8BkbE7
dGRot1DdDM1HBMxrMDEOPuEZaNjtpgcJVRqswz7YwIDAQAB

Where:

  • v=DKIM1 indicates the DKIM version
  • p indicates the type of key (in this case, public)
  • the very long string that starts with MIGfMA0GC is the public key

The DKIM protocol has two steps which utilize a public/private key pair.

  1. As your email traverses the outgoing gateway, a DKIM signature is added to the headers of the email. The signature is generated by encoding a hash of the message body and headers (not the envelope) using the private key. The resulting value is added as a message header.
  2. Recipient servers use the public key published in the selector record to check the DKIM signature on incoming messages. Once the signature is verified with the public key by the recipient, the message passes DKIM and is considered authentic - meaning the source of the message has been verified, and the body wasn’t changed in transit.

DKIM Requirements

All domains which send email are required to have DKIM signing configured for outbound messages.

info

DKIM signing is already configured for email originating in TAMU Gmail, Microsoft 365 Exchange, and applications configured to send email through smtp-relay.tamu.edu.

All outgoing email, including email sent from third parties like cloud-hosted applications and marketing platforms, should be DKIM signed to ensure deliverability.

See KB0021277 for more information on sending mail using third party mailers.

warning

Messages relayed to external systems via the gateway.tamu.edu delivery setting do not include a DKIM signature.

These messages will not deliver to Gmail and Yahoo recipients starting in February 2024.

Check a DKIM Record

The easiest way to view a DKIM record is to use the command line:

  1. Open a console or command line on your computer.
  2. Type nslookup -q=txt <selector>._domainkey.<subdomain> where <selector> is the DKIM selector and <subdomain> is the subdomain name.

info

At Texas A&M, the <selector> is usually generated by prepending pp to the last six characters of the MD5 hash of the domain name. For example, the domain itsec.tamu.edu would have a selector of pp8c7326.

  3. Press "Enter" to execute the command.
  4. The output will display the DKIM record for the domain, including the public key and other information.

For example:

echo -n 'itsec.tamu.edu' | md5sum
143825e21a964eeb4309c2cebc8c7326 -

nslookup -q=txt pp8c7326._domainkey.itsec.tamu.edu
;; Truncated, retrying in TCP mode.
Server: 128.194.254.1
Address: 128.194.254.1#53

pp8c7326._domainkey.itsec.tamu.edu text = "v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3MYooD9FUigquzWIyVZlnsDAV5Ma" "72SuKngNyMXssCzk4ecJSozKVBh589KyYNvyKJQ6SVCytbnlLle0YCGnmvMLr9Z513pf80HfXA0GBqPbmBAvoI+hr3LjCSgmo3jhzb69Bt45YjXNnMNGcP6sL2Ybxt2F" "QLkqVBlj8TRd0iskSAXLiKn3dwzjt4eeYzBs/Iz+9omL4sbGzR07hIx9HIq0NI2Q7WZi0HuDDyYtbNFKlMjlBjfpkKrnQxUkUW6Fq5l9zf1yBrSpTXfvHT/8AGzYO3U/" "wK1hUIB7d9I6+s0pK1At9zSFBAdXw/2Ze79wDBTBZ6bdGr8Hs4aWzyiFIQIDAQAB"
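
The steps above can be scripted. The following is an added example, not part of the original page or any Texas A&M tooling: it derives the selector using the convention described above, joins the separately quoted strings that nslookup prints for a long key, and checks that the record carries a usable p= value. The function names and the sample answer line are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: derive the selector and sanity-check a DKIM TXT record.

# Convention from this page: "pp" + last six hex characters of md5(domain).
dkim_selector() {
    printf 'pp%s\n' "$(printf '%s' "$1" | md5sum | cut -c27-32)"
}

# Long keys come back as several quoted strings in the TXT answer.
# Keep only the quoted chunks and join them into one record.
dkim_join_txt() {
    grep -o '"[^"]*"' | tr -d '"\n'
}

# Print the value of one tag (v, t, p, ...) from a joined record.
# Whitespace is dropped first: it is not significant around tags or
# inside the base64 key.
dkim_tag() {
    printf '%s\n' "$2" | tr -d ' \t' | tr ';' '\n' |
        sed -n "s/^$1=//p" | head -n 1
}

# Exit status 0 if the record can be used to verify signatures, else 1.
dkim_check() {
    chk_v=$(dkim_tag v "$1")
    chk_p=$(dkim_tag p "$1")
    if [ -n "$chk_v" ] && [ "$chk_v" != "DKIM1" ]; then
        echo "unexpected version: $chk_v"; return 1
    fi
    if [ -z "$chk_p" ]; then
        echo "no public key: record missing, or p= empty (key revoked)"
        return 1
    fi
    echo "ok: p= carries ${#chk_p} base64 characters"
}

# Constructed sample of an nslookup answer line (fake, shortened key).
SAMPLE='sel._domainkey.example.test text = "v=DKIM1; p=QUJD" "REVG"'

# Live lookup when a domain is given (needs nslookup and network access),
# e.g. sh dkim_check.sh itsec.tamu.edu; otherwise check the sample.
if [ -n "${1:-}" ]; then
    dkim_check "$(nslookup -q=txt "$(dkim_selector "$1")._domainkey.$1" | dkim_join_txt)"
else
    dkim_check "$(printf '%s\n' "$SAMPLE" | dkim_join_txt)"
fi
```

An empty p= value means the key has been revoked, so a record can exist in DNS and still fail every signature check.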