This article explains what a DKIM DNS record is, how the DKIM record name is formed, and what information is usually included in the record value.
Overview
DKIM stands for DomainKeys Identified Mail. DKIM is an email authentication method that allows a receiving mail server to check whether an email message was signed by the domain that sent it and whether the message was changed after it was signed.
A DKIM DNS record publishes the public key that receiving mail servers use to verify a DKIM signature.
What This Means
DKIM uses a key pair.
The sending mail system uses a private key to sign outgoing email.
The matching public key is published in DNS as a TXT record.
When a receiving mail server checks the message, it reads the DKIM signature in the email header.
The DKIM signature identifies the signing domain and selector.
The receiving mail server uses those values to look up the matching DKIM TXT record in DNS.
DKIM Record Name Format
A DKIM DNS record is published below the _domainkey label of the signing domain.
The record name uses this format:
selector._domainkey.signing-domain
Example:
default._domainkey.example.com
- default is the selector.
- _domainkey is the DKIM namespace label.
- example.com is the signing domain.
DKIM Record Value Format
A DKIM record is stored as a TXT record.
The TXT value contains key-value pairs that describe the DKIM key and publish the public key.
Common DKIM TXT fields include:
- v=DKIM1 identifies the record as a DKIM record.
- k=rsa identifies the key type when RSA is used.
- p= contains the public key value.
Example
The following example shows a DKIM TXT record for the selector default and the signing domain example.com.
default._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."
In this example:
- The signing domain is example.com.
- The selector is default.
- The DKIM DNS record is published at default._domainkey.example.com.
- The p value contains the public key used for DKIM signature verification.
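The lookup name and record value described above can be checked with a short script. This is an added Python example, not part of the original article: it builds the record name from the signature's d= (signing domain) and s= (selector) tags and verifies that an RSA p= value decodes to a complete DER structure, which catches a cut-off copy. The function names and sample values are constructed for illustration; the sample key is zero bytes in valid framing, not a real key.

```python
import base64
import binascii
import re

def parse_tags(value):
    """Split 'tag=value; tag=value' into a dict, removing whitespace inside values."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def record_name(dkim_signature):
    """Build selector._domainkey.signing-domain from the s= and d= signature tags."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}"

def check_txt_value(txt_value):
    """Return a list of problems in a DKIM TXT value (empty list = looks intact)."""
    tags = parse_tags(txt_value)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is present but not DKIM1")
    if not tags.get("p"):
        return problems + ["p= is missing or empty"]
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except binascii.Error:
        return problems + ["p= is not valid base64 (cut off or altered)"]
    if tags.get("k", "rsa") != "rsa":
        return problems  # the DER framing check below applies to RSA keys only
    # DER framing: 0x30 (SEQUENCE), then a length field that must match the data.
    if len(der) < 2 or der[0] != 0x30:
        return problems + ["p= does not decode to a DER SEQUENCE"]
    if der[1] < 0x80:
        header, body = 2, der[1]
    else:
        n = der[1] & 0x7F
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + body != len(der):
        problems.append(f"p= length mismatch: DER declares {header + body} bytes, got {len(der)}")
    return problems

# Constructed samples: valid DER framing (30 81 9f) around zero bytes, not a real key.
SAMPLE_P = base64.b64encode(bytes([0x30, 0x81, 0x9F]) + bytes(159)).decode()
SAMPLE_TXT = f"v=DKIM1; k=rsa; p={SAMPLE_P}"
SAMPLE_SIG = "v=1; a=rsa-sha256; d=example.com; s=default; h=from:to:subject; bh=...; b=..."
```

Run check_txt_value on the exact string you are about to paste into the TXT record; an empty list means the tags parse and the key data is complete.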
What You Need to Configure DKIM
The DKIM record details are usually provided by the email service, mail server, or application that sends email for your domain.
Before creating the DKIM TXT record, collect the following details from your email provider or mail administrator:
- The signing domain.
- The selector.
- The full DKIM TXT record value.
- The required hostname or record name where the TXT record must be created.
Important Notes
- A DKIM record is usually created as a TXT record.
- The selector is part of the DKIM DNS record name.
- The public key value is often long and must be copied exactly as provided.
- An incomplete or incorrectly copied DKIM public key can cause DKIM verification to fail.
- UltraDNS stores the TXT record value that is configured in the DNS zone. The email signing system controls the private key and the DKIM signature added to outbound messages.
Expected Outcome
After the DKIM TXT record is created and available in DNS, receiving mail servers can retrieve the public key and use it to verify DKIM signatures for messages signed by the corresponding selector and signing domain.