A DKIM (DomainKeys Identified Mail) DNS record is a component of the DKIM email authentication system used to verify the authenticity and integrity of email messages. DKIM allows the receiving mail server to verify that an email message originated from the claimed domain and that its content has not been modified during transit.
Here are the key points to understand about DKIM DNS records:
Signing Domain: The DKIM DNS record is associated with a specific domain, known as the "signing domain." This is typically the domain of the sender's email address or the domain responsible for sending the email.
Selector: The DKIM record is further identified by a "selector" value, which is a label used to distinguish between different DKIM keys associated with the signing domain. The selector is usually specified by the sender and is part of the DKIM signature added to the email message.
Public Key: The DKIM DNS record contains the public key used to verify the DKIM signatures applied to outgoing email messages. This public key is generated by the signing domain and corresponds to the private key used to create the signatures.
DNS TXT Record: The DKIM DNS record is stored as a TXT (text) record in the DNS zone of the signing domain. The TXT record contains the public key and other relevant information required for DKIM verification.
Selector Prefix: The DKIM DNS record name is formed by joining the selector, the fixed label "_domainkey", and the signing domain, i.e. "selector._domainkey.domain". For example, if the selector is "default," the DKIM DNS record for domain.com would be "default._domainkey.domain.com".
Record Format: The DKIM DNS record consists of a series of key-value pairs enclosed within double quotation marks. These key-value pairs include the "v" (version), "k" (key type), and "p" (public key) fields.
DNS Record Lookup: When an email is received, the recipient's mail server retrieves the DKIM DNS record associated with the signing domain and selector. It uses this record to obtain the public key necessary to verify the DKIM signature applied to the email message.
By implementing DKIM DNS records, email senders can enhance the credibility and deliverability of their messages. DKIM helps prevent email spoofing, tampering, and impersonation by providing a cryptographic mechanism to validate the authenticity and integrity of the sender's domain. Email recipients can check the DKIM signature and DKIM DNS record to verify the legitimacy of incoming emails and make informed decisions about their handling and delivery.
EXAMPLE
default._domainkey.example.com
The signing domain is "example.com".
The selector is "default".
The DKIM DNS record is stored as a TXT record at the name "default._domainkey.example.com", i.e. under the "_domainkey" subdomain of "example.com".
The record contains the public key ("p") used for DKIM signature verification.
The public key value is truncated ("...") for brevity.
Note that the public key value is typically much longer and consists of a complete RSA or ECC key. The "v" field specifies the DKIM version, and the "k" field specifies the key type (in this case, "rsa"). The "p" field contains the actual public key value.
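The lookup and record format described in the key points above and in this example, worked through in code. This is an added example and not code from the original page: it takes the d= (signing domain) and s= (selector) tags from a DKIM-Signature header, builds the "selector._domainkey.domain" query name, joins the quoted strings a resolver returns for a long TXT record, and validates the v/k/p tags, treating an empty p= as a revoked key. The signature header, the TXT strings and the key bytes are constructed placeholders (the "public key" is not a real RSA key), and no live DNS query is made; a real verifier would resolve the returned name and feed the TXT strings into the same parser.

```python
"""Build the DKIM query name from a DKIM-Signature and parse the TXT key record.

Added example, not code from the original page. Standard library only; the
sample header, TXT strings and key bytes below are constructed placeholders.
"""
import base64
import re

# Constructed sample DKIM-Signature header value (folded across two lines).
# bh= and b= are placeholder base64, not a real body hash or signature.
SAMPLE_SIGNATURE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=default;\r\n"
    "\th=from:to:subject:date; bh=cGxhY2Vob2xkZXI=; b=cGxhY2Vob2xkZXI="
)
# Placeholder key bytes, base64-encoded so that the p= value is syntactically valid.
PLACEHOLDER_KEY_BYTES = b"placeholder-not-a-real-rsa-key" * 4
PLACEHOLDER_KEY_B64 = base64.b64encode(PLACEHOLDER_KEY_BYTES).decode("ascii")
# Resolvers return a long TXT record as several quoted strings of at most 255
# bytes each; they must be concatenated before the tag list is parsed.
SAMPLE_TXT_STRINGS = [
    "v=DKIM1; k=rsa; p=" + PLACEHOLDER_KEY_B64[:60],
    PLACEHOLDER_KEY_B64[60:],
]

_TAG_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")
_LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_tag_list(text):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict.

    Folding whitespace may surround tags and values, so both are stripped.
    Tag names are case-sensitive and may appear only once.
    """
    tags = {}
    for field in text.split(";"):
        if not field.strip():
            continue  # trailing ";" or empty field
        if "=" not in field:
            raise ValueError(f"malformed tag field: {field!r}")
        name, value = field.split("=", 1)
        name = name.strip()
        if not _TAG_RE.match(name):
            raise ValueError(f"invalid tag name: {name!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value.strip()
    return tags


def dkim_record_name(selector, domain):
    """Build the DNS name to query for the public key: <selector>._domainkey.<domain>."""
    for label in selector.split(".") + domain.split("."):
        if not _LABEL_RE.match(label):
            raise ValueError(f"invalid DNS label: {label!r}")
    return f"{selector}._domainkey.{domain}"


def record_name_from_signature(header_value):
    """Read d= (signing domain) and s= (selector) from a DKIM-Signature header value."""
    sig = parse_tag_list(header_value)
    if sig.get("v") != "1":
        raise ValueError("unsupported DKIM-Signature version")
    for required in ("a", "b", "bh", "d", "h", "s"):
        if required not in sig:
            raise ValueError(f"DKIM-Signature missing required tag {required}=")
    return dkim_record_name(sig["s"], sig["d"])


def join_txt_strings(strings):
    """Concatenate the character-strings of one TXT RR into the full tag list."""
    return "".join(strings)


def parse_dkim_record(txt):
    """Validate a DKIM key record and decode its public key.

    Returns the version, key type, the decoded public key bytes as published,
    and a "revoked" flag: an empty p= means the key was revoked and no
    signature made with it can verify.
    """
    tags = parse_tag_list(txt)
    # v= is optional in key records, but if present it must be DKIM1 and come first.
    if "v" in tags:
        if tags["v"] != "DKIM1":
            raise ValueError(f"unsupported key record version: {tags['v']!r}")
        if next(iter(tags)) != "v":
            raise ValueError("v= must be the first tag when present")
    if "p" not in tags:
        raise ValueError("key record has no p= tag")
    key_type = tags.get("k", "rsa")  # k= defaults to rsa when absent
    p_value = re.sub(r"\s+", "", tags["p"])  # whitespace inside the base64 is allowed
    if p_value == "":
        return {"v": tags.get("v"), "k": key_type, "public_key": None, "revoked": True}
    try:
        key_bytes = base64.b64decode(p_value, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("p= is not valid base64") from exc
    return {"v": tags.get("v"), "k": key_type, "public_key": key_bytes, "revoked": False}


if __name__ == "__main__":
    name = record_name_from_signature(SAMPLE_SIGNATURE_HEADER)
    print("query TXT:", name)
    record = parse_dkim_record(join_txt_strings(SAMPLE_TXT_STRINGS))
    print("key type:", record["k"], "revoked:", record["revoked"],
          "key bytes:", len(record["public_key"]))
```

Note that the "s" tag means different things in the two places: in the DKIM-Signature header it is the selector, while in the key record an optional "s" tag names the service type, which is why the parser only reads the selector from the header. The decoded p= bytes are the DER-encoded public key; checking that they parse as an RSA (or, for k=ed25519, a raw Ed25519) key is the next step a verifier performs with a cryptography library before checking the signature itself.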
Remember, when setting up DKIM for your own domain, you'll need to generate the appropriate public-private key pair and publish the corresponding DKIM DNS record in your DNS zone. The specific steps may vary depending on your DNS provider and email server setup.