What is a custom DKIM signature and what are the benefits and best practices for using it?

Summary

DKIM (DomainKeys Identified Mail) is an email authentication mechanism that adds a digital signature to email headers. This signature, verified against a public key in the DNS record, confirms the sender's identity and ensures the message's integrity. DKIM prevents spoofing and phishing, improves deliverability by building trust with mailbox providers, and enhances sender reputation. Key practices include using 2048-bit keys, regular rotation, monitoring DKIM reports, integrating with DMARC/SPF, and signing different mail streams with unique signatures to categorise emails.

Key findings

  • Purpose: DKIM validates email source and integrity using digital signatures.
  • Mechanism: It uses asymmetric cryptography with public keys in DNS records.
  • Benefits: It prevents spoofing, improves deliverability and enhances sender reputation.
  • DMARC: DKIM is a crucial component of DMARC.
  • Mail Streams: Different mail streams (corporate, marketing, etc.) can use custom DKIM signatures.

Key considerations

  • Key Length: Use 2048-bit or greater keys for strong security.
  • Key Rotation: Regularly rotate DKIM keys to mitigate compromise risks.
  • Monitoring: Monitor DKIM reports to detect authentication issues.
  • Testing: Test DKIM setup with online checkers.
  • Implementation: Configure email servers to sign outgoing messages.
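
One way to check the key-length and rotation points above against a published key record, added here as an illustration and not taken from any source the page cites. It parses the TXT value found at `<selector>._domainkey.<domain>`, reads the RSA modulus size from the `p=` tag, and treats an empty `p=` as a revoked key; the function names and sample records are constructed, and the sample moduli are filler bytes, not usable keys.

```python
import base64
import re

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus in a DER SubjectPublicKeyInfo."""
    _, spki, _ = _tlv(spki_der, 0)          # outer SEQUENCE
    _, _, after_alg = _tlv(spki, 0)         # AlgorithmIdentifier
    _, bitstr, _ = _tlv(spki, after_alg)    # BIT STRING holding RSAPublicKey
    _, rsa_key, _ = _tlv(bitstr, 1)         # skip the unused-bits byte
    _, modulus, _ = _tlv(rsa_key, 0)        # first INTEGER is the modulus
    return int.from_bytes(modulus, "big").bit_length()

def audit_dkim_record(txt, min_bits=2048):
    """Return (verdict, bits) for a DKIM key record's TXT value."""
    txt = "".join(re.findall(r'"([^"]*)"', txt)) or txt  # rejoin split TXT strings
    pairs = (t.split("=", 1) for t in txt.split(";") if "=" in t)
    tags = {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}
    if tags.get("k", "rsa") != "rsa":
        return "not-rsa", None
    if not tags.get("p"):
        return "revoked", None              # RFC 6376: empty p= marks a revoked key
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return ("ok" if bits >= min_bits else "weak"), bits

def _der(tag, body):  # DER-encode one element; only used to build the samples
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_record(bits):
    """Constructed record: the modulus is filler of the right size, not a usable key."""
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa_key = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
    p = base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsa_key))).decode()
    return f'"v=DKIM1; k=rsa; p={p[:200]}" "{p[200:]}"'  # split like a long TXT record

if __name__ == "__main__":
    for rec in (sample_record(2048), sample_record(1024), "v=DKIM1; k=rsa; p="):
        print(audit_dkim_record(rec))
```

Running the same check across every selector a domain publishes shows which keys are still below 2048 bits and which retired selectors have not yet been revoked.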

What email marketers say
15 Marketer opinions

A custom DKIM signature is a digital signature added to email headers that authenticates the sender and ensures the message's integrity. DKIM helps prevent email spoofing and phishing, improves deliverability by building trust with mailbox providers, and enhances sender reputation. Best practices include using a key length of 2048 bits, regularly rotating keys, monitoring DKIM reports, and implementing DKIM as part of a broader email authentication strategy with SPF and DMARC. Custom DKIM signatures can also be used to categorize mail streams for different parts of the business, improving deliverability further.

Key opinions

  • Definition: DKIM is an email authentication mechanism that uses a digital signature to verify the sender's identity and ensure message integrity.
  • Deliverability: DKIM improves email deliverability by helping mailbox providers differentiate legitimate senders from spammers.
  • Spoofing Protection: DKIM protects against email spoofing and phishing attacks by making it harder for malicious actors to impersonate legitimate senders.
  • DMARC Integration: DKIM is a crucial component of DMARC, providing a strong defense against email-based attacks when implemented together.
  • Brand Reputation: Properly implemented DKIM enhances brand reputation by ensuring emails are authenticated and domains are protected from spoofing.

Key considerations

  • Key Length: Use a DKIM key length of at least 2048 bits for optimal security.
  • Key Rotation: Regularly rotate DKIM keys to minimize the impact of potential key compromise.
  • Monitoring: Monitor DKIM reports to identify and address any authentication issues.
  • Setup Process: Setting up DKIM involves generating a key pair, adding the public key to DNS, and configuring the email server to sign outgoing messages.
  • Mail Stream Categorisation: Consider custom DKIM signatures to categorize mail streams by separating emails for different parts of the business for enhanced deliverability.

Marketer view

Email marketer from SparkPost shares that DKIM is important for improving email deliverability. When you DKIM sign your emails, you are telling mailbox providers that you are a legitimate sender and that your emails should be delivered to the inbox, not the spam folder. This builds trust between the sender and the receiver.

November 2023 - SparkPost

Marketer view

Marketer from Email Geeks explains that different types of messages within your mail streams (e.g. corporate, marketing email, service desk) should have their own different custom DKIM signatures. If the autoresponder emails are not marketing related, then they should have a different signature. The objective is to help receivers understand the different types of email you are sending out.

December 2022 - Email Geeks

Marketer view

Email marketer from Mailjet shares that DKIM is an email authentication method designed to detect email spoofing. It allows the receiving mail server to verify that an email claimed to have originated from a specific domain was indeed authorized by the owner of that domain. By using a digital signature, DKIM ensures that the message was not altered during transit.

December 2023 - Mailjet

Marketer view

Marketer from Email Geeks shares that it helps receivers differentiate your email stream from others, which can help with deliverability.

May 2024 - Email Geeks

Marketer view

Marketer from Email Geeks explains that a custom DKIM signature means that the domain is using DKIM signing.

June 2024 - Email Geeks

Marketer view

Email marketer from GlockApps explains that monitoring DKIM is essential for detecting and resolving any authentication issues. Regular monitoring helps to ensure that emails are properly authenticated and that the sender's reputation is protected. Tools like GlockApps provide DKIM monitoring and reporting capabilities.

November 2021 - GlockApps

Marketer view

Email marketer from SendGrid recommends using a DKIM key size of 2048 bits for optimal security. Shorter key lengths may be vulnerable to attacks, while longer key lengths provide better protection against spoofing and tampering. Regularly rotating your DKIM keys is also a good security practice.

July 2023 - SendGrid

Marketer view

Marketer from Email Geeks responds that if you have a very large email marketing programme with multiple distinct brands and domains, then multiple (per-domain) DKIM signatures may be useful; otherwise, if you are just using your ESP to send from one domain, then one custom DKIM signature is fine.

May 2023 - Email Geeks

Marketer view

Email marketer from StackExchange user u/email_admin explains that to set up DKIM, you need to generate a public/private key pair, add the public key to your DNS record, and configure your email server to sign outgoing messages with the private key. Test your DKIM setup using online DKIM checkers to ensure that it is working correctly.

October 2024 - StackExchange

Marketer view

Email marketer from AuthSMTP explains that best practices for DKIM include using a key length of at least 2048 bits for stronger security, regularly rotating DKIM keys to minimize the impact of potential key compromise, and monitoring DKIM reports to identify and address any authentication issues.

December 2022 - AuthSMTP

Marketer view

Email marketer from EasyDMARC shares that implementing DKIM offers several benefits, including improved email deliverability, enhanced sender reputation, and protection against phishing attacks. DKIM ensures that your emails are authenticated, making it harder for attackers to spoof your domain and send malicious emails.

July 2022 - EasyDMARC

Marketer view

Email marketer from MXToolbox shares that validating DKIM involves verifying the DKIM signature in the email header against the public key published in the DNS record. Tools like MXToolbox can be used to check if a DKIM signature is valid and if the email has been tampered with during transit.

October 2022 - MXToolbox

Marketer view

Marketer from Email Geeks explains that DKIM is an email authentication mechanism that allows a sender to apply a digital signature to an email and associate that signature with a domain name. It uses asymmetric cryptography where the public key is stored in the DNS and the private key is kept with the sender. Ideally you want to DKIM sign all of your outbound emails.

January 2023 - Email Geeks

Marketer view

Email marketer from Reddit user u/email_expert shares that DKIM is a crucial component of DMARC (Domain-based Message Authentication, Reporting & Conformance). Implementing both DKIM and DMARC provides a strong defense against email spoofing and phishing attacks, ensuring that only legitimate emails are delivered to your recipients.

June 2024 - Reddit

Marketer view

Email marketer from Postmark shares that DKIM helps to improve brand reputation by ensuring that your emails are properly authenticated and that your domain is protected from spoofing. A strong brand reputation leads to better email deliverability and improved customer engagement.

October 2021 - Postmark

What the experts say
2 Expert opinions

DKIM (DomainKeys Identified Mail) is a method for validating the source and integrity of email messages. It uses cryptographic signatures to verify that an email originated from the claimed domain and has not been altered during transit. This process involves adding a digital signature to the email header, which receiving servers can validate against the sender's public key in the DNS record. Implementing DKIM helps to prevent email spoofing and phishing attacks, improving deliverability and building trust with recipients.

Key opinions

  • Validation of Source: DKIM provides a method for validating the source of email messages.
  • Integrity Verification: It verifies that an email has not been altered during transit.
  • Prevention of Spoofing: DKIM helps prevent email spoofing and phishing attacks.
  • DNS Validation: The digital signature is validated against the sender's public key published in the DNS record.

Expert view

Expert from Spamresource answers that the purpose of DKIM is to provide a way for receiving email servers to verify that an email message was indeed sent from the domain it claims to be from and that the message has not been altered in transit. This is done by adding a digital signature to the email header, which the recipient's server can then validate against the sender's public key published in the DNS record.

April 2024 - Spamresource

Expert view

Expert from Word to the Wise explains that DomainKeys Identified Mail (DKIM) provides a method for validating the source and integrity of email messages. It uses cryptographic signatures to verify that an email has not been altered during transit and that it originated from the claimed domain. Implementing DKIM helps to prevent email spoofing and phishing attacks, improving deliverability and building trust with recipients.

February 2022 - Word to the Wise

What the documentation says
4 Technical articles

DKIM (DomainKeys Identified Mail) is a mechanism that allows email senders to digitally sign their messages, attaching a cryptographic signature to the email header. Receiving servers can then verify this signature against the sender's public key published in the DNS record, confirming that the message truly came from the claimed sender, was not altered during transit, and that the domain takes responsibility for the message. This process provides an authentication framework for email, increasing trust and preventing spoofing.

Key findings

  • Digital Signatures: DKIM involves attaching a digital signature to outgoing email messages.
  • Verification Process: Receiving servers verify the signature using the sender's public key from the DNS record.
  • Message Integrity: DKIM confirms that messages were not altered during transit.
  • Sender Authentication: DKIM confirms that messages truly came from the claimed sender.
  • Spoofing Prevention: DKIM helps prevent email spoofing by ensuring the message's authenticity.
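
How a receiver detects a message altered in transit, as an added example that is not code from the cited documentation: the signer places a hash of the canonicalized body in the `bh=` tag of the `DKIM-Signature` header, and the receiver recomputes it from the body it actually received. This covers only the body-hash step; verifying the signature over the headers against the DNS key is not shown, and the sample header, domain and selector are constructed.

```python
import base64
import hashlib
import re

def canonical_body(body, mode):
    """Apply RFC 6376 'simple' or 'relaxed' body canonicalization (CRLF line ends)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # collapse runs of space/tab and drop them at line ends
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # both modes ignore trailing empty lines
        lines.pop()
    out = b"".join(ln + b"\r\n" for ln in lines)
    return out or (b"\r\n" if mode == "simple" else b"")

def parse_tags(header_value):
    """Split a DKIM-Signature value into tag=value pairs, removing folding whitespace."""
    pairs = (t.split("=", 1) for t in header_value.split(";") if "=" in t)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def body_hash_matches(header_value, body):
    """True if bh= equals the SHA-256 of the canonicalized body as received."""
    tags = parse_tags(header_value)
    if not tags.get("a", "").endswith("-sha256"):
        raise ValueError("only *-sha256 signatures are handled here")
    # c= is header/body; a missing body part defaults to simple
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    canon = canonical_body(body, body_mode)
    if "l" in tags:  # l= limits the hash to the first l canonicalized bytes
        canon = canon[:int(tags["l"])]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode() == tags["bh"]

def sample_header(body, c="relaxed/relaxed"):
    """Constructed signer side: only the tags this check reads; b= is a placeholder."""
    mode = c.partition("/")[2] or "simple"
    bh = base64.b64encode(hashlib.sha256(canonical_body(body, mode)).digest()).decode()
    return (f"v=1; a=rsa-sha256; c={c}; d=example.com; s=mkt2024;\r\n"
            f"\tbh={bh};\r\n\tb=PLACEHOLDER")

if __name__ == "__main__":
    sent = b"Hello  world \r\n\r\nOrder #1\r\n"   # constructed message body
    hdr = sample_header(sent)
    print("whitespace-only change:", body_hash_matches(hdr, b"Hello world\r\n\r\nOrder #1\r\n\r\n"))
    print("content change:", body_hash_matches(hdr, b"Hello world\r\n\r\nOrder #2\r\n"))
```

With relaxed canonicalization a relay that only re-wraps whitespace leaves the hash intact, while any change to the content breaks it; under simple canonicalization the whitespace change alone is enough to fail.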

Technical article

Documentation from Microsoft explains that DKIM works by adding a digital signature to the header of an email message. This signature is encrypted with the sender's private key and can be verified by the recipient's mail server using the sender's public key, which is published in the DNS record. If the signature matches, the email is authenticated.

November 2024 - Microsoft

Technical article

Documentation from Google explains that DKIM signing lets you attach a digital signature to your outgoing messages. Receiving servers can then use DKIM to verify that messages weren't altered during transit and truly came from your domain. When you use DKIM, your domain takes responsibility for your messages. This increases trust and helps prevent spoofing.

March 2022 - Google

Technical article

Documentation from RFC Editor defines DKIM as a mechanism by which email senders can digitally sign their messages, in a way that can be verified by email receivers. This allows receivers to confirm that a message truly came from the claimed sender and was not altered in transit. DKIM provides an authentication framework for email.

November 2024 - RFC Editor

Technical article

Documentation from DKIM.org explains that DKIM works by generating a cryptographic signature for each email message and then attaching the signature to the message header. This signature can then be validated by the receiving mail server using the sender's public key, which is published in the domain's DNS records.

April 2021 - DKIM.org