[Archived] - Marketing: DKIM Records

Modified on Thu, 23 May at 11:12 AM

Hello, and welcome to this guide to DKIM. You might have never heard of DKIM before, or you might already be familiar with this topic. If you are interested in learning more, then read on!

The purpose of DKIM is to help ensure your custom domain maintains a good reputation with email systems like Gmail, Outlook, Yahoo!, etc. Using DKIM with your custom domain and emails builds trust and improves email deliverability so that your legitimate emails don’t end up in your recipient’s spam folder or, worse, are not delivered at all.

In this article, we will guide you through what DKIM is, provide details on how it works, and explain why you want to use it.

Requirements

  • A custom domain with access to the DNS settings.

What is DKIM?

DKIM stands for DomainKeys Identified Mail. It is a technique used to cryptographically sign and verify emails, so that a receiving email system can confirm that an email really comes from the domain the sender claims and that it was not modified in transit.


Public Key Cryptography

DKIM uses public key cryptography, which utilizes a pair of keys (the “K” in DKIM).

One is a private key used only by the email server to digitally sign the email before it is sent. The private key is not provided to you and never shared with anyone; if someone else obtains the private key, they can sign their emails with your custom domain’s signature, pretending to be you.

The other key is a public key that is put into your custom domain’s DNS records so that other email systems can use it to verify the signature created by the private key. As the name implies, it is safe to share the public key because it cannot be used to sign emails; it can only be used to verify signatures that were created by its paired private key.

The content of the signed email can be verified because the signature is generated by using the content itself. Therefore, if the contents were modified, the signature would no longer match. Each email server that sends emails using your custom domain will have its own key pair to sign the emails and verify the signatures. As was already mentioned, the public key is placed into your custom domain’s DNS records, proving your ownership of the domain to any email system.


The DKIM Public Key and DNS Record

The type of DNS record used by DKIM is called a TXT record, which is a generic record type that can contain any information.

When an email service provides you with a DKIM Key or a DKIM DNS record, it gives you a hostname that includes the DKIM selector. The selector is used to identify this specific DKIM key on your custom domain. As mentioned before, this allows email systems to find your DKIM Public Key to verify signatures.

The format for the hostname is always <selector>._domainkey.<domain>. For example, a hostname for a DKIM key with a selector of mykey1 for the domain mydomain.com would look like this:

mykey1._domainkey.mydomain.com

If you use a subdomain for your emails and the DKIM key, you must include the subdomain in your hostname when adding the DNS record. For details about adding a specific DNS record to your domain, please contact your domain’s DNS provider for support.

The value/data for the DNS record includes the public key portion of the key pair. The key itself is placed inside a tag in the DNS record alongside other information about the key and technique used by the email service. A semicolon is used to separate each tag.

Here is an example of a DNS record value/data for a DKIM Public Key provided by an email service:

k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtv3C88jzfjWTEW16YGr4z4kthC8H47feXwR+9KmyGZZqefe2WLwX/k7d2I0oqejXyASqIG5U6Knm+d7oM0FJKgzR4/RLDdStbR64tlTnk+xx6iPEkAZRvT2nJn7TJaJwRXspD163DA94LWs5EjVGHilAJN+YcjLWaPVKQ7S2IYkIm2bcy97TGE+veKwca2Pb5hQZvtVM/Sf40JrUQyfHj8NoQyc+gUq9OsleR8+igPmTPgeF0zxchNcgv1MXu2dZxPkrtX091UvHbavIO6yDqQcUMN3JJ2BLg92sx59SR9gp73lya1fOB0GjWxQ3x1axAOxV3CEaV9gIR+95Q6aywwIDAQAB

The k tag indicates the type of key, and the p tag is the key itself. Other tags might be included, such as v (DKIM version), h (hash algorithms), or t (flags).

The email service will generate the necessary public key and associated DNS record, so you do not need to create this information yourself. However, you must enter the data into your DNS records accurately.

In ClickFunnels, a key pair and DNS record are generated for the root of a domain whenever you add a new domain in the Domains section of your ClickFunnels account. You can see this DNS record during the domain setup process in the screenshot below:

[Screenshot: CF2 DKIM DNS Record]

For step-by-step instructions on adding a new domain to your ClickFunnels account, please refer to these documents:

You can also manually verify your DKIM DNS record from your ClickFunnels 2.0 account at any point. For step-by-step instructions on verifying a DKIM DNS record, please refer to this document:


The DKIM-Signature Email Header

Whenever an email is signed with a DKIM key, the signature is placed into a new email header called the DKIM-Signature header. This header is only visible to the recipient if they know how to display headers in their email client.

Here is an example of a DKIM-Signature header:

DKIM-Signature: a=rsa-sha256; bh=9rk1uW97XD04yMnFUEvEVJRvvedhAAyNXEUZQKDFf+8=; c=simple/simple; d=mydomain.com; h=X-Mailer-Info:List-Unsubscribe:List-Unsubscribe-Post:Subject:From:To:Date:Message-ID:Content-Type:Content-Transfer-Encoding; s=1669933577; t=1670437223; v=1; b=rc45jZEHAdbXtPAgJ2SX5BmrIgI/xMkUpVDzC8Is4BS+eFVnVkQ9zLNZl55Ymhno5X1N/Hh9 bMBU++FbhYkKEI2uz/rISLBbPkp1M5dZM+sh9IbiFBewTGUXgV1V6dFgj3xFTn1msFjDRgXpnhM E+jwr0v+b8emtjezJ+lvVzAy7z9DGHql+AlHqbB3XPRHt2IWyZ0WVtWneIXJVDvTZI7Fgh1pRei GRLYnHxEU6lWHf8Mn1OFs4rCTvuYCJjIP41vPAALexnDGpf70EnIh5iv9gZmSKoiaB3bhEKg3Xs D3AudRWwQznyeaMnw9GMuSOZIH5CPZWHntu4H30lmMiew==

As you can see, the DKIM-Signature header is composed of tags separated by a semicolon. Let’s go over the purpose of these tags.

  • a: The algorithm used to generate the signature.
  • bh: The hash of the body of the email.
  • c: The canonicalization algorithms used on the header/body before the signature is created.
  • d: The signing domain.
  • h: A colon-separated list of the email headers that are included in the signature.
  • s: The DKIM selector.
  • t: The UTC timestamp of when the signature was created, expressed as the number of seconds since 00:00:00 on January 1st, 1970 (Unix Epoch time).
  • v: The DKIM version being used.
  • b: The signature of the email (headers and body).

There are additional tags that may be included if the email server chooses to. The main tags to be familiar with are the selector (s) and the signing domain (d).

When an email system receives an email with a DKIM-Signature header, it will use the selector and the domain tags to form the hostname (<selector>._domainkey.<domain>) of the DNS record you published, which contains the DKIM public key. The email system will then use that public key to verify the signature (b) and, therefore, the email message itself. If the signature is successfully verified, then the DKIM test has passed; otherwise, if the signature does not match, then the DKIM test has failed.
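
The steps a receiving system takes before the signature check can be sketched in a few lines. This is an added example, not ClickFunnels code: the function names are hypothetical, the sample message is constructed, it handles only "simple" body canonicalization with SHA-256, and it stops before the RSA verification of the b tag.

```python
import base64
import hashlib

def parse_tags(value):
    """Parse a semicolon-separated DKIM tag=value list into a dict."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            # Whitespace folded into a value (as in b=) is not significant.
            tags[name.strip()] = "".join(val.split())
    return tags

def key_query_name(sig):
    """DNS name of the TXT record holding the public key."""
    return f"{sig['s']}._domainkey.{sig['d']}"

def simple_body_hash(body):
    """bh= value for 'simple' body canonicalization with SHA-256."""
    while body.endswith(b"\r\n\r\n"):   # ignore empty lines at the end
        body = body[:-2]
    if not body.endswith(b"\r\n"):      # body always ends in one CRLF
        body += b"\r\n"
    return base64.b64encode(hashlib.sha256(body).digest()).decode()

def precheck(header_value, key_record, body):
    """Checks made before the RSA step; returns a list of failures."""
    sig, key = parse_tags(header_value), parse_tags(key_record)
    problems = []
    if not key.get("p"):
        problems.append("p= empty or missing: key revoked or record wrong")
    if sig["a"].split("-")[0] != key.get("k", "rsa"):
        problems.append("key type in k= does not match a=")
    body_canon = sig.get("c", "simple/simple").partition("/")[2] or "simple"
    if body_canon == "simple" and sig["a"].endswith("-sha256"):
        if simple_body_hash(body) != sig["bh"]:
            problems.append("body hash mismatch: body changed after signing")
    return problems

# Constructed sample: d= and s= are the values from the header above; the body
# and the p= placeholder are made up, and bh= is computed for that body.
BODY = b"Hello from mydomain.com\r\n"
SIG = ("a=rsa-sha256; bh=" + simple_body_hash(BODY) + "; c=simple/simple; "
       "d=mydomain.com; h=Subject:From:To:Date; s=1669933577; v=1; b=...")
KEY = "k=rsa; p=CONSTRUCTED-PLACEHOLDER"

if __name__ == "__main__":
    print(key_query_name(parse_tags(SIG)))
    print(precheck(SIG, KEY, BODY))
    print(precheck(SIG, KEY, BODY.replace(b"Hello", b"Hullo")))
```

A body that differs only by extra empty lines at the end still passes, while any change to the text itself produces a body hash mismatch.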


Troubleshooting

  • A domain registrar or DNS provider does not support TXT records longer than 255 characters.
    • ClickFunnels uses a 2048-bit DKIM key, which produces a TXT record that is longer than some domain registrars will support. In this case, please use a different DNS provider, such as Cloudflare, to manage your domain’s DNS records. Please see Cloudflare’s documentation for more details.
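
Where the 255-character limit comes from, shown as an added example (not ClickFunnels code; the function names are hypothetical and the key is constructed filler): inside DNS, a TXT record is stored as one or more strings, each prefixed by a single length byte, so a longer DKIM record has to be stored as several strings that the verifier joins back together.

```python
def encode_txt_rdata(value):
    """TXT RDATA: one or more strings, each a length byte plus up to 255 octets."""
    data = value.encode("ascii")
    out = bytearray()
    for i in range(0, max(len(data), 1), 255):
        chunk = data[i:i + 255]
        out.append(len(chunk))   # a single length byte is why 255 is the limit
        out += chunk
    return bytes(out)

def decode_txt_rdata(rdata):
    """Split TXT RDATA back into its individual strings."""
    strings, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        if i + 1 + n > len(rdata):
            raise ValueError("truncated TXT RDATA")
        strings.append(rdata[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return strings

def zone_file_form(value):
    """The same record as quoted strings, as a zone file or DNS UI shows it.
    DKIM values contain no double quotes, so no escaping is done here."""
    return " ".join(f'"{s}"' for s in decode_txt_rdata(encode_txt_rdata(value)))

def dkim_value(strings):
    """A DKIM verifier joins the strings with nothing in between."""
    return "".join(strings)

# Constructed record: 392 base64 characters is the size of a 2048-bit RSA
# public key; the "A" filler stands in for a real key.
RECORD = "k=rsa; p=" + "A" * 392

if __name__ == "__main__":
    parts = decode_txt_rdata(encode_txt_rdata(RECORD))
    print([len(p) for p in parts])
    print(dkim_value(parts) == RECORD)
```

A DNS provider that accepts only a single string of up to 255 characters cannot hold this record, which is the situation the troubleshooting item describes.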


More Information

DKIM alone does not fully prevent spoofing, but when used with DMARC, it will go a long way to help limit this type of threat. For further information about securing your domain and email messages, please see our documentation listed below:

Congratulations! You have successfully set up DKIM for your custom domain and emails, improving your domain’s reputation and email deliverability.
