DNS DKIM Record

A DomainKeys Identified Mail (DKIM) record is a special type of DNS TXT record which helps authenticate emails.

What is DKIM

Spoofing emails is a very popular and relatively easy way to maliciously gain access to secret or private information. Spoofing means that an attacker may send an email to you or one of your coworkers and it may appear to come from inside your company or from another reputable source. If you don’t dive deeper into the header information of that email and see that it’s actually from another suspicious source, it’s very easy to reply and possibly answer questions that may give away personal or private information.

By using DKIM records this may be prevented before the user even receives the email. Other types of records that may help with email security are DMARC and SPF records.

DKIM DNS Record Example

A DKIM record itself is just a TXT record which contains a public key in the value field of the record. All DKIM records will include “._domainkey.” within the record name as shown below. There are several optional values that may be included in a DKIM record as well, such as version and DKIM selector. A selector value is specified in the DKIM record and contained within the email header. It tells the receiving mail server where the public key is located.

| Name | Type | Value |
| --- | --- | --- |
| mail._domainkey.menandmice.com | TXT | v=dkim1; s= s2048gl; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDmzRmJRQxLEuyYiyMg4suA2SyMwR5MGHpP9diNT1hRiwUd/mZp1ro7kIDTKS8ttkI6z6eTRW9e9dDOxzSxNuXmume60Cjbu08gOyhPG3GfWdg7QkdN6kR4V75MFlw624VY35DaXBvnlTJTgRg/EW72O1DiYVThkyCgpSYS8nmEQIDAQAC; |

How does DKIM work?

DKIM uses a public and private key pair to ensure the authenticity of a received email. Like other DNS records, a DKIM record is stored in a DNS zone. The DKIM record is just a TXT record with a public key in the value field, along with other required or optional values which can be found in RFC 6376.

Emails that are sent from a particular domain will include a DKIM header which contains a digital signature created with the private key part of the key pair. The private key itself never leaves the sending side. The receiving mail server can then check the DKIM record in the sender domain to get the public key and use it to verify the digital signature.

An email header is a code snippet within an email which contains tracking information about the recipient, sender, and even email routing information. You can manually look at email header information, but it will depend on which email client you’re using. For example, in Microsoft Outlook you can click on File >> Properties on the email itself and find the Internet Headers.
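
The lookup a receiving server performs, as an added example (not part of the original article or of any product it mentions): it reads the selector and domain from a DKIM header, builds the `._domainkey.` record name, and sanity-checks the TXT value. The header, the record, `example.com` and all function names are constructed for illustration.

```python
import base64
import binascii

# Constructed sample data: not a real message, zone or key.
SAMPLE_HEADER = ("v=1; a=rsa-sha256; d=example.com; s=mail;\r\n"
                 " h=from:to:subject; bh=Y29uc3RydWN0ZWQ=; b=c2lnbmF0dXJl")
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=Y29uc3RydWN0ZWQga2V5IGJ5dGVz;"

def parse_tags(text):
    """Parse a DKIM tag=value list (RFC 6376, section 3.2) into a dict."""
    tags = {}
    for part in text.split(";"):
        if not part.strip():
            continue  # tolerate the trailing ';'
        name, sep, value = part.partition("=")
        name = name.strip()
        if not sep or not name or name in tags:
            raise ValueError(f"malformed or duplicate tag: {part!r}")
        # Simplification: drop all whitespace, which is safe for the tags
        # read here (s=, d=, v=, p=) and undoes line folding in base64.
        tags[name] = "".join(value.split())
    return tags

def key_record_name(dkim_signature):
    """DNS name the receiver queries, from the header's s= and d= tags."""
    sig = parse_tags(dkim_signature)
    return f"{sig['s']}._domainkey.{sig['d']}"

def check_key_record(txt):
    """Return the problems found in a DKIM TXT record value (empty = none)."""
    tags = parse_tags(txt)
    problems = []
    if "v" in tags and tags["v"] != "DKIM1":
        problems.append("v= must be exactly DKIM1")
    if "p" not in tags:
        problems.append("missing p= (public key)")
    elif not tags["p"]:
        problems.append("empty p= means the key is revoked")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
    return problems

if __name__ == "__main__":
    print(key_record_name(SAMPLE_HEADER), check_key_record(SAMPLE_RECORD))
```

This only checks the record's shape; it does not fetch the record from DNS or verify a signature.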

How do I create a DKIM Record?

Creating a DKIM record will depend on the DNS service you’re using in your environment. If you’re using Micetro, by Men&Mice, you can create a DKIM record by doing the following:

  1. Open the Micetro Web UI
  2. Click on DNS and open the zone for which you’d like to have a DKIM record
  3. Click Create
  4. Provide a name, record type, and TTL
  5. In the Text field, provide the required information for the DKIM record such as the public key information or recommended optional information like the DKIM Selector.
