
DKIM Configuration Complete Guide: Key Generation, DNS Setup, and Best Practices

Master DKIM email authentication with comprehensive coverage of key generation, DNS record setup, selector management, key rotation, and troubleshooting for major email platforms.

By Inventive Software

DKIM Configuration Complete Guide

DKIM (DomainKeys Identified Mail) adds cryptographic signatures to your emails, allowing receivers to verify authenticity and detect tampering. This guide covers everything from key generation to production deployment.

How DKIM Works

DKIM Record Structure

Generating DKIM Keys

Using OpenSSL (Standard Method)

Output:

    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAszLfGbitgbShFNHJp4Em
    7jPMCvyFMKFQtxCO/HaY5qUwSKm4LabCp6wP8SNX6ldPejuGbVE7YG+yuuOL4ffP
    O69RZnRYftdE4bE6YNiQLTc9deGuuyI7S6BVEF7NbHIC30VVfENwY8pyoGk1lMgP
    d4sdZEet7yQHgAwWYT2lPehcg657viWkjtdyvuEc8X0eVDVZq2cDh2WK0tz+PHcU
    x7rx8iu1AG2JdJ779mjgu8tgTmE0dfuVbbI5jFZcXMCHfRgHQ/eP+0MX+18NC6KZ
    U1qwfJtjBxW3imudhCQv+97M2fLxcbtndvlBYyZdEXf053N1tkc6PstACpxlVvgF
    oQIDAQAB
    -----END PUBLIC KEY-----

Format for DNS Record

Remove headers and line breaks to create the DNS value:

    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAszLfGbitgbShFNHJp4Em7jPMCvyFMKFQtxCO/HaY5qUwSKm4LabCp6wP8SNX6ldPejuGbVE7YG+yuuOL4ffPO69RZnRYftdE4bE6YNiQLTc9deGuuyI7S6BVEF7NbHIC30VVfENwY8pyoGk1lMgPd4sdZEet7yQHgAwWYT2lPehcg657viWkjtdyvuEc8X0eVDVZq2cDh2WK0tz+PHcUx7rx8iu1AG2JdJ779mjgu8tgTmE0dfuVbbI5jFZcXMCHfRgHQ/eP+0MX+18NC6KZU1qwfJtjBxW3imudhCQv+97M2fLxcbtndvlBYyZdEXf053N1tkc6PstACpxlVvgFoQIDAQAB

DNS TXT Record Value:

Generating 4096-bit Keys (High Security)

Note: 4096-bit keys exceed DNS TXT record limits (255 chars per string). Most DNS providers handle splitting automatically, but verify your provider supports this.
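The conversion above, as an added example that is not part of the original guide: a Python script that strips the PEM armor, builds the v=DKIM1 TXT value, and splits it into the 255-character strings a zone file needs, which is the same splitting the note describes for 4096-bit keys. The public key is the page's own sample output; the selector "mail", the k= and t=y tags, and the zone-file layout are assumptions.

```python
import re

# Public key from this page's OpenSSL output (2048-bit RSA, SubjectPublicKeyInfo PEM).
PEM_PUBLIC_KEY = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAszLfGbitgbShFNHJp4Em
7jPMCvyFMKFQtxCO/HaY5qUwSKm4LabCp6wP8SNX6ldPejuGbVE7YG+yuuOL4ffP
O69RZnRYftdE4bE6YNiQLTc9deGuuyI7S6BVEF7NbHIC30VVfENwY8pyoGk1lMgP
d4sdZEet7yQHgAwWYT2lPehcg657viWkjtdyvuEc8X0eVDVZq2cDh2WK0tz+PHcU
x7rx8iu1AG2JdJ779mjgu8tgTmE0dfuVbbI5jFZcXMCHfRgHQ/eP+0MX+18NC6KZ
U1qwfJtjBxW3imudhCQv+97M2fLxcbtndvlBYyZdEXf053N1tkc6PstACpxlVvgF
oQIDAQAB
-----END PUBLIC KEY-----"""

TXT_STRING_LIMIT = 255  # each <character-string> in TXT RDATA is at most 255 octets


def pem_to_dkim_p(pem: str) -> str:
    """Strip the PEM armor and line breaks, returning the base64 body for the p= tag."""
    body = "".join(
        line.strip() for line in pem.splitlines() if not line.startswith("-----")
    )
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", body):
        raise ValueError("public key is not valid base64")
    return body


def dkim_txt_value(pem: str, key_type: str = "rsa", testing: bool = False) -> str:
    """Build the full TXT value: version, key type, optional t=y test flag, then the key."""
    tags = ["v=DKIM1", f"k={key_type}"]
    if testing:
        tags.append("t=y")  # assumed option: marks the selector as in testing mode
    tags.append(f"p={pem_to_dkim_p(pem)}")
    return "; ".join(tags)


def split_txt_strings(value: str, limit: int = TXT_STRING_LIMIT) -> list:
    """Split a long TXT value into 255-octet strings; resolvers concatenate them back."""
    return [value[i : i + limit] for i in range(0, len(value), limit)]


def zone_file_record(selector: str, domain: str, value: str) -> str:
    """Render a BIND-style TXT record with the value split into quoted strings."""
    strings = " ".join(f'"{chunk}"' for chunk in split_txt_strings(value))
    return f"{selector}._domainkey.{domain}. IN TXT ( {strings} )"


if __name__ == "__main__":
    print(zone_file_record("mail", "example.com", dkim_txt_value(PEM_PUBLIC_KEY)))
```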

Ed25519 Keys (Emerging Standard)

DNS Record for Ed25519:

Platform-Specific Configuration

Google Workspace

Admin Console Setup:

  1. Go to Admin Console → Apps → Google Workspace → Gmail
  2. Click Authenticate email
  3. Select your domain
  4. Click Generate new record
  5. Select 2048-bit key length
  6. Note the selector (e.g., )
  7. Copy the TXT record value

DNS Record:

  1. Wait 24-48 hours for propagation
  2. Return to Admin Console and click Start authentication

Microsoft 365

Exchange Admin Center Setup:

  1. Go to Exchange Admin Center → Mail flow → Rules
  2. Or use PowerShell:

DNS Records (CNAME):

Postfix (Linux Mail Server)

Install OpenDKIM:

Generate Keys:

Configure OpenDKIM (/etc/opendkim.conf):

Configure Key Table (/etc/opendkim/KeyTable):

Configure Signing Table (/etc/opendkim/SigningTable):

Configure Postfix (/etc/postfix/main.cf):

Start Services:

Amazon SES

Enable DKIM (AWS Console):

  1. Go to SES Console → Verified Identities
  2. Select your domain
  3. Go to Authentication tab → DKIM
  4. Click Generate DKIM tokens
  5. Add the provided CNAME records to DNS

DNS Records (CNAME):

Using AWS CLI:

SendGrid

Enable DKIM (Dashboard):

  1. Go to Settings → Sender Authentication
  2. Click Authenticate Your Domain
  3. Select DNS host and enter domain
  4. Add the provided DNS records

DNS Records:

DKIM Signature Header Explained

Canonicalization Explained
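As an added example (not from the original guide) covering both the DKIM-Signature header and canonicalization: a Python helper that parses the header's tag=value pairs, applies simple and relaxed body canonicalization as defined in RFC 6376, and recomputes the bh= body hash so the effect of relaxed canonicalization on whitespace changes can be seen directly. The sample body and header are constructed; the b= value is a placeholder because no signing key is involved here.

```python
import base64
import hashlib
import re

REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")  # RFC 6376 requires these tags


def canonicalize_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Apply DKIM body canonicalization (RFC 6376 section 3.4) before hashing."""
    if mode not in ("simple", "relaxed"):
        raise ValueError(f"unknown body canonicalization: {mode}")
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of SP/TAB to one space and drop trailing whitespace on every line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # both modes ignore trailing empty lines
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """bh= value: base64(SHA-256(canonicalized body)), as used with a=rsa-sha256."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body, mode)).digest()).decode()


def parse_dkim_signature(value: str) -> dict:
    """Split a DKIM-Signature header value into tag=value pairs, unfolding whitespace."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)  # FWS inside values is insignificant
    return tags


def missing_tags(tags: dict) -> list:
    return [t for t in REQUIRED_TAGS if t not in tags]


def body_hash_matches(tags: dict, body: bytes) -> bool:
    """Recompute bh= with the body mode named in c= (default simple/simple) and compare."""
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return tags.get("bh") == body_hash(body, body_mode)


# Constructed sample, not from a real message: a body and the header a signer would emit for it.
SAMPLE_BODY = b"Hello world\r\n"
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail;\r\n"
    "\th=from:to:subject:date:message-id; bh=" + body_hash(SAMPLE_BODY) + ";\r\n"
    "\tb=<signature-placeholder>"
)
```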

Key Rotation

Rotation Process

Rotation Script

Add this DNS record:

After DNS propagates, update these files:

    KeyTable:
    mail2026._domainkey.example.com example.com:mail2026:/etc/opendkim/keys/example.com/mail2026.private

Then restart:

    systemctl restart opendkim

Testing and Verification

Verify DNS Record

    "v=DKIM1; p="

    Server:         192.168.1.1
    Address:        192.168.1.1#53

    Non-authoritative answer:
    mail._domainkey.example.com     text = "v=DKIM1; p="

    Authoritative answers can be found from:

    mail._domainkey.example.com descriptive text "v=DKIM1; p="

Test with Email

Send a test email to a major provider (Gmail, Outlook) and check headers:

Online Testing Tools

  1. mail-tester.com - Send email, get detailed report
  2. dkimvalidator.com - Check DNS record format
  3. mxtoolbox.com/dkim.aspx - DNS lookup and validation

Command-Line Testing

Troubleshooting

Common Errors

Error | Cause | Solution
----- | ----- | --------
      | DNS record missing or not propagated | Check DNS, wait for propagation
      | Key mismatch or message modified | Verify key pair match, check intermediaries
      | Body modified in transit | Use relaxed canonicalization
      | DNS timeout | Check DNS server availability
      | Malformed DNS record | Fix syntax errors in TXT record

Debug Checklist

Best Practices

Security Recommendations

  1. Use 2048-bit RSA keys minimum - 1024-bit is deprecated
  2. Rotate keys annually - More frequently for high-security
  3. Protect private keys - Restrict file permissions, consider HSM
  4. Use relaxed canonicalization - Better survivability
  5. Sign important headers - from, to, subject, date, message-id
  6. Monitor DMARC reports - Detect misconfigurations early

Selector Naming Conventions

Convention | Example | Use Case
---------- | ------- | --------
Service-based |  | Third-party email services
Date-based |  | Key rotation tracking
Sequential |  | Simple rotation
Environment |  | Multiple environments

Multiple Sender Configuration

Tools
