DKIM (DomainKeys): Needed for Deliverability

September 20th, 2012 by Mark Lewis

Originally DomainKeys, DKIM has emerged as an important email authentication system for deliverability of email campaigns. DKIM signing is becoming more standard throughout the email marketing industry, particularly as forged emails become more prevalent.


Many email services, like Hotmail, Yahoo, and Gmail, perform DKIM checks on emails which have a DKIM signature to verify that the sender of the email is authentic. Of these, Gmail is quite sensitive to user complaints and to delivery attempts to bad or inactive email addresses. Greylists are often applied to offending IPs, which results in email delivery delays of several hours. Those delays can result in the eventual bouncing of the emails awaiting delivery. With Gmail as the largest email provider, avoiding greylisting is extremely important. While clean, opt-in email lists are the best means to a high delivery rate, DKIM will help prevent these greylist blocks.

In DKIM, the sending SMTP server adds a DKIM signature to the outgoing email. This signature is a string generated by encrypting parts of the email with a private key. The parts of the email can be the FROM: header, SUBJECT: header, part of the body, etc. The signature also specifies the name of the key to use. The receiving server, upon receiving the email, queries the domain of the email in the FROM: header for the public key to decrypt the signature. If the decrypted information matches those parts of the email that were encrypted, the email is authenticated.

In deploying DKIM, you configure a mail server to DKIM sign emails for a specific sending domain. In doing so, you are authorizing that server to send mail for your domain. The first step is to create a private/public key pair on the sending server using OpenSSL:

openssl genrsa -out emt.private.pem 1024

This will create a 1024-bit private key that the outgoing server will use to create the DKIM signature. The SMTP server must be configured to use this key. In configuring the server to use the key, the key is named with a selector. This selector will appear in the DNS TXT entry for the sending domain. How to configure the SMTP server to use this private key varies depending on your server. Please refer to your SMTP server’s documentation. Email Transmit clients need not worry about this step as Mass Transmit will generate and configure everything required for all emails sent through your account.

The next step is to generate the public key from the private key:

openssl rsa -in emt.private.pem -out emt.public.pem -pubout

The public key is to be published in the DNS for the domain you will be sending from (i.e. the domain in the email address that will be in the FROM: header originating from this server). Email Transmit clients will be provided this public key with instructions on how to create the DNS record for the domain which will appear in the FROM: header for emails originating from Email Transmit.

To publish the public key in the domain’s DNS, a TXT record is created whose name includes the selector, the name given to the key, which will be provided with the DKIM signature. The record itself has the form:

k=rsa; p=PUBLICKEY;

where PUBLICKEY is the string of characters from the generated public key without spaces or line breaks. There are other options you can specify in the TXT record. Refer to the DKIM spec for more information. Email Transmit clients will have to work with their DNS manager to implement the TXT record for their domain.

Once in place, you can query for the domain key:

dig -t TXT

Windows CMD prompt:
nslookup -type=txt
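
An added example (not part of the original post or of Email Transmit's tooling): POSIX shell functions that turn the public key file from the openssl step into the TXT value of the form shown above, and check that a TXT answer returned by dig carries the same key. The PEM contents and the DNS answer are constructed samples, not real keys, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Key material below is constructed.

# Constructed stand-in for emt.public.pem (base64-shaped filler, not a real key).
sample_pem() {
    cat <<'EOF'
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
CONSTRUCTEDsampleNOTaREALkey0000
-----END PUBLIC KEY-----
EOF
}

# Base64 body of the PEM file $1: armor lines and all whitespace removed.
pem_body() {
    grep -v '^-----' "$1" | tr -d ' \t\r\n'
}

# TXT record value "k=rsa; p=<key>;" for the PEM public key in file $1.
pem_to_dkim_txt() {
    key=$(pem_body "$1")
    case $key in
        ''|*[!A-Za-z0-9+/=]*) echo "bad or empty key data in $1" >&2; return 1 ;;
    esac
    printf 'k=rsa; p=%s;\n' "$key"
}

# p= value of a TXT answer as dig prints it. A long record comes back as
# several quoted strings, so quotes and whitespace are removed before parsing.
txt_p_value() {
    printf '%s' "$1" | tr -d '" \t\r\n' | tr ';' '\n' | sed -n 's/^p=//p'
}

# Succeed only if the published TXT value $2 carries the key in PEM file $1.
dkim_txt_matches() {
    local_key=$(pem_body "$1")
    [ -n "$local_key" ] && [ "$(txt_p_value "$2")" = "$local_key" ]
}

# Demo: build the record, then compare it with a constructed DNS answer such as
# dig +short -t TXT <selector>._domainkey.<domain> would print.
pem=$(mktemp) && sample_pem > "$pem"
pem_to_dkim_txt "$pem"
published='"k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB" "CONSTRUCTEDsampleNOTaREALkey0000;"'
dkim_txt_matches "$pem" "$published" && echo "DNS matches local key"
rm -f "$pem"
```

A mismatch here means the receiving server would fetch a different key from the one the SMTP server signs with, so signatures would fail verification even though both sides are configured.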

Now test the outgoing mail server and DNS setup by sending an email. AdminSystem Software will test your implementation and send a report to the email in the FROM: header of the test email sent to their service.

For all email marketers, email deliverability is vital, and DKIM is one important step to ensure that your email arrives at its intended destination.

If you are an Email Transmit client and are not currently set up for DKIM authentication, we’d like to help. Please contact your dedicated account manager for more information.