
What is DKIM?

DNS is no easy topic. It's a complex protocol that powers vast parts of the internet. It's also a protocol that is often misunderstood. In this series of posts, we'll dive into some of the basics of DNS and how you can use it to improve your email deliverability.

This post covers the essentials of DKIM (DomainKeys Identified Mail) and what we learned along the way at Plunk. We hope it helps you improve your delivery too.

What is DKIM

Why does it exist?

One of the most important topics of email trust is the guarantee that the email you're sending is actually sent by you and that it hasn't been tampered with by someone in the middle. We can do this by signing our emails with a signature. This DKIM signature proves that the email has not been tampered with and that it has been sent by you.

We sign a hash of the email's details on our end using a private key. The matching public key is published in our DNS records. Your email provider can use that public key to verify the signature and the hash of the email. If the hash matches, we can be sure that the email has not been tampered with and that it has been sent by the owner of the corresponding private key.

An illustration showing a simplified DKIM authentication flow

Is it difficult to implement DKIM?

Depending on your situation, it can be as easy as just adding the DNS records to your domain. Most infra providers like AWS and Microsoft Azure have abstracted the process of generating, maintaining and rotating the keys. These providers take in your domain and just return the DNS records you need to add. In most scenarios you can't even see the private key behind them. The same goes for email providers like Plunk.

If you are managing your own setup, then you can have a look at various open-source packages like OpenDKIM. A tool like OpenDKIM is designed to assist you in the maintenance of your DKIM setup.

Is only DKIM enough?

In today's digital world, email security is of utmost importance. There are multiple methods to ensure the authenticity of an email, but is only relying on DKIM enough to protect your emails from potential threats like phishing and spoofing? The answer is no.

DKIM only provides a way to verify that an email was sent from a domain and that its content wasn't tampered with during transit, but it can't protect against all types of threats. It's crucial to implement a comprehensive email security solution that includes multiple layers of protection, such as SPF and DMARC. By combining these methods, you can ensure the safety and confidentiality of your email communications.

What happens to my email if DKIM fails?

There is no perfect answer for this as all email clients have their own way of handling DKIM failures. Some will still send your email to the spam folder, others will block it entirely. If a client receives too many failures from your domain, they may even block your entire domain from ever sending to that client again.

Getting your DKIM setup right is critical and definitely not something you should try doing yourself. Leave it to people who know what they are doing because it can mean the difference between inbox and spam.