Protecting Your Brand From Phishing: How to Create a DKIM Record


Because sites that are subject to attacks from spam and phishing emails do not always know that there is a problem, they often rely on their subscribers to tell them that something is wrong. Now, by implementing DMARC, senders and receivers can be more proactive when fighting spammers. In order to benefit from DMARC, you’ll need to be authenticating your emails with both SPF and DKIM. Yesterday, I discussed how to create an SPF record, and today I’ll talk about creating and publishing a DKIM record.

DKIM, or DomainKeys Identified Mail, is a cryptographic approach to authenticating email. It was developed in part to solve some of the issues that SPF can’t solve, such as forwarded email.

The steps to utilising DKIM are:

  1. Inventory all of your sending domains. Tracking all of the domains that you are mailing from is an often overlooked step. Many organisations use different vendors for deploying email, like marketing messages, customer service messages and corporate email. I highly recommend using Reputation Monitor or Sender Score to verify you haven’t missed any domains. If you’re using Sender Score, enter your domain and then look at the bottom of the page where it says “Related Sending Domains” for further insights into domains you are not aware of that are sending email using your domain or brand. It’s also wise to check with those that are in charge of customer service, client services, your internal IT email admin and of course your email service provider to verify that they are signing your emails with DKIM.
  2. Install and configure DKIM on your email server. Because all outgoing email will need to be signed, you will need to install a DKIM package specifically for your email server. To verify your platform has available DKIM software, you can check DKIM.org’s site here, or check with your vendor. If you’re using an email service provider, you will need to work with them on setting up your DKIM record. If you need help with installation, you can contact Return Path.
  3. Create a public and private key pair. There are a lot of DKIM wizards, but I will use Port 25’s as an example in this post as it’s so simple that anyone can use it. But if wizards aren’t your thing, you can generate your own using openssl too. Now, enter the From: domain that you are authenticating (not the return-path domain that we used for SPF in my last post). Enter the selector name. I recommend this be descriptive of the type of email you are sending, like marketing, or newsletter. Also, ensure your key is 1024-bit or higher (Port 25 doesn’t have an option for anything lower, but if you are using your own tools, 1024 is required). The selector naming convention is only a recommendation, however: any selector name will work, and many admins will just use “selector.” If you have questions on the best way to set this up for segmentation and policy purposes, you can contact Return Path for further advice.
  4. Publish your public key. The DKIM wizard should now have given you a selector record. This record includes the DKIM subdomain that will store the public key, which is a combination of the domain and selector name. For example, domain.com with a selector of marketing will have the public key stored in marketing._domainkey.domain.com. You will store your public key in the TXT portion of that domain. Most people will need to work with their system administrator to publish this, or if you’re using a hosted solution, most will allow you to set this up in their interface.
  5. Store your private key. Your private key will also be generated by the wizard and will need to be stored according to where your DKIM package specifies.
  6. Configure your email server. You will need to do further configuration of your system which will require you to refer to the installation instructions for your particular server or you will need to consult with your vendor.
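
As a check on steps 3 and 4, the following added example (not code from this post, from Port 25's wizard or from any DKIM package) builds the DNS name for a selector and measures the RSA key size inside a TXT value against the 1024-bit minimum. The function names and the sample record are assumptions made for illustration; the sample key is constructed and is not a usable key.

```python
import base64

MIN_BITS = 1024  # minimum key size named in step 3

def record_name(selector, domain):
    """DNS name that holds the public key TXT record (step 4)."""
    return f"{selector}._domainkey.{domain}"

def parse_tags(txt):
    """Split 'v=DKIM1; k=rsa; p=...' into a tag -> value dict."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def read_tlv(buf, pos):
    """Read one DER element; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """Bit length of the RSA modulus in a SubjectPublicKeyInfo blob."""
    _, spki, _ = read_tlv(der, 0)             # outer SEQUENCE
    _, _, pos = read_tlv(spki, 0)             # AlgorithmIdentifier, skipped
    _, bits, _ = read_tlv(spki, pos)          # BIT STRING wrapping the key
    _, rsa_key, _ = read_tlv(bits[1:], 0)     # RSAPublicKey SEQUENCE
    tag, modulus, _ = read_tlv(rsa_key, 0)    # INTEGER n
    if tag != 0x02:
        raise ValueError("modulus INTEGER not found")
    return int.from_bytes(modulus, "big").bit_length()

def check_record(txt):
    """Return a list of problems in a DKIM TXT value; empty means OK."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return ["unexpected v= tag"]
    if tags.get("k", "rsa") != "rsa":
        return ["not an RSA key, size check skipped"]
    if not tags.get("p"):
        return ["p= is empty or missing, no key is published"]
    try:
        size = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):
        return ["p= is not a base64 DER public key"]
    return [f"{size}-bit key is below {MIN_BITS} bits"] if size < MIN_BITS else []

# Constructed sample: DER header of a 512-bit key plus a dummy modulus (not a real key).
WEAK_DER = bytes.fromhex("305c300d06092a864886f70d0101010500034b003048024100") \
    + b"\xc3" * 64 + bytes.fromhex("0203010001")
WEAK_TXT = "v=DKIM1; k=rsa; p=" + base64.b64encode(WEAK_DER).decode()
```

Pass `check_record` the TXT value exactly as it is published at `record_name(selector, domain)`; an empty list means the tags parse and the key meets the minimum.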

Implementing DKIM requires a high degree of planning and resources in most cases. We at Return Path can help you with the implementation, policy planning and enforcement and testing of DKIM. Contact us to find out how we can help.


