Wednesday 23 August 2017

Setting up DKIM for your domain / MTA

What is DKIM and how is it different to SPF?

Both DKIM and SPF provide protection for your email infrastructure.

SPF is used to prevent disallowed IP addresses from spoofing emails originating from your domain.

DKIM validates that the message was initially sent by a specific domain and ensures its integrity.

The two can (and should) be used together - since using DKIM might ensure the integrity of the email - but they can be re-sent (providing the message isn't modified) and potentially used for spam or phishing - hence employing SPF in addition ensures that whomever is re-sending the message is authorised to do so.

How does DKIM work?

DKIM (or rather the MTA) inserts a digital signature (generated with a private key) into a message that when received by another mail system is checked to ensure the authenticity of the sending domain by checking the public key via the domains DNS zone (specifically a TXT record).

Setting up DKIM

For this example we'll use the domain ''. We should firstly generate a private / public key pair for use with DKIM - this can be generated via numerous online wizards - but I'd strongly discourage this (for obvious reasons!) We'll instead uses openssl to accomplish this:

openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout -out public.key

We should also choose a 'selector' - which is an arbitrary value e.g. TA9s9D0q3164rpz

The public portion goes into a txt record in your zone file (append it to 'p=') - making sure you replace the domain '' with yours and the selector value as well!:


Value: k=rsa; p=123456789\123456789+\123456789123456789\123456789+\123456789123456789\123456789+\123456789123456789\123456789+\123456789123456789\123456789+\123456789123456789\123456789+\123456789123456789\123456789+\123456789123456789\123456789+\123456789123456789\123456789+\123456789123456789\123456789+\123456789123456789\123456789+\123456789123456789\123456789+\123456789123456789\123456789+\123456789123456789\123456789+\123456789123456789\123456789+\123456789

and a second txt record - which indicates how DKIM is configured for your domain.


Value: t=y;o=~;

'o=' can either be "o=-" (which states that all messages should be signed) or "o=~" (which states that only some* of the messages are signed.)

and the private portion (along with the selector and domain name) will be provided to your MTA. (This will differ dependant on your MTA.)

Validating Results

To ensure that the DKIM validation is succeeding we need to inspect the mail headers - looking specifically at the 'Authentication-Results' header:



Post a Comment