Update — Due to the recently released vulnerability related to the use of weak cryptographic DKIM keys, I wrote an online tool to check and verify DKIM TXT records and determine their public key length: DKIM Key Checker
What is DKIM?
DomainKeys Identified Mail (DKIM) is a method for email authentication designed to detect sender address forgery (spoofing) in email, which is often used in spam and phishing emails.
How does DKIM work?
The DKIM system allows email receivers to confirm that a message claiming to come from a particular domain was authorized by the domain’s owner. This means that an email sender can prove that they’re not a spammer.
The email receiver’s system can verify this claim using the attached digital signature header, looking up the sender’s public key published via a DNS record.
Verifying a valid signature cryptographically also assures the data integrity of the message itself by checking the sender-generated hash in the DKIM-Signature: header field.
DKIM For The Masses
You can set it up for your own Google Apps domain (if you are the domain admin) using these instructions.
It’s a simple process but the trickiest part can be creating the DNS TXT record (which contains your DKIM public key), depending on how you manage your DNS. If you are serving DNS directly via your registrar, Google has some specific instructions for popular domain hosts.
Checking your work
Here’s a quick tip on how to check that you created the record properly and that it is being served…
From a shell/console (using your own domain name, of course):
dig google._domainkey.protodave.com TXT
This should return the TXT record you created. In my case the response is:
;; QUESTION SECTION:
;google._domainkey.protodave.com. IN TXT

;; ANSWER SECTION:
google._domainkey.protodave.com. 3599 IN TXT "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCGfiExKCF1qk/JMaESySByrwx2VjPYDZThQa8432pSTf9mj+AtFiY6wo9A4CMMDLfUBzbDhXFzw3s/qci/tTut+sqv+MSAHhCBJV72Kai64j6TjxUUnfW1RkEYvDhXL+9Wy9OODx2DBZeTpPd6N2Rm4ks3b5wvg73s7RCKjTA7XQIDAQAB"
Online DKIM Checking Tools
If you don’t have access to a shell and dig, there are also some web-based lookup tools available online:
- DKIM Key Checker (I wrote this one!)
- whatsmydns.net : DNS TXT record checker
Use “google” as the “Selector” and your domain name for “Domain name”.
If you’re using DKIM to sign your email, it’s important to make sure that your public key is at least 1024 bits. Keys shorter than 1024 bits are considered cryptographically weak.
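To show how a checker arrives at the key length from a TXT record, here is an added Python 3 example (written for this page; it is not the DKIM Key Checker tool and uses only the standard library). It parses the DKIM tag list, base64-decodes p=, walks the DER-encoded SubjectPublicKeyInfo by hand to reach the RSA modulus, and reports the modulus bit length and whether it meets the 1024-bit floor. The function names are my own; the sample record is the one from the dig output above, copied as dig prints it. It also handles two cases a practitioner will meet: an empty p= (a revoked key) and k=ed25519 (RFC 8463), where p= is the raw 32-byte key.

```python
import base64

# Constructed sample: the TXT record value shown on this page, copied as dig
# prints it (dig escapes ';' inside a TXT string as '\;').
SAMPLE_RECORD = (
    'v=DKIM1\\; k=rsa\\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCGfiExKCF1qk/'
    'JMaESySByrwx2VjPYDZThQa8432pSTf9mj+AtFiY6wo9A4CMMDLfUBzbDhXFzw3s/qci/tTut'
    '+sqv+MSAHhCBJV72Kai64j6TjxUUnfW1RkEYvDhXL+9Wy9OODx2DBZeTpPd6N2Rm4ks3b5wvg'
    '73s7RCKjTA7XQIDAQAB'
)

RSA_OID = bytes.fromhex('2a864886f70d010101')   # 1.2.840.113549.1.1.1 rsaEncryption


def parse_dkim_record(txt):
    """Split a DKIM TXT record into its tag=value pairs (RFC 6376 tag-list).

    Accepts the '\\;' escaping dig uses; whitespace around names and values
    is dropped (folding whitespace inside p= is handled by the caller).
    """
    tags = {}
    for item in txt.replace('\\;', ';').split(';'):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition('=')
        if not sep:
            raise ValueError('malformed tag: %r' % item)
        tags[name.strip()] = value.strip()
    return tags


def _der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos:]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7f
        length = int.from_bytes(buf[pos:pos + n], 'big')
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _der_children(value):
    """Decode the TLVs that make up a constructed value (e.g. a SEQUENCE body)."""
    items, pos = [], 0
    while pos < len(value):
        tag, v, pos = _der_tlv(value, pos)
        items.append((tag, v))
    return items


def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    tag, body, _ = _der_tlv(spki_der)
    if tag != 0x30:
        raise ValueError('SubjectPublicKeyInfo must be a SEQUENCE')
    (alg_tag, alg), (bits_tag, bitstr) = _der_children(body)
    if alg_tag != 0x30 or bits_tag != 0x03:
        raise ValueError('unexpected SubjectPublicKeyInfo layout')
    oid_tag, oid = _der_children(alg)[0]
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError('not an rsaEncryption key')
    # BIT STRING: first byte counts unused bits, then the RSAPublicKey SEQUENCE
    _, rsa_body, _ = _der_tlv(bitstr[1:])
    (mod_tag, modulus), (_exp_tag, _exponent) = _der_children(rsa_body)
    if mod_tag != 0x02:
        raise ValueError('modulus must be an INTEGER')
    return int.from_bytes(modulus, 'big').bit_length()


def dkim_key_info(txt):
    """Return key type, bit length and a weak/ok/revoked status for a DKIM record."""
    tags = parse_dkim_record(txt)
    if tags.get('v', 'DKIM1') != 'DKIM1':
        raise ValueError('not a DKIM1 record')
    key_type = tags.get('k', 'rsa')         # k= defaults to rsa (RFC 6376)
    p = ''.join(tags.get('p', '').split())  # RFC 6376 allows FWS inside p=
    if not p:                               # empty p= means the key was revoked
        return {'key_type': key_type, 'bits': 0, 'status': 'revoked'}
    raw = base64.b64decode(p, validate=True)
    if key_type == 'rsa':
        bits = rsa_modulus_bits(raw)
        status = 'ok' if bits >= 1024 else 'weak'
    elif key_type == 'ed25519':             # RFC 8463: p= is the raw 32-byte public key
        if len(raw) != 32:
            raise ValueError('ed25519 public key must be 32 bytes')
        bits, status = 256, 'ok'
    else:
        raise ValueError('unknown key type %r' % key_type)
    return {'key_type': key_type, 'bits': bits, 'status': status}


if __name__ == '__main__':
    print(dkim_key_info(SAMPLE_RECORD))
```

For the record shown on this page the result is an RSA key of exactly 1024 bits, i.e. right at the floor the paragraph above recommends. Feed it the quoted string from your own dig answer section; the lookup itself is the dig command shown earlier, which this example deliberately leaves to the reader so it runs offline.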