Use DKIM to keep emails out of spam bins

(This post follows on from our earlier post – which you can read here – which covered the use of SPF records to lower the likelihood that your outgoing emails are treated as spam. The use of DKIM records complements the use of SPF records, so the two approaches can be used in conjunction with one another).

What are DKIM records

DKIM stands for Domain Keys Identified Mail – unlike SPF records, which rely only on the presence of a records in the DNS to validate an outgoing email as authentic and sent from the domain that it says it’s sent from, DKIM goes one step further in validating it. All outgoing messages are tagged with a unique electronic signature – when decrypted, using a public “key” made accessible through the domain’s DNS, the signature can be verified as legitimate, lending weight to the fact that it was sent from the domain it claims it was sent from.

How do you set up DKIM

The fact that outgoing emails are electronically “signed” with a verification code means that more work is required than when setting up SPF. Unless you have root access to your server, you’ll need to ask your hosting company to do it for you. If you do have access to the server, then you can install the relevant package.

The first thing that one needs to do is choose what package you’re going to use to do the signing – the package itself is called a “milter” (short for “mail filter”) and there are two main possibilities. DKIM Milter is the traditional choice, but in recent years OpenDKIM has gained more popularity (and depending on what software you’re running on the server, may be the only choice) (it’s the one we choose to use, if that helps!).

Once set up and configured, you will have two things – a private key which, as the name suggests, should be kept private, and a public key, which should be added to your DNS records as a text record – it will look something like the below :

default._domainkey.hummingbirduk.com in TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAjtaPh7UVUlTC+Jj5KTY+IqUpx/T63iHgoCW7sNbdIbXYGsb6zgacK5rkxr66AGZs8gX0EeYvc+d9ZPRubXZcoDuQXy14SwoDlZd5kf9OfpW8m2M6tOxb6g884QGmWY5X48FtJGD20xOwGODxLraPVJ8PYxfgyBb1AuumyKvnGQIDAQAB"

Thereafter, any outgoing emails should be signed automatically. To check, you can get a one-off email address from this page to which you can send an email – the system will then send you a response with information on whether your email has been signed properly.

DKIM and Google Apps

If you run your emails through Google Apps, as a lot of people choose to do, setting up DKIM is even easier – you simply tell Google Apps that you want it to start signing outgoing emails with DKIM. When you do so, it will tell you the contents of the TXT that you need to put in your DNS records – pop that in place, and you’re away.

Author Domain Signing Practices

One final record which can be added to the DNS is an ADSP record – this is a TXT record which, as its name suggests, indicates what sort of signing rules the domain practises when it comes to DKIM. There are three possible values :

dkim=unknown
dkim=all
dkim=discardable

The first option has the same impact as not having an ADSP record, and essentially says that the domain may sign some emails, and may not sign others. The second option says that the domain will sign all outgoing emails with DKIM. The third goes a step further and says not only will all outgoing emails be signed, but any which aren’t signed should be discarded as being automatically invalid – choose this third option with care!

Shameless plug

It’s probably worth mentioning that if you were one of our hosting clients, you wouldn’t be worrying about any of this – setting up DKIM records and SPF records, along with a whole host of other little touches, is just part of the service we offer. If you’re interested, please get in touch to find out more.