DomainKeys Identified Mail (DKIM)

Your domain should have a good reputation, and one of the things you should absolutely consider is authenticating it with DKIM.

DKIM (DomainKeys Identified Mail) is an email authentication standard: the sending domain signs outgoing messages with a private key, and receivers verify the signature with the matching public key published in DNS. It is a signature, not encryption; the message itself stays readable.

If you send email from an address like hello@myproduct.com, set up DKIM for myproduct.com.

To send authenticated email:

Generate a key pair (public/private). The private key stays on the sending server; the public key is what you publish.

Publish the public key in your DNS zone as a TXT record named selector._domainkey.yourdomain (the selector lets you publish several keys and rotate them).

Sign each outgoing email with the private key: the sending server canonicalizes the body and the chosen headers, hashes them and signs the hash (normally RSA with SHA-256). The result is added to the message as a DKIM-Signature header.

For more technical details, this is the official explanation from the DKIM website (the same text as RFC 6376, section 3.7):

More formally, the algorithm for the signature is as follows:

body-hash = hash-alg(canon_body)

header-hash = hash-alg(canon_header || DKIM-SIG)

signature = sig-alg(header-hash, key)

where

sig-alg is the signature algorithm specified by the “a=” tag,

hash-alg is the hash algorithm specified by the “a=” tag,

canon_header and canon_body are the canonicalized message header and body (respectively) as defined in Section 3.4 (excluding the DKIM-Signature header field), and DKIM-SIG is the canonicalized DKIM-Signature header field sans the signature value itself, but with body-hash included as the “bh=” tag.

Tags (like a=) are explained in the DKIM specification, RFC 6376 section 3.5.

The public key goes in the TXT record at selector._domainkey.yourdomain; the selector is the s= tag the signature will carry, so the receiver knows which record to fetch.

Example:

1505000725.myproduct._domainkey.myproduct.com. IN TXT (
    "v=DKIM1;t=s;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCywF+6HiUIwHRoteLxFoSYLyxT"
    "WnKB/u9t8HB7kTwy6F5LYqeg6DZp8X6psgKxbrIdxw9Eyhs7xworO+126K+0Xb/r"
    "ch7fDgaBSz4PsEW6IA/vDMIgQIKBLH+i/NlMVoPWcjwM1+Jl7fVezKjzjuNOCUFN"
    "iD2vFpj29wYX9II/EQIDAQAB"
)

Here the selector is 1505000725.myproduct, v=DKIM1 is the record version, t=s means signatures must use exactly this domain (no subdomains), and p= is the base64-encoded public key (a DER SubjectPublicKeyInfo). The quoted strings are one value: a verifier concatenates them without separators, which is why the key can be split across several strings.

You can check the published record with the dig command; compare the p= value you get back with the public key you generated, since a mistyped or truncated key makes every signature fail:

dig TXT 1505000725.myproduct._domainkey.myproduct.com.
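Taking the record above apart, as an added example that is not code from this page: a stdlib-only Python parser that joins the quoted TXT strings the way a verifier does, splits the tag list, and walks the DER SubjectPublicKeyInfo in p= down to the RSA modulus and public exponent. RECORD_STRINGS is the record shown above; the info dict keys and the identity_allowed helper are names chosen here for illustration, not part of any DKIM library.

```python
"""Parse a DKIM key record as published in DNS (RFC 6376 section 3.6.1): join the TXT
character-strings, split the tag list, and decode the base64 p= value, which is a
DER-encoded SubjectPublicKeyInfo, down to the RSA modulus and public exponent.
RECORD_STRINGS is the record shown on this page."""
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")      # 1.2.840.113549.1.1.1 rsaEncryption

RECORD_STRINGS = [
    "v=DKIM1;t=s;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCywF+6HiUIwHRoteLxFoSYLyxT",
    "WnKB/u9t8HB7kTwy6F5LYqeg6DZp8X6psgKxbrIdxw9Eyhs7xworO+126K+0Xb/r",
    "ch7fDgaBSz4PsEW6IA/vDMIgQIKBLH+i/NlMVoPWcjwM1+Jl7fVezKjzjuNOCUFN",
    "iD2vFpj29wYX9II/EQIDAQAB",
]

def _der_read(buf, pos):
    """Read one DER TLV at `pos`; return (tag, contents, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                                  # long form: low 7 bits count the length bytes
        nbytes = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def rsa_public_numbers(spki):
    """SubjectPublicKeyInfo -> (n, e).  Layout:
    SEQ { SEQ { OID rsaEncryption, NULL }, BIT STRING { SEQ { INT n, INT e } } }"""
    tag, body, _ = _der_read(spki, 0)
    alg_tag, alg, pos = _der_read(body, 0)
    oid_tag, oid, _ = _der_read(alg, 0)
    if (tag, alg_tag, oid_tag, oid) != (0x30, 0x30, 0x06, RSA_OID):
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    bits_tag, bits, _ = _der_read(body, pos)
    if bits_tag != 0x03 or bits[0] != 0:              # BIT STRING with zero unused bits
        raise ValueError("malformed subjectPublicKey")
    _, rsapub, _ = _der_read(bits, 1)
    n_tag, n, pos = _der_read(rsapub, 0)
    e_tag, e, _ = _der_read(rsapub, pos)
    if n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def parse_dkim_record(txt_strings):
    """Concatenate the TXT strings (no separator, RFC 6376 3.6.2.2), parse the tags,
    and return the key material plus the flags a verifier acts on."""
    tags = {}
    for item in "".join(txt_strings).split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = "".join(v.split())       # whitespace inside values is ignored
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unsupported record version " + tags["v"])
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported key type " + tags["k"])
    flags = set(tags.get("t", "").split(":"))
    info = {"revoked": tags.get("p", "") == "",       # empty p= means the key is revoked
            "testing": "y" in flags,                  # t=y: treat a failure as if the mail were unsigned
            "strict_domain": "s" in flags}            # t=s: i= domain must equal d=, no subdomains
    if not info["revoked"]:
        info["n"], info["e"] = rsa_public_numbers(base64.b64decode(tags["p"]))
    return info

def identity_allowed(info, d_tag, i_tag):
    """Check a signature's i= identity against its d= under the record's t=s flag."""
    idom, d = i_tag.rsplit("@", 1)[-1].lower(), d_tag.lower()
    return idom == d or (not info["strict_domain"] and idom.endswith("." + d))
```

For this record the parser yields e = 65537 and a 1024-bit modulus, and because of t=s a signature with i=@mail.myproduct.com would be rejected even though the key itself is valid. A record that returns an empty p= is a revoked key, not a missing one; treat both as a hard failure when checking your own zone after publishing.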

Those are the technical details. What you should keep in mind is that authentication is important.

Let's see how the check works on the receiving side.

Your customer's email provider runs an SMTP server that receives your email.

If you enabled DKIM, that server finds the DKIM-Signature header on the message, reads the signing domain (d=) and selector (s=) from it, and queries DNS for the TXT record at selector._domainkey.domain.

That lookup gives the receiving server your public key, and it is what lets anyone check whether the email was signed by your domain.

The private key is never exposed: from the signature and the public key alone, the receiver can tell whether your private key produced that signature.

Because the signature covers the body hash and the headers listed in the h= tag, the receiver also learns whether those headers or the body were altered in transit. Headers that are not listed in h= are not protected, so the list should at least include From, Subject and Date.
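The full round trip, covering both the signing algorithm quoted earlier (body hash, header hash, signature) and the receiving-side lookup and check just described, as an added example that is not code from this page: a stdlib-only Python implementation with a toy RSA-SHA256 (PKCS#1 v1.5) primitive, a dict standing in for DNS, and a constructed sample message. The selector and domain names reuse the page's record; the simulated p= tag holds the raw modulus with e fixed at 65537 rather than the DER SubjectPublicKeyInfo a real record carries, only relaxed/relaxed canonicalization is implemented, and the result strings are simplifications of what a production verifier reports.

```python
"""DKIM (RFC 6376) sign/verify round trip with relaxed/relaxed canonicalization.  Stdlib only:
RSA-SHA256 is a toy PKCS#1 v1.5 implementation and "DNS" is a dict, so it runs offline.  The
simulated p= tag carries the raw modulus (e fixed at 65537), not a DER SubjectPublicKeyInfo."""
import base64, hashlib, math, re, secrets
E = 65537
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo prefix, SHA-256

def _probable_prime(n, rounds=16):          # Miller-Rabin; adequate for a toy key, not for production
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and all(pow(x, 2 << i, n) != n - 1 for i in range(r - 1)):
            return False
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(c):
            return c

def generate_rsa_key(bits=1024):
    """Return (n, d).  1024 bits keeps the toy fast; publish 2048-bit keys in practice."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and math.gcd(E, (p - 1) * (q - 1)) == 1:
            return p * q, pow(E, -1, (p - 1) * (q - 1))      # modular inverse needs Python 3.8+

def _pkcs1_encode(data, k):                 # EMSA-PKCS1-v1_5 with SHA-256, k bytes long
    t = SHA256_DIGESTINFO + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rsa_sha256_sign(n, d, data):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_pkcs1_encode(data, k), "big"), d, n).to_bytes(k, "big")
def rsa_sha256_verify(n, data, sig):
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), E, n).to_bytes(k, "big") == _pkcs1_encode(data, k)

def relaxed_header(name, value):            # lowercase name, unfold, collapse WSP, strip ends
    return name.lower() + ":" + re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip() + "\r\n"
def relaxed_body(body):                     # collapse WSP, strip line ends, drop trailing empty lines
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)
def body_hash(body):                        # the bh= tag: hash-alg(canon_body)
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()
def _tags(value):                           # "k=v; k=v" -> dict; whitespace inside values is ignored
    return {k.strip(): re.sub(r"\s", "", v) for k, v in (t.split("=", 1) for t in value.split(";") if "=" in t)}

def _header_hash_input(headers, signed, sig_value):
    # canon_header || DKIM-SIG: last instance of each h= field, then DKIM-Signature with empty b=, no CRLF
    fields = [[h for h in headers if h[0].lower() == name] for name in signed]
    out = "".join(relaxed_header(*found[-1]) for found in fields if found)
    return out + relaxed_header("DKIM-Signature", sig_value).rstrip("\r\n")

def dkim_sign(headers, body, domain, selector, n, d, signed=("from", "to", "subject", "date")):
    """Sender side: return the DKIM-Signature header value for the message."""
    value = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
             f"h={':'.join(signed)}; bh={body_hash(body)}; b=")
    sig = rsa_sha256_sign(n, d, _header_hash_input(headers, signed, value).encode())
    return value + base64.b64encode(sig).decode()

def dkim_verify(headers, body, zone):
    """Receiver side: fetch the key from `zone` (a dict standing in for DNS), recompute bh=, check b=."""
    sig_value = next((v for k, v in headers if k.lower() == "dkim-signature"), None)
    if sig_value is None:
        return "none", "no DKIM-Signature header"
    t = _tags(sig_value)
    if (t.get("v"), t.get("a"), t.get("c")) != ("1", "rsa-sha256", "relaxed/relaxed"):
        return "permerror", "unsupported signature parameters"
    rec = _tags(zone.get(f"{t.get('s')}._domainkey.{t.get('d')}", ""))
    if rec.get("v", "DKIM1") != "DKIM1" or not rec.get("p"):   # no record, or empty p= (key revoked)
        return "permerror", "no usable key record in DNS"
    if body_hash(body) != t.get("bh"):
        return "fail", "body hash mismatch: body altered in transit"
    stripped = re.sub(r"(^|;)(\s*)b=[^;]*", r"\1\2b=", sig_value)   # DKIM-SIG sans the signature value
    data = _header_hash_input(headers, t.get("h", "").lower().split(":"), stripped).encode()
    n = int.from_bytes(base64.b64decode(rec["p"]), "big")
    if not rsa_sha256_verify(n, data, base64.b64decode(t.get("b", ""))):
        return "fail", "signature mismatch: a signed header was altered, or wrong key"
    return "pass", f"signed by d={t['d']} s={t['s']}"

# Constructed sample message (not from the page); selector and domain follow the page's record
HEADERS = [("From", "Hello <hello@myproduct.com>"), ("To", "customer@example.net"),
           ("Subject", "Welcome to myproduct"), ("Date", "Tue, 12 Sep 2017 09:00:00 +0000")]
BODY = "Hi there,\r\n\r\nThanks for signing   up.\r\n\r\n\r\n"

def demo():
    n, d = generate_rsa_key()
    pub = base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big")).decode()
    zone = {"1505000725.myproduct._domainkey.myproduct.com": "v=DKIM1; k=rsa; p=" + pub}
    msg = [("DKIM-Signature", dkim_sign(HEADERS, BODY, "myproduct.com", "1505000725.myproduct", n, d))] + HEADERS
    forged = [(k, "URGENT: act now" if k == "Subject" else v) for k, v in msg]
    return {"intact": dkim_verify(msg, BODY, zone)[0],
            "whitespace_only": dkim_verify(msg, BODY.replace("   ", " "), zone)[0],  # relaxed c14n tolerates this
            "body_edited": dkim_verify(msg, BODY.replace("Thanks", "Pay now"), zone)[0],
            "subject_edited": dkim_verify(forged, BODY, zone)[0]}
```

demo() returns pass for the intact message and for a copy whose only change is whitespace that relaxed canonicalization removes, and fail when the body or a signed header (here Subject) is edited after signing. A header outside the h= list could be rewritten without changing the result, which is why From, Subject and Date belong in h=; and a record missing from the zone gives permerror rather than fail, which is the symptom of publishing under the wrong selector name.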

This is a routine check: the SMTP servers of Google, Yahoo and every other email provider verify the signature automatically on each message, so it matters most when you send regular campaigns.

If the check fails, or there is no signature at all, the email is more likely to be flagged; at campaign scale it will be treated as spam, and your sending IP can end up blacklisted.