As I wrote in the article “10 Tips for Auditing & Improving Mail Server Performance”, DKIM or DomainKeys is one feature that can be used to increase the acceptance rate (eligibility) of email on the destination mail server.
A DomainKeys or DKIM signature basically allows good senders to “sign” a message to prove that it really did come from them. This is done by signing outgoing mail with a specific code that corresponds to the domain name and the identity of the mail server, so the mail is considered valid and convincing as coming from an authorized sender.
DomainKeys Identified Mail (DKIM) is a technology designed to make it difficult or impossible for criminals to steal the identities of legitimate organizations. This authentication technology allows good senders to “sign” a message to prove that it really did come from them.
DKIM was originally written as a sender authentication protocol, developed to address the problem of forged email messages. Yahoo! released the DomainKeys specification and Cisco released the Internet Identified Mail specification. Both methods are based on cryptographic message signing. The two efforts have been merged, and the combined specification is known as DomainKeys Identified Mail (DKIM).
The problem is that DKIM is not very easy to set up. We need to configure the mail server and also add a TXT record to the public DNS server. Not all providers allow us to add or modify TXT records. In some cases, we must open a support ticket so that they create the TXT record according to our requirements. If so, how can we check that the TXT record they created is correct?
There are 4 ways to test DKIM records in DNS:
- By using the CLI with the following command: dig namaselector._domainkey.namadomain.tld TXT (where namaselector is the selector name and namadomain.tld is the domain name), for example: dig selector._domainkey.vavai.web.id TXT. Below is an example of the response:
    # dig selector._domainkey.vavai.web.id TXT
    ; <<>> DiG 9.7.1-P2 <<>> selector._domainkey.vavai.web.id TXT
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR,
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;selector._domainkey.vavai.web.id. IN TXT
    ;; ANSWER SECTION:
    selector._domainkey.vavai.web.id. 172800 IN TXT "v=DKIM1; r=postmaster; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJ5IZT5e5nvmkotroz5ylTlwU8yEEZ+v/576aI+w6TkbP4XibYxDsWVweXXtVeQQmw8AwYuK5R9b373Xqu+Hv9HNAJoAteKF/qlKcZc5Akhj5B7P1imXaurZkkIBp63yBZyZRralzQYNT3UrVB7M/xONMWXcU9xm7Zv1PzH1Y1OQIDAQAB"
    ;; Query time: 85 msec
    ;; SERVER: 192.168.1.1
    ;; WHEN: Mon Dec 5 08:18:00 2011
    ;; MSG SIZE rcvd: 316
- By using the web: http://dkimcore.org/tools/dkimrecordcheck.html. Type the name of the selector and the domain name, then click the Check button.
- By sending a blank email to one of the following addresses: firstname.lastname@example.org, email@example.com or firstname.lastname@example.org, and checking the response.
- By sending an email to a Gmail or Yahoo address and checking the Signed By message header.
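Once dig returns the record, its contents can also be checked offline. The following Python check is an added example, not part of the original article: it parses the TXT value from the dig answer above, flags tags that RFC 6376 does not define for key records, and reads the RSA key size out of p=. The function names are assumptions chosen for this example.

```python
import base64

KNOWN_TAGS = {"v", "h", "k", "n", "p", "s", "t"}   # key-record tags in RFC 6376

def parse_dkim_record(txt):
    """Split a DKIM TXT value into an ordered {tag: value} dict."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {name.strip(): "".join(value.split()) for name, value in pairs}

def _der_read(buf, pos):    # read one DER element -> (content, next_pos)
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = length size
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    return buf[pos:pos + length], pos + length

def rsa_key_bits(p_value):
    """Modulus size in bits of a base64 SubjectPublicKeyInfo holding an RSA key."""
    spki, _ = _der_read(base64.b64decode(p_value, validate=True), 0)
    _, pos = _der_read(spki, 0)             # skip AlgorithmIdentifier
    bit_string, _ = _der_read(spki, pos)
    rsa_key, _ = _der_read(bit_string[1:], 0)   # [0] is the unused-bits count
    modulus, _ = _der_read(rsa_key, 0)      # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(txt):
    """Return a list of findings for a DKIM key record; empty means no findings."""
    tags, findings = parse_dkim_record(txt), []
    if "v" in tags and (tags["v"] != "DKIM1" or next(iter(tags)) != "v"):
        findings.append("v= must be DKIM1 and must be the first tag")
    findings += [f"{name}= is not an RFC 6376 key tag; verifiers ignore it"
                 for name in sorted(set(tags) - KNOWN_TAGS)]
    if tags.get("k", "rsa") != "rsa":
        findings.append("k= is not rsa; key size not checked")
    elif not tags.get("p"):
        findings.append("p= is missing or empty (empty means revoked)")
    else:
        try:
            bits = rsa_key_bits(tags["p"])
        except (ValueError, IndexError):
            findings.append("p= is not a valid base64 RSA public key")
        else:
            if bits < 2048:
                findings.append(f"RSA key is {bits} bits; RFC 8301 recommends 2048+")
    return findings

RECORD = ("v=DKIM1; r=postmaster; g=*; k=rsa; p="   # TXT value from the dig answer
          "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJ5IZT5e5nvmkotroz5ylTlwU8yEEZ+v"
          "/576aI+w6TkbP4XibYxDsWVweXXtVeQQmw8AwYuK5R9b373Xqu+Hv9HNAJoAteKF/qlKcZ"
          "c5Akhj5B7P1imXaurZkkIBp63yBZyZRralzQYNT3UrVB7M/xONMWXcU9xm7Zv1PzH1Y1OQIDAQAB")
```

Calling check_dkim_record(RECORD) returns one finding per issue; the same function can be fed the quoted string from any dig TXT answer.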
Hopefully this helps you check whether your DKIM records meet the standard or still require modification.