A DKIM FAQ from SendGrid’s Email Compliance Team

Best Practices

DKIMMaking sure your email is getting delivered to the right person at the right time in the right frequency with the right message is the key for email deliverability. SendGrid’s email compliance team lives and breathes all things email, but we also know that not everyone shares our passion and knowledge. To better help you get your next email delivered, we’re providing the most frequently asked questions and answers about DKIM:

What is DKIM?

  • DKIM stands for Domain Keys Identified Mail.

  • It is a cryptographic technology created by Cisco and Yahoo.

  • DKIM is the 2nd version of this technology, the original version is Domain Keys.

  • DKIM allows senders to publish a public key that an ISP will use to verify that the email message didn’t change in transit and the sender can take ownership of the content.

How does DKIM work?

  • A sender adds a private key on their mail servers and signs the message.
  • The receiving server checks the public key stored in the txt record of dkimselector._domainkey.domain.com to validate the private key added by the sender.

What are the top DKIM tips?

  • DKIM needs to be the last thing added to the message before it’s sent. If a signature, blank space, another header – anything – is added after, it will fail.
  • The header, or both the header and the body can be signed. Gmail recommends that you sign both.
  • The Yahoo feedback loop is based on a senders DKIM signature, they use parts of the signature to match a sender with a complaint. If you’re not using DKIM, (or Domain Keys) you can’t use the Yahoo feedback loop.
  • Most SendGrid customers will have our standard DKIM inserted into the header automatically.

How is SPF different from DKIM?

SPF allows senders to tell ISPs which IPs are able to send on their behalf. DKIM allows ISPs to verify that the content sent is what the original sender intended.

Why are both needed?

Neither SPF or DKIM fully secure an email. Each is missing an important piece. SPF is missing message verification and DKIM is missing a way to verify where the message is coming from. Both are needed to be a secure email sender.

How does DMARC relate to SPF and DKIM?

DMARC allows a sender to tell ISPs how to handle mail that doesn’t pass SPF or DKIM.

Are there any resources out there that I can use to learn more about DKIM?

Of course, check out: http://dkimcore.org/tools/keycheck.html and http://www.dkim.org/.

To learn more about implementing DKIM, SPF, or DMARC with your SendGrid account and messages, you can contact SendGrid Support.

More Posts by Luke
Luke is a software developer with a passion for solving tough problems. He's been tasked with building tools that automate and simplify the work of SendGrid's compliance and delivery teams. He loves that SendGrid encourages him to grow as a developer, and he hopes to pay it forward by doing everything he can to help SendGrid grow as a company.