DKIM Troubleshooting Guide
DKIM Troubleshooting Guide
- March 29, 2022
- Posted by: Nicola Selenu
- Category: DKIM , Email Authentication , GUIDES ,
Intro to the DKIM Troubleshooting Guide
What is DKIM
DKIM (Domain Keys Identified Mail) is an email authentication technique that allows the receiver to check that an email was indeed sent and authorized by the owner of that domain. This is done by giving the email a digital signature. This DKIM signature is a header that is added to the message and is secured with encryption.
TopDeliverability DKIM Field Manual
This DKIM Troubleshooting Guide wants to provide an easy way to solve common issues and mistakes while dealing with DKIM records. It’s meant to be read and used by everyone, regardless their level of knowledge and understanding of Email Authentication.
In order to make this DKIM Guide a true “Field Manual”, the main focus is on Common Mistakes (and Solutions) with regards to DKIM Records.
DKIM Syntax For Dummies
If you are interested in learning DKIM and Email Authentication in more detail, Top Deliverability provides Advanced Deliverability Courses.
For the purpose of this DKIM guide, this is all that you need to know:
- DKIM works with 2 keys: a private and a public key.
- DKIM private key is implemented by the sending infrastructure to “digitally sign” the outgoing messages.
- DKIM public key is published as a TXT record on the DNS of a sending domain and it allows recipients (ISPs) to validate the message.
- The record location for the public key is defined by the “selector”:
So, for example, if the selector is “dk1” and the domain is “topdeliverability.com”, the DKIM key will be published on:
The TXT record with the DKIM key will look like this:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCDsRhw52Ldz6Cz4LYdSfDdCGi1x+SmR/xT+6PhGzvZfEgQN8SzRrQBnvmTW/Rizuivul+iq4bbS3Dc4S0ZoDkdG30jr4NRK35lGcDRWUV3XYsgX8Y5FzTFP73dbO9vHv3UVxmH0/giIOZ2j4xzIad7VHjn2AvDUafv2UkIwk/qlQIDAQAB
It’s a single string with a few elements:
v=identifies the string as a DKIM record (DKIM1)
k=indicates the key algorithm. Can be omitted (then
p=contains the encoded public key.
Table of Contents
INTRO TO DKIM TROUBLESHOOTING
What is DKIM
TopDeliverability DKIM Field Manual
DKIM Syntax for Dummies
COMMON DKIM MISTAKES
Common DKIM Mistakes
A common mistake while publishing a DKIM key is using a mistyped string. Forgetting a character, changing the case of the characters or adding extra spaces will immediately invalidate your key.
HOW TO FIX IT: make sure to check the validity of your key with an external tool (for example: dkimcore.org). This will tell you immediately if you entered a correct value or not.
If you are have multiple mailstreams (= using multiple platforms and infrastructures to send emails) you are probably signing DKIM with different keys. Those keys should be hosted on different location, so they should have different selectors.
HOW TO FIX IT: make sure to use the right selector for each of your mailstreams. Do not mix up their content and do not use the same selector for multiple mailstreams!
EXAMPLE: ActiveCampaign uses the dk selector. Campaign Monitor the cm selector. MailChimp uses mandrill. They are different with a different key.
Some DNS providers auto-append your domain name so you don’t have to type it – others will require you to type the full location. If you do the latter with a provider that auto-appends your domain, you will end publishing the key on a wrong location. Something like
._domainkey<.mydomain.com><.repeateddomain.com> instead of
HOW TO FIX IT: If you can’t find your DKIM key after publishing or if you are not able to sign your message, make sure to double check if you published it on the wrong location by mistake.
Switching the host name and value field
Especially if you are not too familiar with DNS, or you don’t implement records too often, you might inadvertently switch the content of the hostname and the value.
HOW TO FIX IT: double check with an external DNS Tool to make sure the content of the fields are not reversed.
Improper DKIM Alignment
Especially with regards to DMARC compliance, a common issue is to DKIM sign on the domain (d=) different from the sending domain (5322.From).
Those domains should match or DMARC (if present) will fail. Even in absence of a DMARC record, DKIM alignment is considered a positive signals that more and more ISPs expect from a legitimate sender.
HOW TO FIX IT: make sure that you are DKIM signing all your messages using your sending domain. 5322.From domain and d= domain must match.
Oversigning is about signing some headers twice just by including it multiple times in the list of fields to sign. It helps mitigate DKIM replay attacks by enforcing that there is only a single, unchanged copy of sensitive headers and they cannot be added afterwards, in case they are not provided initially (check RFC6376 5.4).
HOW TO FIX IT: Make sure to sign the “
To:” Header twice. Consider oversigning
Reply-To: as well.
Not setting an Expiration Time
x= is the DKIM signature expiration time. The value of this tag must be greater than the value of the timestamp (
t=). DKIM signatures may be considered invalid if the verification time at the verifier is past the expiration date.
The purpose of setting DKIM signature expiration is to prevent attackers from replaying an old message.
Since replay attacks are likely to be automated (they can be executed in a relatively short time frame) and the DKIM expiration tag may invalidate legit mail (e.g. sitting in the queue for a long time) this option should be considered very carefully.
HOW TO FIX IT: Implement a
DKIM Signing way too many headers
It is recommended to DKIM sign as many headers as you can but please, do it carefully. Unfortunately doing so indiscriminately might be resource expensive AND, just by adding complexity, it increases the risk of hashing errors – so we think caution should be recommended.
HOW TO FIX IT: Sign as many headers you can ..without breaking anything. Make sure to not sign anything that might change, for example, when the message is forwarded.
DKIM key is too long
You can be tempted to use a big DKIM key to sign your emails. While it’s important to have a DKIM key with a length of at least 1024Bit (and sha256 as an algorithm), it’s also important to avoid keys equal or longer than 4096Bit that can be too big to handle for many systems out there.
HOW TO FIX IT: Please use keys with a length of 1024 or 2048 Bit and a secure algorithm. Frequently rotate your keys for improved security.
DKIM Key sharing
Every sender should have a unique key. If your key is shared across other senders there is a problem. Sometimes ESPs are too lazy to generate a unique key for each customer.
HOW TO FIX IT: contact your ESP and ask them to generate a custom key for you.
No Key Rotation
Not rotating keys is terrible from a security point of view. With enough time or processing power a malicious actor can defeat DKIM keys, allowing them to literally impersonate you and your business. That’s why replacing older keys with newer keys (AKA Key Rotation) regularly is strongly recommended.
HOW TO FIX IT: Rotate your Keys frequently. If you cannot automate the process, make sure to allocate some dedicated time every 3-6 months.
EXAMPLE: It’s common to use 2 keys at the same time during the transition period.
If you liked this DKIM Troubleshooting Guide,
you will love the SPF Troubleshooting Guide
and the DMARC Troubleshooting Guide!
Author: Nicola Selenu
- Term: Cryptographic Signature
- Term: Email Marketing
- Term: Authentication
- Term: Deliverability
- Term: Infrastructure
- Term: Sending Domain
- Term: Malicious Actor
- Term: DKIM alignment
- Term: Key Rotation
- Term: Encryption
- Term: TXT Record
- Term: Receiver
- Term: Campaign
- Term: RFC6376
- Term: Contact
- Term: Header
- Term: Domain Message Authentication Reporting & Conformance (DMARC)
- Term: Sender
- Term: SHA256
- Term: DomainKeys Identified Mail (DKIM)
- Term: Domain Name System (DNS)
- Term: Internet Service Provider (ISP)
- Term: RSA
- Term: Email Service Provider (ESP)
- Term: DomainKeys (DK)