DKIM (DomainKeys Identified Mail) is a method to validate the authenticity of email messages. Each email is signed as it is sent using a private key, and the receiving mail server (or ISP) validates that signature using the matching public key published in DNS. This process verifies that the message was not altered in transit.
Why should I have a DKIM record?
While DKIM isn't required, emails signed with DKIM appear more legitimate to your recipients and are less likely to land in Junk or Spam folders. Like SPF, passing DKIM is required for Domain-based Message Authentication, Reporting & Conformance (DMARC), a newer standard for reducing email spoofing that builds on top of SPF and DKIM.
In addition to verifying the authenticity of an email message, DKIM also provides a way for ISPs to track and build a reputation on your domain’s sending history. This is why we strongly encourage signing DKIM with your own domain, allowing you to build a reputation as opposed to using our sending domain. This reputation is portable and will help you control your reputation and sending practices across multiple sources.
How does DKIM work?
Similar to SPF, DKIM also uses DNS TXT records with a special format. When a private/public key pair is created, the public key is added to your domain’s DNS:
pm._domainkey.domain.com IN TXT "k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOCTHqIIQhGNISLchxDvv2X8NfkW7MEHGmtawoUgVUb8V1vXhGikCwYNqFR5swP6UCxCutX81B3+5SCDJ3rMYcu3tC/E9hd1phV+cjftSFLeJ+xe+3xwK+V18kM46kBPYvcZ/38USzMBa0XqDYw7LuMGmYf3gA/yJhaexYXa/PYwIDAQAB"
Unlike SPF, you can maintain many DKIM records for various sending sources. Each DKIM record is identified using a selector. In the case above, the selector is pm as a way to identify Postmark. By using a different key pair for each provider, you can easily revoke or renew DKIM records as needed.
Postmark uses 1024-bit DKIM keys to sign emails.
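As an added example (not Postmark's own code) of what a verifier does with the record above: it builds the DNS name from the selector, parses the TXT data into its tag=value pairs, and decodes the p= tag to see what kind of key it holds and how large it is. The sample record is the page's pm selector record; the record, tag and DNS naming rules follow RFC 6376.

```python
import base64
import re

# Constructed sample: the record shown on the page for selector "pm", in zone-file form
# ("\;" is a zone-file escape; the TXT data a verifier actually fetches has a plain ";").
SAMPLE_RECORD = (
    r"k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOCTHqIIQhGNISLchxDvv2X8NfkW7MEH"
    r"GmtawoUgVUb8V1vXhGikCwYNqFR5swP6UCxCutX81B3+5SCDJ3rMYcu3tC/E9hd1phV+cj"
    r"ftSFLeJ+xe+3xwK+V18kM46kBPYvcZ/38USzMBa0XqDYw7LuMGmYf3gA/yJhaexYXa/PYwIDAQAB"
)

def dkim_dns_name(selector, domain):
    return f"{selector}._domainkey.{domain}"  # owner name a verifier queries for this selector

def parse_dkim_record(txt):
    """Split a DKIM TXT record into tag=value pairs; whitespace inside a value is folding."""
    tags = {}
    for item in re.split(r"\\?;", txt):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def _der(buf, pos=0):
    """Read one DER element at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Modulus size of the DER SubjectPublicKeyInfo that the p= tag carries (base64-decoded)."""
    _, body, _ = _der(spki)                 # SubjectPublicKeyInfo SEQUENCE
    _, alg, pos = _der(body)                # AlgorithmIdentifier SEQUENCE
    if _der(alg)[1] != bytes.fromhex("2a864886f70d010101"):   # OID rsaEncryption
        raise ValueError("not an rsaEncryption key")
    _, bits, _ = _der(body, pos)            # BIT STRING; byte 0 is the unused-bit count
    _, rsapub, _ = _der(bits[1:])           # RSAPublicKey SEQUENCE
    modulus = _der(rsapub)[1]               # INTEGER n; a leading 0x00 pad does not change it
    return int.from_bytes(modulus, "big").bit_length()

def inspect_dkim_record(txt):
    """Return the RSA modulus size, or raise if the record cannot be used to verify signatures."""
    tags = parse_dkim_record(txt)
    if tags.get("k", "rsa") != "rsa":
        raise ValueError(f"unsupported key type {tags['k']}")
    if not tags.get("p"):                   # RFC 6376: an empty p= tag means the key is revoked
        raise ValueError("key revoked (empty p= tag)")
    return rsa_modulus_bits(base64.b64decode(tags["p"]))
```

Running `inspect_dkim_record(SAMPLE_RECORD)` on the page's record reports 1024, matching the key size stated above; an empty p= tag is rejected, which is how a revoked selector looks to a verifier.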