The Apache Software Foundation

What is a DKIM Record?

DKIM (DomainKeys Identified Mail, RFC 6376) is an email authentication standard that lets a domain take responsibility for a message by signing it, so that a receiving server can check both that the message was authorized by that domain and that the signed parts were not altered in transit between the sending and recipient servers.

It uses public-key cryptography: as a message leaves the sending server, selected header fields and the body are signed with a private key and the signature is added as a DKIM-Signature header. Recipient servers fetch the matching public key from a TXT record in the signing domain's DNS and use it to verify that the signature was produced by a key the domain published, and that the signed headers and the body have not changed during transit.

If the signature verifies with the published public key, the message passes the DKIM check: the domain named in the signature's d= tag has vouched for it. That is all DKIM asserts; it does not by itself prove that the From: address is genuine (tying the d= domain to the From: domain is DMARC's job), nor that the content is safe.

The process of setting up DKIM can be split into the following steps:

  • Choose a DKIM selector.
  • Generate a public-private key pair.
  • Publish the selector and public key by creating a DKIM TXT record.
  • Sign each outgoing email with the private key, adding a DKIM-Signature header.

Before we begin, you might wonder what a DKIM selector is.

In short, a selector is a label that the signer records in the s= tag of the DKIM-Signature header. It tells verifiers which key to fetch, which is what allows one domain to publish several keys at once (for key rotation, or for different mail streams). A selector can be any valid DNS label, such as a word, a number, or a string of letters and digits.

For example, if you choose james3 as your selector, the DKIM record name becomes james3._domainkey under your domain, i.e. james3._domainkey.domain.example.com.

Generate RSA Key Pair for DKIM

You can generate the RSA key pair with openssl. ssh-keygen also works, but only if you tell it to write PEM output (-m PEM) rather than its native OpenSSH format, which DKIMSign does not read.

Please note that 1024-bit keys are still common and are the minimum that verifiers accept: RFC 8301 requires verifiers to handle keys from 1024 to 4096 bits and to reject anything shorter, and recommends that signers use at least 2048 bits. Before choosing 2048 bits, check what your DNS provider can publish: a 2048-bit public key makes the p= value longer than the 255-octet limit of a single TXT string, so the record has to be entered as several quoted strings that resolvers concatenate, and some control panels cannot do that.

Generate a 2048-bit RSA key (fall back to 1024 only if your DNS provider cannot publish the longer record):

$ openssl genrsa -out private.pem 2048

Export the RSA Public Key to a file:

$ openssl rsa -in private.pem -outform PEM -pubout -out public.pem

Both generated files are PEM-encoded signing keys in plain text (base64 DER between BEGIN and END lines); the public key below is a 1024-bit example. Keep private.pem readable only by the account that runs Apache James.

-----BEGIN RSA PRIVATE KEY-----
[Your Private Key]
-----END RSA PRIVATE KEY-----

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxMwUfjQbppE2EK4T2IDuiLRvZ
4opSwJwxani/5Ii5VbqMQRfoedUMuczK5qKJuIupTnh9AhJfaAsGUSruCVlGYXq6
bqfak3XGHGu4s0rAXRM6Y3usgy8RyxfWQqtYbEZPIwkLGPbPeIh2t8s3mL9fD9+t
pO5H1Kc+9MBTMm7qnQIDAQAB
-----END PUBLIC KEY-----

Online tools such as DKIM Wizard can also produce a key pair for DomainKeys and DKIM signing, but a private key generated on a third-party website has already left your control and should be treated as compromised. Generate the key locally with the commands above.

Create DKIM TXT record

Log in to your DNS provider's control panel and create a TXT record under your domain:

Record Type: TXT Record
Host Name: james3._domainkey
Text: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNAD[...Your Public Key...]

The p= value is the base64 body of public.pem with the BEGIN/END lines and the line breaks removed. If it is longer than 255 characters (which any 2048-bit key is), enter it as several quoted strings; verifiers join them before reading the tags.

Configure DKIMSign mailet

Lastly, add the DKIMSign mailet to conf/mailetcontainer.xml in your Apache James installation. The s= tag of the signatureTemplate must be your selector and d= your signing domain; bh= and b= are left empty because the mailet fills them in for each message it signs. Since this file now contains the private key, restrict its permissions to the account James runs as.

[...]
<processors>
  <processor state="relay" enableJmx="true">
    <mailet match="All" class="org.apache.james.jdkim.mailets.DKIMSign">
      <signatureTemplate>v=1; s=james3; d=domain.example.com ; h=from : reply-to : subject : date : to : cc : resent-date : resent-from : resent-sender : resent-to : resent-cc : in-reply-to : references : list-id : list-help : list-unsubscribe : list-subscribe : list-post : list-owner : list-archive; a=rsa-sha256; bh=; b=;</signatureTemplate>
      <privateKey>
      -----BEGIN RSA PRIVATE KEY-----
      [Your Private Key]
      -----END RSA PRIVATE KEY-----
      </privateKey>
    </mailet>
  </processor>
</processors>
[...]

Verifying DKIM Record

To query the DKIM key you have to know the selector, since the record lives at selector._domainkey.domain and selectors are not discoverable from DNS alone:

$ dig txt james3._domainkey.domain.example.com
; <<>> DiG 9.16.1-Ubuntu <<>> txt james3._domainkey.domain.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39673
;; flags: qr rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;james3._domainkey.domain.example.com IN TXT

;; ANSWER SECTION:
james3._domainkey.domain.example.com. 0 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNAD[...Your Public Key...]"
[...]
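The record-building step above and this verification step are two ends of the same pipeline, so the following added example (my own code, not part of the original page and not Apache James code) does both: it turns the PEM public key shown earlier on this page into the selector._domainkey TXT record, splits it into the 255-octet strings a zone file needs, and then parses the rdata back the way dig prints it and checks what a verifier would check (the v=, k=, p= tags and the RSA key size from RFC 8301). The embedded key is the page's 1024-bit sample; the selector james3 and domain domain.example.com are assumed names, and the DER parsing is deliberately minimal (enough to read an RSA SubjectPublicKeyInfo, nothing more).

```python
"""Build, zone-format and sanity-check a DKIM TXT record (added example)."""
import base64
import binascii
import re

# Constructed input: the 1024-bit sample public key from this page.
SAMPLE_PUBLIC_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxMwUfjQbppE2EK4T2IDuiLRvZ
4opSwJwxani/5Ii5VbqMQRfoedUMuczK5qKJuIupTnh9AhJfaAsGUSruCVlGYXq6
bqfak3XGHGu4s0rAXRM6Y3usgy8RyxfWQqtYbEZPIwkLGPbPeIh2t8s3mL9fD9+t
pO5H1Kc+9MBTMm7qnQIDAQAB
-----END PUBLIC KEY-----
"""
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def pem_to_p(pem: str) -> str:
    """Drop the BEGIN/END armour and line breaks; what remains is the p= value."""
    lines = (l.strip() for l in pem.splitlines())
    return "".join(l for l in lines if l and not l.startswith("-----"))


def build_record(pem: str) -> str:
    return "v=DKIM1; k=rsa; p=" + pem_to_p(pem)


def zone_strings(record: str, limit: int = 255) -> list:
    """A single TXT <character-string> holds at most 255 octets. A 2048-bit
    key gives a p= of roughly 390 chars, so the record must be published as
    several quoted strings; verifiers concatenate them before parsing."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]


def zone_line(selector: str, domain: str, record: str) -> str:
    quoted = " ".join('"%s"' % s for s in zone_strings(record))
    return "%s._domainkey.%s. IN TXT %s" % (selector, domain, quoted)


def join_txt_strings(rdata: str) -> str:
    """Re-join the quoted strings of a TXT rdata as dig prints them."""
    return "".join(re.findall(r'"([^"]*)"', rdata))


def parse_tags(record: str) -> dict:
    """';'-separated tag=value list; whitespace inside a value is folding
    whitespace and is discarded, so a wrapped p= still decodes."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def _tlv(buf: bytes, pos: int, want: int):
    """Minimal DER reader: returns (value bytes, offset after the element)."""
    if pos >= len(buf) or buf[pos] != want:
        raise ValueError("unexpected DER tag at offset %d" % pos)
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length


def rsa_modulus_bits(p_b64: str) -> int:
    """SubjectPublicKeyInfo = SEQ { AlgorithmIdentifier, BIT STRING { RSAPublicKey } };
    the first INTEGER inside RSAPublicKey is the modulus n."""
    spki = base64.b64decode(p_b64, validate=True)
    body, _ = _tlv(spki, 0, 0x30)
    algid, pos = _tlv(body, 0, 0x30)
    oid, _ = _tlv(algid, 0, 0x06)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("k=rsa but the key is not rsaEncryption")
    bits, _ = _tlv(body, pos, 0x03)
    rsapub, _ = _tlv(bits[1:], 0, 0x30)    # bits[0] is the unused-bits count
    n, _ = _tlv(rsapub, 0, 0x02)
    return int.from_bytes(n, "big").bit_length()


def check_record(rdata: str, min_bits: int = 1024, recommended_bits: int = 2048) -> dict:
    """The checks a verifier applies: RFC 6376 tags and RFC 8301 key size."""
    tags = parse_tags(join_txt_strings(rdata))
    problems, warnings, bits = [], [], 0
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= present but not DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k=%s is not rsa" % tags["k"])
    if not tags.get("p"):
        problems.append("p= empty or missing (an empty p= means the key is revoked)")
    else:
        try:
            bits = rsa_modulus_bits(tags["p"])
        except (ValueError, binascii.Error, IndexError) as e:
            problems.append("p= is not a valid RSA SubjectPublicKeyInfo: %s" % e)
        else:
            if bits < min_bits:
                problems.append("%d-bit key; verifiers reject keys below %d bits" % (bits, min_bits))
            elif bits < recommended_bits:
                warnings.append("%d-bit key; at least %d bits recommended" % (bits, recommended_bits))
    if "y" in tags.get("t", ""):
        warnings.append("t=y: domain is in testing mode, failures are treated as unsigned")
    return {"ok": not problems, "bits": bits, "problems": problems, "warnings": warnings, "tags": tags}


if __name__ == "__main__":
    rec = build_record(SAMPLE_PUBLIC_PEM)
    print(zone_line("james3", "domain.example.com", rec))   # assumed selector and domain
    print(check_record('"%s"' % rec))
```

Run it as-is and the first line printed is the zone-file form of the record for the sample key; feed `check_record` the rdata copied from the ANSWER SECTION of dig (quotes included) to check a record you have actually published. For the page's 1024-bit key the check passes with a single warning that 2048 bits is recommended; an empty or unparsable p=, or a key under 1024 bits, is reported as a hard problem because verifiers will not accept the signature.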