Record Existence

DKIM is a way to authenticate email to prevent forged email from being sent from your domain. When you send email using this method, you cryptographically sign the email with your private key. The receiver can verify that this cryptographic signature is valid by using the public key that you publish via a DNS record.

The DNS record with your public key is a specially formatted TXT record. When using a 3rd party email provider, you implement DKIM by making some DNS CNAME records that point from your domain to your provider. They should handle the rest. For example, if you use Amazon SES, you would add three CNAME records that look something like this (the letters in front will be specific to your domain):

abcdefg._domainkey.example.com CNAME abcdefg.dkim.amazonses.com
hijklmn._domainkey.example.com CNAME hijklmn.dkim.amazonses.com
opqrstu._domainkey.example.com CNAME opqrstu.dkim.amazonses.com


When a receiver gets an email from your domain, they will fetch the CNAME record that is specified in the email. Then they will fetch the DKIM TXT record from your provider and verify the signature.

DKIM fixes most of the problems with SPF. However, there is one weakness in DKIM. It is vulnerable to a "replay attack". If a malicious actor is able to see a copy of an email as it whizzes around the internet, they can use the cryptographic signature in that email to send a duplicate email with some modifications. Since this modified email has a valid signature it will pass the validation. A newer standard called DMARC aims to fix this problem.

To learn more about DKIM and other email authentication mechanisms, please read our article on Best Practices for Sending Email.