Yes, absolutely. The DKIM (DomainKeys Identified Mail) verification process is entirely dependent on performing a DNS lookup. Without a DNS lookup, a receiving mail server would have no way to find the public key required to verify an email's signature. It's a fundamental part of how DKIM is designed to work.
Think of it like this: DKIM attaches a digital signature to your emails. This signature is created using a secret, private key. To check if that signature is valid, the receiver needs the corresponding public key. The public key isn't sent with the email; instead, it's published in your domain's DNS records, where anyone can find it. This is where the DNS lookup becomes essential.
When you send an email with DKIM enabled, your sending mail server uses a private key to generate a unique signature. This signature is added to the email's headers in a field called DKIM-Signature. When the email arrives at its destination, the receiving server kicks off the verification process.
The process follows these general steps:
The DNS record that holds the public key is a simple TXT record. This is a deliberate design choice to use existing, well-established DNS infrastructure. As the official RFC 6376 for DKIM specifies, the only defined query type for DKIM is 'txt'.
Inside this TXT record, you'll find a series of tags. The most important ones are: v=DKIM1, which specifies the version; k=rsa, which indicates the key type (usually RSA); and p=, which contains the actual public key data. The selector allows a domain to have multiple DKIM keys, which is useful for key rotation or for allowing different email service providers to send on your behalf, each with their own unique signature.
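To make the lookup concrete, here is an added example (not code from any mail server or DKIM library) that derives the DNS name a verifier queries from the s= and d= tags of a DKIM-Signature header, then classifies the TXT answer. The sample header, the selector sel2024, the domain example.com and the truncated key are constructed; the actual DNS query and the signature check are left out.

```python
import re

def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            # Simplification: drop all whitespace, which is what folded
            # base64 values (b=, bh=, p=) need before decoding.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_query_name(dkim_signature):
    """Build the name queried for the key: <selector>._domainkey.<domain>."""
    tags = parse_tags(dkim_signature)
    if "s" not in tags or "d" not in tags:
        raise ValueError("DKIM-Signature lacks s= (selector) or d= (domain)")
    return f"{tags['s']}._domainkey.{tags['d']}"

def check_key_record(txt_strings):
    """Classify one TXT answer, given as the list of strings in the record."""
    if not txt_strings:
        return "fail: no key record found"
    # Long keys are split into several 255-byte strings; join them first.
    tags = parse_tags("".join(txt_strings))
    if tags.get("v", "DKIM1") != "DKIM1":
        return "fail: unsupported version"
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        return "fail: unsupported key type"
    if "p" not in tags:
        return "fail: no p= tag"
    if tags["p"] == "":
        return "fail: key revoked (empty p=)"
    return "ok"

# Constructed sample data: not a real signature and not a real key.
SAMPLE_SIGNATURE = ("v=1; a=rsa-sha256; d=example.com; s=sel2024;\r\n"
                    "\th=from:to:subject; bh=Zm9v; b=YmFy")
SAMPLE_TXT = ["v=DKIM1; k=rsa; p=MIIBIjANBgkq", "hkiG9w0BAQEFAAOCAQ8A"]

if __name__ == "__main__":
    print(key_query_name(SAMPLE_SIGNATURE))
    print(check_key_record(SAMPLE_TXT))
```

Running the same checks against the strings returned by a TXT query for the printed name shows whether the record itself, rather than the signature, is the reason a DKIM check fails.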
If the receiving server cannot perform the DNS lookup successfully, the DKIM check cannot be completed. This will almost always result in a DKIM failure. This can happen for a few common reasons:
A failure doesn't necessarily mean the email will be blocked outright, but it removes a critical layer of trust. When combined with DMARC, a DKIM failure can instruct the receiving server to quarantine or even reject the message. Therefore, ensuring your DKIM records are correctly published in DNS is vital for good email deliverability.