Yes, a DKIM (DomainKeys Identified Mail) record is implemented using a TXT record type in your DNS. It's a question I see a lot, and the simple answer is that the DNS system needed a flexible record type to hold the specific text-based information that makes up a DKIM public key.
Fundamentally, a TXT record is just a way to associate a string of text with a domain. While it can be used for various purposes, its role in email authentication is one of its most critical functions today. Protocols like SPF, DMARC, and DKIM all leverage the flexibility of TXT records.
DKIM works on a public-key cryptography model. When you set up DKIM for a sending service, the service generates a key pair: a private key, which it keeps secret, and a public key, which you need to make publicly available. The DNS is the perfect place for this public key, and the TXT record is the tool for the job.
The process looks like this:
This is where a little nuance comes in. While the record containing the DKIM key itself is a TXT record, some email service providers will ask you to create a CNAME record instead.
A CNAME record is essentially an alias. In this scenario, you create a CNAME record that points from your domain to a domain controlled by your email provider. Your provider then hosts the actual TXT record with the DKIM public key. This makes it easier for them to manage and rotate keys without requiring you to update your DNS records manually each time.
So, even if you are asked to add a CNAME, the final destination of that lookup is still a TXT record. The fundamental mechanism remains the same.
When you are creating your DKIM record, you are essentially just copying and pasting a value into the content field of a TXT record in your DNS host's settings. A key thing to be aware of is the character string limit. Most DNS providers limit a single text string within a TXT record to 255 characters.
Since many DKIM keys are longer than this, they must be split into multiple quoted strings within the same TXT record. Most DNS management interfaces handle this automatically for you when you paste in a long key, but it is a common source of validation errors if not handled correctly.
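The splitting and re-joining described above can be checked offline. The following is an added example, not code from any DNS provider or DKIM library: it splits a long record value into quoted strings of at most 255 bytes, then joins and parses them the way a verifier would, rejecting a record whose single string is too long. The function names and the sample key bytes are constructed for illustration.

```python
import base64
import re

MAX_STRING = 255  # one DNS character-string carries at most 255 bytes

# Constructed sample: 294 arbitrary bytes standing in for a public key (not a real key).
SAMPLE_KEY = bytes(range(256)) + bytes(38)
SAMPLE_VALUE = "v=DKIM1; k=rsa; p=" + base64.b64encode(SAMPLE_KEY).decode()

def split_txt_value(value: str) -> str:
    """Render a long TXT value as several quoted strings of <= 255 bytes."""
    chunks = [value[i:i + MAX_STRING] for i in range(0, len(value), MAX_STRING)]
    return " ".join(f'"{c}"' for c in chunks)

def join_txt_strings(rdata: str) -> str:
    """Concatenate the quoted strings with no separator, as a verifier does."""
    strings = re.findall(r'"([^"]*)"', rdata)
    if not strings:
        raise ValueError("no quoted strings in TXT rdata")
    for s in strings:
        if len(s.encode()) > MAX_STRING:
            raise ValueError(f"{len(s.encode())}-byte string exceeds {MAX_STRING}")
    return "".join(strings)

def parse_dkim_record(rdata: str) -> dict:
    """Split tag=value pairs and confirm that p= is well-formed base64."""
    tags = {}
    for part in join_txt_strings(rdata).split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    if "p" not in tags:
        raise ValueError("missing p= tag")
    tags["key_bytes"] = base64.b64decode(tags["p"], validate=True)
    return tags

if __name__ == "__main__":
    record = split_txt_value(SAMPLE_VALUE)
    print(record)
    print(len(parse_dkim_record(record)["key_bytes"]), "key bytes recovered")
```

Running the same check against the value your DNS host actually serves shows whether its interface split the key cleanly or stored it as one oversized string.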
In conclusion, DKIM absolutely uses the TXT record type. It's the standard and correct way to publish the public key required for validation, ensuring your emails are trusted by receiving servers and protecting your domain's reputation.