A custom DKIM (DomainKeys Identified Mail) signature is an email authentication method that allows senders to digitally sign their outgoing emails using their own domain's private key, rather than relying on a shared key provided by their email service provider (ESP). This process enhances email deliverability and sender reputation by verifying the authenticity of the sender and ensuring message integrity.
Key findings
Definition: A custom DKIM signature uses asymmetric cryptography, employing a private key to sign outgoing emails and a corresponding public key published in the sender's DNS records for verification by recipient mail servers.
Authentication: It serves as a digital signature, allowing receivers to confirm that an email was indeed sent by the claimed domain and that its content has not been tampered with in transit. This helps prevent spoofing and phishing attacks.
Control: Implementing a custom DKIM signature gives domain owners greater control over their email authentication, as opposed to using a generic signature shared by many users of an ESP. You can learn more about this difference by reading our guide on how individual versus shared DKIM affects deliverability.
Integration: ESPs typically provide the necessary instructions for adding the DKIM public key as a TXT record to your domain's DNS zone.
Deliverability: Using a custom DKIM signature helps mailbox providers differentiate your email stream from others, which can significantly improve email deliverability and inbox placement.
Universal signing: Ideally, all outbound emails from your domain should be DKIM-signed to ensure consistent authentication and build a reliable sending reputation.
Mail stream segmentation: For enhanced deliverability and reporting, consider using different custom DKIM signatures for distinct types of email streams (e.g., transactional, marketing, corporate). This helps receivers differentiate and assign reputation to each stream independently.
Domain preference: While using an ESP's shared domain for DKIM is an option, using your own domain with a custom signature is always preferable for stronger brand alignment and deliverability benefits.
DNS management: Properly adding and managing the DKIM record in your domain's DNS zone is crucial for successful implementation. Ensure the record is correctly formatted and published.
Email marketers frequently encounter questions about custom DKIM signatures, often from a perspective of practical implementation and impact on campaign performance. Their primary concerns revolve around how custom DKIM affects deliverability, branding, and the ease of setup within their existing email platforms.
Key opinions
Impact on deliverability: Marketers often seek confirmation that a custom DKIM signature directly translates to better inbox placement and improved email deliverability.
Authentication clarity: There's a strong desire to understand how DKIM helps mailbox providers (MBPs) distinguish their email traffic from others, particularly when using a shared ESP infrastructure.
Scope of 'mail stream': Marketers sometimes inquire if email authentication mechanisms like DKIM apply to all emails sent from their domain, or if it's campaign-specific.
Segmentation strategy: They often ask whether different types of emails (e.g., autoresponders vs. marketing) within their organization should each have their own custom DKIM signature.
Brand integrity: A key motivator for custom DKIM is maintaining brand consistency and trust by ensuring emails appear to originate directly from their domain.
Key considerations
ESP configuration: Understanding the specific steps provided by their ESP to add the necessary DNS records is a practical hurdle for many marketers. Our resource on best practices for setting up SPF, DKIM, and DMARC can assist.
Holistic view: For comprehensive email authentication, marketers should consider how custom DKIM integrates with other protocols like SPF and DMARC. This integration is crucial for maintaining a strong sender reputation.
Reputation management: A single custom DKIM signature is generally sufficient for one sending domain, but a large organization with multiple brands or distinct sending purposes might benefit from multiple signatures to segment reputation.
Clarifying confusion: It is important to clearly understand what a custom DKIM signature entails to avoid confusion and properly leverage its benefits for email programs, especially when seen in platforms like Marketo.
Marketer view
Marketer from Email Geeks inquired about the meaning of seeing a 'custom DKIM signature' notification within their email platform (Marketo), indicating a lack of familiarity with the concept.
07 Oct 2020 - Email Geeks
Marketer view
Marketer from Email Geeks asked if using a custom DKIM signature would lead to improved email deliverability, highlighting the core interest in practical benefits.
07 Oct 2020 - Email Geeks
What the experts say
Industry experts consistently emphasize the critical role of DKIM in email authentication and deliverability. Their insights often delve into the technical mechanisms, the strategic benefits for sender reputation, and best practices for implementation, particularly concerning custom signatures.
Key opinions
Core function: Experts define DKIM as an email authentication mechanism that enables senders to apply a digital signature, associating it with a specific domain name for verification.
Cryptographic basis: The process relies on asymmetric cryptography, where a private key signs emails and the public key, published in DNS, is used by recipients for verification.
Universal signing recommended: It is generally advised that all outbound emails be DKIM-signed to ensure consistent authentication and build a strong domain reputation.
Custom DKIM preference: Using your own domain for DKIM signing (a custom DKIM signature) is highly recommended over relying on an ESP's shared domain, as it provides better differentiation and control.
Deliverability benefit: Custom DKIM helps mailbox providers distinguish and assign reputation to your specific email traffic, which directly contributes to improved deliverability rates.
Segmentation for clarity: For organizations with diverse email streams (e.g., corporate, marketing, transactional), using different custom DKIM signatures can help receivers better understand and categorize the nature of the emails, aiding in reputation management. This is also known as DKIM selector management.
Key considerations
DNS setup: The public key must be correctly added to the domain's DNS zone as a TXT record for DKIM verification to function.
Mail stream definition: The 'mail stream' refers to all outbound emails originating from your domain, regardless of their purpose or campaign.
Strategic segmentation: While segmentation by email type (e.g., transactional vs. marketing) is beneficial, it's particularly useful for very large email programs with multiple distinct brands or sending domains. If you're a smaller sender using a single domain, one custom DKIM signature for all emails is often sufficient.
Avoiding blocklists: Proper DKIM implementation, alongside SPF and DMARC, is crucial for preventing your emails from being flagged as spam or landing on a blocklist (or blacklist). These authentication methods signal trustworthiness to receiving servers, helping to preserve your sender reputation.
Expert view
Expert from Email Geeks clarified that the 'custom DKIM signature' message likely indicates the domain is using its own DKIM key rather than an ESP's shared key.
07 Oct 2020 - Email Geeks
Expert view
Expert from Email Geeks explained DKIM as an email authentication mechanism that enables a sender to apply a digital signature and associate it with a domain name.
07 Oct 2020 - Email Geeks
What the documentation says
Official documentation and technical guides provide detailed insights into the functionality, implementation, and best practices surrounding custom DKIM signatures. They highlight its role in email authentication, fraud prevention, and ensuring message integrity during transit.
Key findings
Mechanism: DKIM functions by adding an encrypted digital signature to email headers. This signature is then verified using a public key published in the sender's DNS, ensuring the email's origin and integrity. For more details on selectors, see a practical guide to DKIM selector name examples.
Purpose: Its primary purpose is to stop email spoofing and prevent phishing attacks by validating the sender's identity through cryptographic signatures.
Digital signature: DKIM works like a digital signature, inserting a code into the email header that is subsequently encrypted and checked by the recipient server. Mailjet offers easy steps to set up DKIM.
DNS record: The DKIM selector within the email header helps the recipient's mail server locate the corresponding public key stored in the DNS TXT record for validation.
Combined authentication: DKIM is a key component of a comprehensive email security strategy, working in conjunction with SPF and DMARC to enable email providers to authenticate on behalf of domain owners.
Verification process: When an email is received, the recipient server uses the published public key to verify the encrypted signature in the email header, ensuring the message's authenticity and that it has not been altered.
Key considerations
Consistency: All emails sent from a domain should ideally be DKIM signed to provide consistent authentication signals to receiving servers and improve overall deliverability. This also helps with turning on DKIM for domain reputation.
Record publishing: The DKIM public key must be correctly published in the domain's DNS as a TXT record. Incorrect setup can lead to authentication failures.
Protection against forgery: DKIM protects against forgery, spoofing, and phishing attacks by providing a verifiable link between the email and the sending domain.
Sender trust: Successful DKIM authentication builds trust with recipients and helps mailbox providers recognize legitimate senders, aiding in inbox placement over the spam folder.
Technical article
Documentation from Mailgun states that DKIM (DomainKeys Identified Mail) is an email authentication protocol that validates the true sender of a message using encrypted signatures, preventing email spoofing.
10 Aug 2023 - Mailgun
Technical article
Documentation from Email on Acid clarifies that DKIM authentication involves digital signatures to prevent phishing attacks such as email spoofing.