What is a custom DKIM signature and what are the benefits and best practices for using it?

Key findings

• Definition: A custom DKIM signature uses asymmetric cryptography, employing a private key to sign outgoing emails and a corresponding public key published in the sender's DNS records for verification by recipient mail servers.
• Authentication: It serves as a digital signature, allowing receivers to confirm that an email was indeed sent by the claimed domain and that its content has not been tampered with in transit. This helps prevent spoofing and phishing attacks.
• Control: Implementing a custom DKIM signature gives domain owners greater control over their email authentication, as opposed to using a generic signature shared by many users of an ESP. You can learn more about this difference by reading our guide on how individual versus shared DKIM affects deliverability.
• Integration: ESPs typically provide the necessary instructions for adding the DKIM public key as a TXT record to your domain's DNS zone.
• Deliverability: Using a custom DKIM signature helps mailbox providers differentiate your email stream from others, which can significantly improve email deliverability and inbox placement.
• Synergy: DKIM works best when combined with SPF and DMARC to form a robust email authentication framework, as explained in this Mailgun guide on understanding DKIM. Consider reading our guide on implementing SPF, DKIM, and DMARC.

Key considerations

• Universal signing: Ideally, all outbound emails from your domain should be DKIM-signed to ensure consistent authentication and build a reliable sending reputation.
• Mail stream segmentation: For enhanced deliverability and reporting, consider using different custom DKIM signatures for distinct types of email streams (e.g., transactional, marketing, corporate). This helps receivers differentiate and assign reputation to each stream independently.
• Domain preference: While using an ESP's shared domain for DKIM is an option, using your own domain with a custom signature is always preferable for stronger brand alignment and deliverability benefits.
• DNS management: Properly adding and managing the DKIM record in your domain's DNS zone is crucial for successful implementation. Ensure the record is correctly formatted and published.

Key opinions

• Impact on deliverability: Marketers often seek confirmation that a custom DKIM signature directly translates to better inbox placement and improved email deliverability.
• Authentication clarity: There's a strong desire to understand how DKIM helps mailbox providers (MBPs) distinguish their email traffic from others, particularly when using a shared ESP infrastructure.
• Scope of 'mail stream': Marketers sometimes inquire if email authentication mechanisms like DKIM apply to all emails sent from their domain, or if it's campaign-specific.
• Segmentation strategy: They often ask whether different types of emails (e.g., autoresponders vs. marketing) within their organization should each have their own custom DKIM signature.
• Brand integrity: A key motivator for custom DKIM is maintaining brand consistency and trust by ensuring emails appear to originate directly from their domain.

Key considerations

• ESP configuration: Understanding the specific steps provided by their ESP to add the necessary DNS records is a practical hurdle for many marketers. Our resource on best practices for setting up SPF, DKIM, and DMARC can assist.
• Holistic view: For comprehensive email authentication, marketers should consider how custom DKIM integrates with other protocols like SPF and DMARC. This integration is crucial for maintaining a strong sender reputation.
• Reputation management: A single custom DKIM signature is generally sufficient for one sending domain, but a large organization with multiple brands or distinct sending purposes might benefit from multiple signatures to segment reputation.
• Clarifying confusion: It is important to clearly understand what a custom DKIM signature entails to avoid confusion and properly leverage its benefits for email programs, especially when seen in platforms like Marketo.

Key opinions

• Core function: Experts define DKIM as an email authentication mechanism that enables senders to apply a digital signature, associating it with a specific domain name for verification.
• Cryptographic basis: The process relies on asymmetric cryptography, where a private key signs emails and the public key, published in DNS, is used by recipients for verification.
• Universal signing recommended: It is generally advised that all outbound emails be DKIM-signed to ensure consistent authentication and build a strong domain reputation.
• Custom DKIM preference: Using your own domain for DKIM signing (a custom DKIM signature) is highly recommended over relying on an ESP's shared domain, as it provides better differentiation and control.
• Deliverability benefit: Custom DKIM helps mailbox providers distinguish and assign reputation to your specific email traffic, which directly contributes to improved deliverability rates.
• Segmentation for clarity: For organizations with diverse email streams (e.g., corporate, marketing, transactional), using different custom DKIM signatures can help receivers better understand and categorize the nature of the emails, aiding in reputation management. This is also known as DKIM selector management.

Key considerations

• DNS setup: The public key must be correctly added to the domain's DNS zone as a TXT record for DKIM verification to function.
• Mail stream definition: The 'mail stream' refers to all outbound emails originating from your domain, regardless of their purpose or campaign.
• Strategic segmentation: While segmentation by email type (e.g., transactional vs. marketing) is beneficial, it's particularly useful for very large email programs with multiple distinct brands or sending domains. If you're a smaller sender using a single domain, one custom DKIM signature for all emails is often sufficient.
• Avoiding blocklists: Proper DKIM implementation, alongside SPF and DMARC, is crucial for preventing your emails from being flagged as spam or landing on a blocklist (or blacklist). These authentication methods signal trustworthiness to receiving servers, helping to preserve your sender reputation.

Key findings

• Mechanism: DKIM functions by adding an encrypted digital signature to email headers. This signature is then verified using a public key published in the sender's DNS, ensuring the email's origin and integrity. For more details on selectors, see a practical guide to DKIM selector name examples.
• Purpose: Its primary purpose is to stop email spoofing and prevent phishing attacks by validating the sender's identity through cryptographic signatures.
• Digital signature: DKIM works like a digital signature, inserting a code into the email header that is subsequently encrypted and checked by the recipient server. Mailjet offers easy steps to set up DKIM.
• DNS record: The DKIM selector within the email header helps the recipient's mail server locate the corresponding public key stored in the DNS TXT record for validation.
• Combined authentication: DKIM is a key component of a comprehensive email security strategy, working in conjunction with SPF and DMARC to enable email providers to authenticate on behalf of domain owners.
• Verification process: When an email is received, the recipient server uses the published public key to verify the encrypted signature in the email header, ensuring the message's authenticity and that it has not been altered.

Key considerations

• Consistency: All emails sent from a domain should ideally be DKIM signed to provide consistent authentication signals to receiving servers and improve overall deliverability. This also helps with turning on DKIM for domain reputation.
• Record publishing: The DKIM public key must be correctly published in the domain's DNS as a TXT record. Incorrect setup can lead to authentication failures.
• Protection against forgery: DKIM protects against forgery, spoofing, and phishing attacks by providing a verifiable link between the email and the sending domain.
• Sender trust: Successful DKIM authentication builds trust with recipients and helps mailbox providers recognize legitimate senders, aiding in inbox placement over the spam folder.