DKIM (DomainKeys Identified Mail)

DKIM is an email authentication standard that allows you to digitally sign your emails, enhancing security and trust. If you send more than 5,000 messages per day from your domain, large receivers like Gmail and Yahoo! now require that you sign each message with DKIM and adhere to other requirements. These requirements are discussed in the Appendix below.

DKIM Fields

Include these fields in the personalization object to add a DKIM signature:

  • dkim_domain: The domain for the DKIM signature (d=). Should align with the "From" header domain for DMARC compliance.
  • dkim_selector: The selector for the DKIM signature (s=). Specifies the DNS location of the public key.
  • dkim_private_key: The Base64-encoded private key.

DKIM Setup Process

  1. Generate a private key
  2. Create a corresponding public key
  3. Publish the public key in your domain's DNS records

Info: Third-party services such as Cloudflare's Email Security DNS Wizard can help you create and store your DKIM key in the DNS.

1. Generate Private Key

openssl genrsa 2048 | tee priv_key.pem | openssl rsa -outform der | openssl base64 -A > priv_key.txt

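This creates a 2048-bit RSA private key in PEM form (priv_key.pem) and a Base64-encoded DER copy of it (priv_key.txt). Both files contain the private key, so restrict their permissions and keep them out of version control.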

2. Generate Public Key

echo -n "v=DKIM1;p=" > pub_key_record.txt && \
openssl rsa -in priv_key.pem -pubout -outform der | openssl base64 -A >> pub_key_record.txt

This creates a public key formatted for a DNS TXT record in pub_key_record.txt.

3. Set Up DNS Record

Add a TXT record for selector._domainkey.yourdomain.com with the content of pub_key_record.txt.

Replace selector with your DKIM selector and yourdomain.com with your domain.
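
An added example (not MailChannels code): a Python check to run on the contents of pub_key_record.txt before publishing it. It confirms the v= and p= tags, that p= decodes to an RSA public key of at least 2048 bits (a private key pasted by mistake fails to parse), and splits the value into the 255-byte strings a DNS TXT record allows. The function names are hypothetical.

```python
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1, rsaEncryption

def read_tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def check_dkim_record(record, min_bits=2048):
    """Validate a DKIM TXT value; return the RSA modulus size in bits."""
    record = record.replace('"', "")  # accept quoted, space-separated TXT strings
    tags = {}
    for part in record.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            tags[key.strip()] = "".join(value.split())
    if tags.get("v") != "DKIM1":
        raise ValueError("v= tag must be DKIM1")
    if not tags.get("p"):
        raise ValueError("p= tag is missing or empty")
    der = base64.b64decode(tags["p"], validate=True)
    _, spki, _ = read_tlv(der)          # SubjectPublicKeyInfo SEQUENCE
    _, alg, pos = read_tlv(spki)        # AlgorithmIdentifier SEQUENCE
    _, oid, _ = read_tlv(alg)           # algorithm OID
    if oid != RSA_OID:
        raise ValueError("p= is not an RSA SubjectPublicKeyInfo")
    _, bits, _ = read_tlv(spki, pos)    # BIT STRING, first byte = unused bits
    _, rsa_key, _ = read_tlv(bits, 1)   # RSAPublicKey SEQUENCE
    _, modulus, _ = read_tlv(rsa_key)   # INTEGER n
    size = int.from_bytes(modulus, "big").bit_length()
    if size < min_bits:
        raise ValueError(f"RSA key is {size} bits, expected at least {min_bits}")
    return size

def txt_strings(record):
    """Split a record into the <=255-byte strings a DNS TXT record allows."""
    return [record[i:i + 255] for i in range(0, len(record), 255)]
```

A 2048-bit record is about 400 characters, so txt_strings returns two strings; enter them as separate quoted strings if your DNS provider does not split long TXT values itself.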

Implementation Example

{
  "personalizations": [
    {
      "to": [{"email": "recipient@example.com"}],
      "dkim_domain": "example.com",
      "dkim_selector": "mcdkim",
      "dkim_private_key": "BASE64_ENCODED_PRIVATE_KEY_HERE"
    }
  ],
  "from": {
    "email": "sender@example.com",
    "name": "Sender Name"
  },
  "subject": "DKIM-Signed Email Test",
  "content": [
    {
      "type": "text/plain",
      "value": "This is a DKIM-signed email test."
    }
  ]
}

To use this example:

  1. Replace BASE64_ENCODED_PRIVATE_KEY_HERE with your actual Base64-encoded private key.
  2. Update the dkim_domain and dkim_selector to match your DKIM setup.
  3. Modify the to, from, subject, and content fields as needed.

You can send this payload to the /send endpoint:

curl -X POST "https://api.mailchannels.net/tx/v1/send" \
  -H "X-Api-Key: YOUR-API-KEY" \
  -H "Content-Type: application/json" \
  -d "@payload.json"

Replace YOUR-API-KEY with your actual MailChannels API key, and ensure the JSON payload is saved in a file named payload.json.

Info: Proper DKIM implementation significantly improves email deliverability and reduces the likelihood of your emails being marked as spam.

Appendix: Summary of Gmail's Domain Authentication Requirements

Gmail introduced new email authentication requirements starting in February 2024 to enhance email security and reduce spam. These requirements primarily affect bulk senders who send more than 5,000 emails per day to Gmail accounts, but all senders are encouraged to comply. Here are the key points:

Authentication Requirements

  • SPF and DKIM: Senders must implement both Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) authentication methods.

  • DMARC: A Domain-based Message Authentication, Reporting & Conformance (DMARC) policy must be in place, with at least a p=none setting.

  • Alignment: The visible "From" address must align with either the SPF domain or the DKIM domain.

Additional Requirements

  • DNS Records: Valid forward and reverse DNS records for sending IP addresses are required. This is provided by MailChannels automatically.

  • Unsubscribe Option: Bulk senders must provide a one-click unsubscribe link in their emails and honor unsubscribe requests within two days.

  • Spam Rate: Senders should maintain a spam complaint rate below 0.3%, ideally below 0.1%.

  • Email Standards: Messages must strictly comply with RFC 5322 - Internet Message Format.

By implementing these authentication measures, Gmail aims to create a more secure email environment, reduce spam, and protect users from phishing and other malicious activities.