# What Is a DKIM Record and How Email Signing Works

#### WHAT IS THE DKIM RECORD?

DKIM stands for DomainKeys Identified Mail. DKIM is not really a spam protection technology; it is a cryptographic signature that the mail server (that is, not our own machine) applies to a message when sending it, protecting the message against unauthorized modification. Spam protection takes effect if you add a rule to the domain's TXT record so that the receiving server dismisses all unsigned mail (as all unsigned emails are then, as a rule, fake). This is useful when a few users send email through only 1-2 servers.

<p class="callout info">Signing with the DKIM key is performed by the sending server.</p>

The DKIM signature is usually invisible to the average user.

#### QUERYING DKIM RECORD

For example, on Windows you can use the nslookup command to look up the DKIM record, and on Linux the host command.

Example of a Windows-based nslookup query:

```
nslookup -q=TXT staff._domainkey.dotroll.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
staff._domainkey.dotroll.com    text =

        "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMGy34jPh1A9JPiDN+fHGuLPf0Kb0U752RW8UZti9F4/6BHZVm1aYCNG+QZfy4RAdYTW2uyajuQKigzNemNgAmm6FOEerc+pUFI3CFI3+KzkFcjErSPL6oeZYp1Gs43j3nYb0MJWJttFJZkKKLplPAKq4HccE52Uk3fs+qo4c9UQIDAQAB"
```

Example of a Linux-based host query:

```
host -t TXT staff._domainkey.dotroll.com
staff._domainkey.dotroll.com descriptive text "k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMGy34jPh1A9JPiDN+fHGuLPf0Kb0U752RW8UZti9F4/6BHZVm1aYCNG+QZfy4RAdYTW2uyajuQKigzNemNgAmm6FOEerc+pUFI3CFI3+KzkFcjErSPL6oeZYp1Gs43j3nYb0MJWJttFJZkKKLplPAKq4HccE52Uk3fs+qo4c9UQIDAQAB"
```

#### DKIM RECORD FORMAT

| **Field name** | **Description** |
| --- | --- |
| v= | The record type; the value will typically be `DKIM1`. Required element. |
| k= | The type of the generated key, which can be `dsa` or `rsa`. Required element. |
| g= | Specifies the detail of the key. Not a required element. |
| h= | The permitted hash algorithm, which can be `SHA1` or `SHA256`. Not a required element. |
| n= | A comment can be added here. Not a required element. |
| s= | Defines the service type. Not a required element. |
| t= | The given key can be assigned to a single subdomain name. Not a required element. |
| p= | The public key part of the generated key pair. Required element. |

<p class="callout info">Some service providers limit the length of a TXT record to 255 characters. If the DKIM key you received is longer than 255 characters, the key can be truncated.</p>

For example, the following DKIM key is 411 characters long:

```
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlDv2kr5/XYYmYzy1ynCe25/2AYsLaQtZMvKoXsa1W1qgFfKFKmMw6vhcuLkII8FA8gJG18p9wwoXoP5wNZZOC02u9rrgoZt8FsuQmO6b/QJKNSuHEECr6hVD+H9C9zS9ThuQk2qa3RtVO6apHCcw/DLpQ1DN14kNd7URNQlGZLKFgblGI1NwaCOLvUgqpFP/hOzk5veqG2qh50krPLrg6Lzjvd4pLx/5+n87yvLXian3ZAjcVZ1IqT9O7UQtPu1mwPbjBH+odpc6xF3ZUFUoHLDpgxYmwW3z7lD7vTLErgkhxpzEl1+xQwYKG8IM/ryO85cZ4ADRX7fqj/QUi1mzGwIDAQAB;
```

In this case, the key must be divided into two parts, where the first part is 254 characters long and the second part contains the remaining 156 characters:

```
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlDv2kr5/XYYmYzy1ynCe25/2AYsLaQtZMvKoXsa1W1qgFfKFKmMw6vhcuLkII8FA8gJG18p9wwoXoP5wNZZOC02u9rrgoZt8FsuQmO6b/QJKNSuHEECr6hVD+H9C9zS9ThuQk2qa3RtVO6apHCcw/DLpQ1DN14kNd7URNQlGZLKFgblGI1NwaCOLvUgqpFP/"

"hOzk5veqG2qh50krPLrg6Lzjvd4pLx/5+n87yvLXian3ZAjcVZ1IqT9O7UQtPu1mwPbjBH+odpc6xF3ZUFUoHLDpgxYmwW3z7lD7vTLErgkhxpzEl1+xQwYKG8IM/ryO85cZ4ADRX7fqj/QUi1mzGwIDAQAB"
```

The key can then be added in the DNS management interface, with the subdomain name entered in the domain / subdomain box:

```
default._domainkey 14400 IN TXT "v=DKIM1; k=rsa; p=..."
default._domainkey 14400 IN TXT "hOzk5ve..."
```
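A check for the split described above, as an added example that is not part of the original page: it cuts the record into the 254- and 156-character strings, rejoins them the way a lookup answer is read, and confirms that `p=` still holds a complete RSA key. A record cut off after the first string still decodes as base64 but fails the length check. The function names are chosen for this example, and `RECORD` is the key from this page without its trailing semicolon.

```python
import base64
import re

# The 2048-bit record shown above, without its trailing ';' (410 characters).
RECORD = (
    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlDv2kr5/XYYmYzy1ynCe25/2AYsLaQtZMvKoXsa1W1qgFfKFKmMw6vhcuLkII8FA8gJG18p9wwoXoP5wNZZOC02u9rrgoZt8FsuQmO6b/QJKNSuHEECr6hVD+H9C9zS9ThuQk2qa3RtVO6apHCcw/DLpQ1DN14kNd7URNQlGZLKFgblGI1NwaCOLvUgqpFP/"
    "hOzk5veqG2qh50krPLrg6Lzjvd4pLx/5+n87yvLXian3ZAjcVZ1IqT9O7UQtPu1mwPbjBH+odpc6xF3ZUFUoHLDpgxYmwW3z7lD7vTLErgkhxpzEl1+xQwYKG8IM/ryO85cZ4ADRX7fqj/QUi1mzGwIDAQAB"
)

def split_txt(record, size=255):
    """Cut a record into TXT character-strings of at most `size` characters."""
    if not 1 <= size <= 255:
        raise ValueError("a TXT character-string holds at most 255 bytes")
    return [record[i:i + size] for i in range(0, len(record), size)]

def join_txt(answer):
    """Rebuild the record from the quoted strings that host/nslookup print."""
    return "".join(re.findall(r'"([^"]*)"', answer)).replace("\\;", ";")

def parse_tags(record):
    """Parse 'tag=value; ...' pairs, dropping whitespace inside values."""
    tags = {}
    for item in filter(None, (s.strip() for s in record.split(";"))):
        name, _, value = item.partition("=")
        tags[name.strip()] = "".join(value.split())
    return tags

def _tlv(der, pos):
    """Return (value_start, value_end) of the DER element starting at pos."""
    length, pos = der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_key_bits(p_value):
    """RSA modulus size of the key in p=; ValueError if the key is incomplete."""
    der = base64.b64decode(p_value, validate=True)
    # The outer SubjectPublicKeyInfo SEQUENCE must span exactly the decoded bytes.
    if len(der) < 4 or _tlv(der, 0)[1] != len(der):
        raise ValueError("p= is not a complete key (truncated TXT record?)")
    start, _ = _tlv(der, 0)
    _, alg_end = _tlv(der, start)               # AlgorithmIdentifier
    bits_start, _ = _tlv(der, alg_end)          # BIT STRING wrapping the key
    seq_start, _ = _tlv(der, bits_start + 1)    # skip the unused-bits byte
    mod_start, mod_end = _tlv(der, seq_start)   # modulus INTEGER
    return int.from_bytes(der[mod_start:mod_end], "big").bit_length()
```
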

#### ADDING DKIM RECORD

1. Sign in at [https://admin.dotroll.com](https://admin.dotroll.com/?swcfpc=1) with your username and password.
2. In the top menu bar, click the **Domains** / **My Domains** menu.
3. Select the domain name for which you want to make the change and then click on it.
4. In the **Manage** box on the left, select **Manage DNS**.
5. At the bottom of the page, click **Add**.
    - In the first field, you can enter a subdomain name or leave it blank.
    - The TTL value can be selected in the second field; typically the default is 1 hour.
    - Select **DKIM** from the next drop-down list.
    - Set the desired values.
6. Then click **Save Changes**.