Using DKIM

On this page

DomainKeys Identified Mail (DKIM) is, in short, a way of creating a digital signature in an email. Manipulating the origin is a common technique used when phishing or sending spam to make the email look trustworthy to the recipient. The public key of the DKIM signature is published in a DNS record for the domain. This makes it possible for the recipient to know that it was the owner of the sending domain that also signed the email.

End-users will normally not see if an email has a DKIM signature. This is handled in the background by the email service. If the signature is not valid/exist the email will be rejected, put into a spam folder or marked as a potential fraud.

Use in the Curity Identity Server

The Curity Identity Server supports the use of DKIM and can sign outgoing emails.

Enabling DKIM is done per Email Provider and can only be configured when the type is smtp.

After enablement, DKIM is configured by setting which signing key should be used. The selector is the identifier for the public key for that domain. DKIM allows multiple signing keys for the same domain.

Setting up the DNS record

The public key and metadata are stored in a TXT DNS record. These records allow for free text, making them suitable for DKIM as well as other standards to prove domain ownership or just to provide additional data that should be associated with the domain.

The name of the record would be [selector] + ._domainkey. + [domain]. The result would be something like mail._domainkey.example.com.

The content of the record must contain at least the public key, but other options exist as well.

v=DKIM1; k=rsa; p=MIIBIjANBgkqhk...AB

Here the version (v) is DKIM1, the key type (k) is rsa and the public key (p) starts with MIIBI.


DKIM is supported by the Curity Identity Server and makes sure of the integrity of the email. DKIM is often combined with other techniques like Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) for additional email security. These measures are often required to let emails through spam filters.

DKIM allows for various options on what to sign. Refer to the product documentation for information about which parts are signed in the Curity Identity Server.

Join our Newsletter

Get the latest on identity management, API Security and authentication straight to your inbox.

Start Free Trial

Try the Curity Identity Server for Free. Get up and running in 10 minutes.

Start Free Trial

Was this helpful?