Domain Keys Identified Mail and DomainKeys: Third in 3-Part Series on E-Mail Authentication - Page 2

Sender configuration options

There are a number of variables that must be considered when setting up DKIM for outbound e-mail. Most of these will be discussed in the documentation for your selected implementation, but we'll highlight a few here as well. There are four main choices to make:

1. What signing algorithm to use - Use the rsa-sha256 algorithm (an RSA signature over a SHA-256 hash) recommended by the DKIM specification.

2. What size signing key to use - Larger keys are harder to break, but they also make signing and verification slower. The specification recommends a key of at least 1,024 bits.

3. Which parts of your e-mail to sign - Follow the specification's recommendation on which headers to include in the signature: sign the headers you want to protect (for example, the To, Subject, From, Sender and Date headers) and do NOT sign headers that are likely to change during normal processing, since any change to a signed header invalidates the signature.

4. The name under which each key record is stored - Each key record's name includes a configurable prefix called a selector, which must be unique for each key. Selectors let a domain use different keys for distinct categories of e-mail (for example, marketing e-mail and corporate e-mail might be signed with different keys), and they also allow keys to be replaced periodically to limit the damage a compromised key can do.

A DKIM-Signature header conveys all of the above configuration choices, together with the signature value itself, to the receiver. Here's an example:


A corresponding key record might look like this:
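As an added example (not code from the article or from any particular DKIM implementation), the following Go program puts the four choices above into practice on constructed values: it generates an RSA key above the 1,024-bit floor, signs the From, To, Subject, Date and Sender headers of a constructed sample message with rsa-sha256, prints the resulting DKIM-Signature header together with the TXT key record a receiver would fetch from DNS, and then verifies the signature the way a receiver does. The domain `example.com`, the selector `mail2024`, the message and the key are all assumptions made for the demonstration; the canonicalization and signing steps follow RFC 6376, and a deployment would use a tested DKIM library rather than this code.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Constructed values (not from the article): signing domain, selector, and the headers
// chosen for protection, in h= order. X-Mailer is deliberately left out of h=.
const domain, selector = "example.com", "mail2024"

var signedHeaders = []string{"from", "to", "subject", "date", "sender"}

type header struct{ name, value string }

var sampleHeaders = []header{ // constructed sample message
	{"From", "Alice <alice@example.com>"}, {"To", "Bob <bob@example.net>"}, {"Sender", "alice@example.com"},
	{"Subject", "Quarterly report"}, {"Date", "Mon, 01 Jan 2024 10:00:00 +0000"}, {"X-Mailer", "demo-mua/1.0"},
}
const sampleBody = "Hello Bob,\r\nThe report is attached.\r\n\r\n"

var wsRe = regexp.MustCompile(`[ \t\r\n]+`)
var bRe = regexp.MustCompile(`(^|;)([ \t\r\n]*b=)[^;]*`) // the b= tag together with its value

// newKey generates an RSA signing key; 2048 bits clears the 1,024-bit floor the article cites.
func newKey(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }

// parseTags splits a "k=v; k=v" list (signature header or DNS record) into a map.
func parseTags(v string) map[string]string {
	m := map[string]string{}
	for _, t := range strings.Split(v, ";") {
		if kv := strings.SplitN(strings.TrimSpace(t), "=", 2); len(kv) == 2 {
			m[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
		}
	}
	return m
}

// relaxedHeader: "relaxed" header canonicalization (RFC 6376 3.4.2): lowercase the name,
// unfold, collapse whitespace runs to one space, trim, terminate with CRLF.
func relaxedHeader(name, value string) string {
	return strings.ToLower(name) + ":" + strings.TrimSpace(wsRe.ReplaceAllString(value, " ")) + "\r\n"
}

// bodyHash computes bh=: SHA-256 over the "simple"-canonicalized body (trailing empty
// lines dropped, exactly one final CRLF), base64-encoded.
func bodyHash(body string) string {
	b := strings.TrimRight(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	sum := sha256.Sum256([]byte(strings.ReplaceAll(b, "\n", "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// signatureInput is what is hashed and signed: each header named in h=, canonicalized in
// that order, then the DKIM-Signature header itself with an empty b= and no trailing CRLF.
func signatureInput(hdrs []header, dkim string) []byte {
	var sb strings.Builder
	for _, want := range strings.Split(parseTags(dkim)["h"], ":") {
		for _, h := range hdrs {
			if strings.EqualFold(h.name, strings.TrimSpace(want)) {
				sb.WriteString(relaxedHeader(h.name, h.value))
				break
			}
		}
	}
	sb.WriteString(strings.TrimSuffix(relaxedHeader("DKIM-Signature", dkim), "\r\n"))
	return []byte(sb.String())
}

// Sign builds the DKIM-Signature value with rsa-sha256 and relaxed/simple canonicalization.
func Sign(key *rsa.PrivateKey, hdrs []header, body string) (string, error) {
	unsigned := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(signedHeaders, ":"), bodyHash(body))
	digest := sha256.Sum256(signatureInput(hdrs, unsigned))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return unsigned + base64.StdEncoding.EncodeToString(sig), nil
}

// KeyRecord renders the TXT record a receiver looks up at <selector>._domainkey.<domain>.
func KeyRecord(key *rsa.PrivateKey) string {
	der, _ := x509.MarshalPKIXPublicKey(&key.PublicKey) // cannot fail for an *rsa.PublicKey
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// Verify re-derives the signed input from the received message and checks b= with the key
// from the record. bh= is compared first, so a changed body fails before any RSA work.
func Verify(record string, hdrs []header, body, dkim string) bool {
	der, err := base64.StdEncoding.DecodeString(parseTags(record)["p"])
	pub, err2 := x509.ParsePKIXPublicKey(der)
	sig, err3 := base64.StdEncoding.DecodeString(wsRe.ReplaceAllString(parseTags(dkim)["b"], ""))
	rsaPub, ok := pub.(*rsa.PublicKey)
	if err != nil || err2 != nil || err3 != nil || !ok || parseTags(dkim)["bh"] != bodyHash(body) {
		return false
	}
	digest := sha256.Sum256(signatureInput(hdrs, bRe.ReplaceAllString(dkim, "${1}${2}"))) // blank b=
	return rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	key, _ := newKey(2048)
	sig, err := Sign(key, sampleHeaders, sampleBody)
	fmt.Printf("%s._domainkey.%s TXT %q\nDKIM-Signature: %s\nverifies=%v err=%v\n", selector, domain,
		KeyRecord(key), sig, Verify(KeyRecord(key), sampleHeaders, sampleBody, sig), err)
}
```

Running it prints the key record and a signature whose h= tag names exactly the protected headers; X-Mailer, which is not listed, can change in transit without invalidating the signature, while editing any listed header or the body makes Verify return false. Rotating a key means publishing a second record under a new selector and switching s= in the signer, which is what choice 4 above makes possible.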