Domain Keys Identified Mail (DKIM) is a method of email authentication that cryptographically verifies that an email has been sent by trusted servers and has not been tampered with.
This article explains what DKIM and CNAME are, before describing the steps you should follow if the DKIM check fails when you try to add CNAME records to your custom domain in ProtonMail.
How does DKIM work?
When a server sends an email for your domain, it will calculate an encrypted hash of the email contents using a private key (that only trusted servers know) and add it to the email headers as a DKIM signature.
The receiving server will verify the email contents by looking up the corresponding public key in your domain’s DNS records, decrypting the encrypted hash, and calculating a new hash based on the email contents it received to see if the decrypted hash matches the new hash. If there is a match, then the email must not have changed, and so DKIM passes. Otherwise, DKIM fails and the email is treated with suspicion.
What are CNAME records?
We recommend ProtonMail users to add three Anti-spoofing records: SPF, DKIM, and DMARC. We use CNAME records to manage automatic DKIM key rotation, which is an accepted security best practice. This ensures there is always an active key used to provide an uninterrupted service while the other keys are automatically retired and recreated on a regular basis for improved security.
Please see Introducing DKIM key management for a more detailed look at this subject.
The CNAME records you add to your domains’ DNS settings must be an exact match with the ones shown in your setup wizard. Once we detect these records in your domain’s DNS settings, the icon for the DKIM tab on the Edit domain setup page will turn green. We will then notify you and start signing outgoing emails from your custom domain with DKIM, just like we do for other ProtonMail addresses.
What to do if the DKIM check fails
There are three possible reasons the DKIM check could fail:
1. You have entered an incorrect CNAME value into your domain’s DNS settings.
This is unlikely if you copy and pasted the values from our Edit domain setup page, but it’s always worth checking. Go to Settings -> Overview -> Manage account (in sidebar to right of page) -> Organization -> Custom domains -> Actions -> Review button -> DKIM tab to see the required values.
The CNAME records you add to your domains’ DNS settings must be an exact match with the ones shown in your setup wizard.
2. Some registrars do not accept CNAME values with a period at the end.
While others require it. If your registrar does not accept your CNAME records with a period at the end, please delete the period at the end of each CNAME value and try again.
3. You have an existing DKIM as TXT record that must be deleted.
If you have previously configured manual DKIM key rotation for your domain using a TXT record, you need to remove this record from the DNS settings before entering the CNAME records. You need to reconfigure your DNS settings with CNAME records because they allow ProtonMail to set up automatic key rotation, while your current TXT record does not.
Once you have deleted this TXT record, you can follow the instructions for new users. DKIM will stop signing your emails once you delete the TXT record. To maintain DKIM protection, you should enter your CNAME Host Names and values into your DNS settings immediately.
We strongly advise everyone who currently uses manual DKIM key rotation to upgrade to the new automatic key rotation system. Not only will this remove the need for you to rotate your keys manually, but it will also automatically upgrade your key strength if you are using 1024-bit keys.