DKIM (DomainKeys Identified Mail)
Written by: Editorial Team
What is DKIM (DomainKeys Identified Mail)?
DomainKeys Identified Mail (DKIM) is an email authentication protocol designed to help prevent email spoofing and ensure that messages are not altered in transit. It allows the recipient of an email to verify that the message was sent by an authorized sender and that its contents have not been modified. DKIM uses cryptographic signatures to authenticate email messages, adding a layer of trust to email communication.
Email spoofing, a tactic often used in phishing and spam attacks, involves forging the sender's address to make an email appear as if it was sent from a legitimate source. DKIM mitigates this by enabling email servers to verify the authenticity of a message using a digital signature.
How DKIM Works
DKIM operates using a pair of cryptographic keys: a private key used to sign outgoing emails and a public key published via the sending domain’s DNS (Domain Name System) records. When an email is received, the recipient's mail server retrieves the public key from the DNS and verifies the signature against the email’s headers and body.
Step-by-Step Process
- Key Generation: The domain owner generates a public-private key pair. The private key remains securely stored on the sending mail server, while the public key is added to the DNS as a TXT record.
- Email Signing: When an email is sent, the sending mail server uses the private key to generate a unique DKIM signature. This signature is based on the email’s headers and, optionally, its body. The signature is included in the email's header under the DKIM-Signature field.
- DNS Lookup: When the recipient’s mail server receives the email, it extracts the signing domain (d=) and selector (s=) from the DKIM signature and performs a DNS lookup to retrieve the public key.
- Signature Verification: The recipient’s mail server uses the retrieved public key to verify the DKIM signature. If the signature is valid, it confirms that the message originated from an authorized server and that it was not altered in transit.
- Authentication Outcome: If the DKIM verification passes, the email is considered authenticated and is more likely to be delivered to the recipient's inbox. If the verification fails, the email may be marked as spam or rejected entirely, depending on the recipient's mail server policies.
DKIM-Signature Header Components
The DKIM-Signature header contains several important elements:
- v= Version of DKIM (typically "1").
- a= Algorithm used for signing, such as rsa-sha256.
- d= Domain name that signed the email.
- s= Selector used to retrieve the public key from DNS.
- h= List of headers included in the signature.
- bh= Body hash value, ensuring the email content has not changed.
- b= The actual digital signature.
An example DKIM-Signature header looks like this:
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1;
h=from:subject:date:message-id;
bh=xyz123abc=; b=MIIBIjANBgkqhkiG9...
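To make the verification steps and the header tags above concrete, here is an added example (not code from the original page) that parses a DKIM-Signature value, derives the DNS name the verifier queries from the d= and s= tags, canonicalizes the body as RFC 6376 describes, and checks the bh= tag. It assumes CRLF line endings and uses the c= tag (a real DKIM tag the page does not list) to pick the body canonicalization; the RSA signature in b= is not verified here, so the header value built in demo() carries a placeholder there.

```python
import base64
import hashlib
import re

def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list).
    Folding whitespace inside a value is dropped, as permitted for b= and bh=."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def public_key_dns_name(tags):
    """DNS name whose TXT record holds the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def canonicalize_body(body, mode="simple"):
    """Body canonicalization per RFC 6376 section 3.4 (CRLF line endings assumed):
    'simple' strips trailing empty lines; 'relaxed' also collapses whitespace runs."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body, mode="simple"):
    """The bh= value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body, mode)).digest()).decode()

def verify_body_hash(header_value, body):
    """Check bh= against the received body. The b= signature over the listed
    headers must additionally be verified with the public key fetched from DNS."""
    tags = parse_dkim_tags(header_value)
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256":
        return False
    canon = tags.get("c", "simple/simple").split("/")
    body_mode = canon[1] if len(canon) == 2 else "simple"
    return tags.get("bh") == body_hash(body, body_mode)

def demo():
    # Constructed sample body; the header is built from it with a placeholder b=.
    body = b"Hi team,\r\n\r\nThe invoice is attached.\r\n\r\n"
    header = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1; "
              "h=from:subject:date:message-id; bh=" + body_hash(body, "relaxed") + "; b=PLACEHOLDER")
    intact = verify_body_hash(header, body)                                        # True
    respaced = verify_body_hash(header, body.replace(b"Hi team,", b"Hi   team,"))   # True: relaxed
    footer_added = verify_body_hash(header, body + b"-- \r\nForwarded by gateway\r\n")  # False
    return intact, respaced, footer_added
```

The last case in demo() is the forwarding failure mode: a gateway that appends a footer changes the canonicalized body, so bh= no longer matches even though nothing else about the message was touched.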
DKIM Selectors
A DKIM selector is a label used to differentiate multiple DKIM keys for the same domain. This allows organizations to rotate keys without disrupting email authentication. The selector is specified in the s= tag of the DKIM signature and is included in the corresponding DNS TXT record.
For example, if an organization uses selector1, the public key would be stored in DNS as:
selector1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjAN..."
The recipient's mail server uses the selector to find the correct key for verification.
DKIM and SPF
Sender Policy Framework (SPF) is another email authentication mechanism that works alongside DKIM. While DKIM validates the integrity and authenticity of the message, SPF verifies that the sending server is authorized to send mail on behalf of the domain. SPF checks the sender’s IP address against the domain’s SPF record in DNS.
Using DKIM and SPF together enhances email security by preventing unauthorized senders from forging emails and ensuring message integrity.
DKIM and DMARC
Domain-based Message Authentication, Reporting, and Conformance (DMARC) builds upon DKIM and SPF by defining policies for email authentication failures. A DMARC policy tells recipient servers how to handle emails that fail DKIM or SPF checks.
A DMARC policy can be set to:
- None (p=none): No action is taken; failures are reported only.
- Quarantine (p=quarantine): Emails failing authentication are sent to spam/junk folders.
- Reject (p=reject): Emails failing authentication are outright rejected.
By implementing DKIM with DMARC, organizations can better protect their domain from phishing and spoofing attacks.
DKIM Limitations and Challenges
Despite its effectiveness, DKIM has some limitations:
- Does Not Authenticate the Sender’s IP Address: Unlike SPF, DKIM does not verify whether the sending server is authorized to send emails for a domain.
- Does Not Guarantee Inbox Placement: Passing DKIM does not ensure that an email will land in the recipient's inbox, as spam filters consider multiple factors.
- Requires Proper DNS Configuration: DKIM relies on DNS TXT records, and any misconfiguration can result in failed authentication.
- Email Forwarding Issues: Some email forwarding mechanisms may break DKIM signatures if they modify the message content.
- Key Rotation Management: Organizations must periodically rotate DKIM keys to maintain security, which adds administrative overhead.
Implementing DKIM
1. Generate DKIM Keys
Organizations can use tools like OpenSSL or their mail provider’s DKIM feature to generate a private-public key pair.
Example command using OpenSSL:
openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout -out public.key
2. Publish the Public Key in DNS
The public key is added to the DNS as a TXT record. The format typically looks like:
selector1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjAN..."
3. Configure the Mail Server
The mail server must be configured to sign outgoing emails using the private key. Most mail providers offer built-in DKIM signing options.
4. Test DKIM Configuration
Tools like DKIMCore, MXToolbox, and Google’s Postmaster Tools can help verify that DKIM is properly set up.
5. Monitor Authentication Results
DMARC reports can provide insights into how DKIM is performing and help detect unauthorized email activity.
DKIM in Practice
Many major email services, including Google, Microsoft, and Yahoo, require DKIM for email authentication. Without DKIM, emails may be marked as spam or rejected outright. Businesses and organizations sending large volumes of email, especially marketing emails and transactional notifications, must implement DKIM to maintain email deliverability.
The Bottom Line
DKIM is an essential email authentication protocol that helps verify message integrity and prevent email spoofing. It works by adding a cryptographic signature to emails, which can be verified using a public key stored in DNS. When combined with SPF and DMARC, DKIM strengthens email security, reduces spam, and improves email deliverability. Proper implementation and monitoring are necessary to ensure its effectiveness in real-world email communication.