DKIM Explained

What is DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication standard that lets domain owners digitally sign the emails they send. When an outgoing email carries a DKIM signature, a receiving mail server can verify that the email was sent by a sender authorized for that domain and that its signed content was not altered in transit. This helps to prevent email spoofing and phishing attacks.

DKIM Record

DKIM records are published as TXT records in your domain's DNS under a selector, and each signing key gets its own selector. As an example, this is the record for the selector google belonging to example.com, published at google._domainkey.example.com:

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvtmKI514qtdqioxRnnONfX6aeDtepubwJP+nwuvNjnw8JRrVXqxaBpiQxN0Ngqm3Tr4fPkEVMdySnQX5mTMo/hUTQXAKromYgf1N2SnYy8EpA6I32ADoPDRSRl6R/3oqB+NlET2dGwU7cBHABBLBp+N2j8TVYPbi9Vw2OogClpBFDU8I3hIXz5L2gKM3fuDl8kGLS1P8pVbCTgq11IwBWLd47KEEWI3dH8Cva5hZcBsmRGoB80pySex5tee7DYVA/QFAuHGXAcnhfenMkAZlrPdlxVaUcUveFJqnkAEL7Bv5bSGQu8WrVsfXg6ifR2Hdk4DOuXZcYZNoG1RIINeezwIDAQAB

The above DKIM record specifies the version (v=DKIM1), key type (k=rsa), and the public key (p=...) used to verify the DKIM signature.

How DKIM Works

  1. Install DKIM: Any email server that wants to send signed emails on behalf of your domain needs to have DKIM signing enabled. The server generates a public/private keypair and gives you the public key to publish in your DNS as a DKIM record.
  2. Sign Emails: When an email is sent from a domain with DKIM configured, the sending mail server computes a DKIM signature over the message (selected headers plus a hash of the body) using the private key. This signature is added to the email header as a DKIM-Signature field.
  3. Verify Signature: When the receiving mail server gets the email, it checks for the DKIM-Signature header. It retrieves the public key from the sender's DNS DKIM record using the selector specified in the signature. The server then uses this public key to verify the DKIM signature. If the signature is valid, it confirms that the email was sent by an authorized sender and that the content has not been altered.
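The round trip described in the three steps above, together with the record format from the DKIM Record section, as an added Go example that is not part of this page and not the code of any mail server: it generates a keypair, builds the v=DKIM1 TXT value, signs a constructed message, and then verifies it the way a receiver would, including the check that a tampered body fails. The example uses only the Go standard library and makes several simplifying assumptions: simple/simple canonicalization only, the signed headers are passed in explicitly rather than selected from a full message, and the DNS TXT lookup is replaced by an in-memory map. The selector google and the domain example.com are reused from the page; the message headers, body and mailbox names are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// parseTags splits a DKIM tag=value list (DNS record or DKIM-Signature value) into a map.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			// Whitespace inside a value is dropped: DKIM allows folding in base64 tags.
			tags[strings.TrimSpace(kv[0])] = strings.Join(strings.Fields(kv[1]), "")
		}
	}
	return tags
}

// dkimRecord builds the TXT value for <selector>._domainkey.<domain>: the public key as base64 DER.
func dkimRecord(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an *rsa.PublicKey
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// canonBody applies "simple" body canonicalization: CRLF line endings, one CRLF at the end.
func canonBody(body string) string {
	crlf := strings.ReplaceAll(strings.ReplaceAll(body, "\r\n", "\n"), "\n", "\r\n")
	return strings.TrimRight(crlf, "\r\n") + "\r\n"
}

// headerHash hashes the covered headers, then the DKIM-Signature header with an empty b= tag.
func headerHash(headers []string, sigValue string) []byte {
	sum := sha256.Sum256([]byte(strings.Join(headers, "\r\n") + "\r\nDKIM-Signature: " + sigValue))
	return sum[:]
}

// signMessage is the sending server's step: it returns the DKIM-Signature header value.
func signMessage(priv *rsa.PrivateKey, domain, selector string, headers []string, body string) (string, error) {
	bh := sha256.Sum256([]byte(canonBody(body)))
	names := make([]string, len(headers))
	for i, hdr := range headers {
		names[i] = strings.ToLower(strings.SplitN(hdr, ":", 2)[0])
	}
	sig := fmt.Sprintf("v=1; a=rsa-sha256; c=simple/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(names, ":"), base64.StdEncoding.EncodeToString(bh[:]))
	b, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerHash(headers, sig))
	if err != nil {
		return "", err
	}
	return sig + base64.StdEncoding.EncodeToString(b), nil
}

// verifyMessage is the receiving server's step; dns stands in for the TXT lookup (name -> record).
func verifyMessage(dns map[string]string, headers []string, sigHeader, body string) error {
	tags := parseTags(sigHeader)
	rtags := parseTags(dns[tags["s"]+"._domainkey."+tags["d"]])
	if tags["v"] != "1" || tags["a"] != "rsa-sha256" || rtags["v"] != "DKIM1" {
		return fmt.Errorf("unsupported signature, or no DKIM1 record for selector %q", tags["s"])
	}
	der, _ := base64.StdEncoding.DecodeString(rtags["p"]) // a malformed p= fails the parse below
	key, _ := x509.ParsePKIXPublicKey(der)
	pub, ok := key.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("p= is not a valid RSA public key")
	}
	bh := sha256.Sum256([]byte(canonBody(body))) // body hash first: cheap, and it catches edits
	if base64.StdEncoding.EncodeToString(bh[:]) != tags["bh"] {
		return fmt.Errorf("body hash mismatch: body was altered in transit")
	}
	sigBytes, _ := base64.StdEncoding.DecodeString(tags["b"]) // a malformed b= fails verification
	unsigned := sigHeader[:strings.Index(sigHeader, "; b=")+4]  // drop the b= value, keep the tag
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerHash(headers, unsigned), sigBytes) != nil {
		return fmt.Errorf("signature invalid: headers altered or key does not match record")
	}
	return nil
}

// demo signs a constructed message and verifies it twice: untouched, then with an edited body.
func demo() (original, tampered error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err, err
	}
	dns := map[string]string{"google._domainkey.example.com": dkimRecord(&priv.PublicKey)}
	headers := []string{"From: alice@example.com", "To: bob@example.net", "Subject: Quarterly report"}
	body := "Please find the report attached.\n"
	sig, err := signMessage(priv, "example.com", "google", headers, body)
	if err != nil {
		return err, err
	}
	return verifyMessage(dns, headers, sig, body),
		verifyMessage(dns, headers, sig, body+"Send the funds today.\n")
}
```

Calling demo() returns a nil error for the untouched message and a "body hash mismatch" error for the edited one. Note the order of checks in verifyMessage: the body hash (bh=) is compared before any RSA work, so an altered body is rejected cheaply, and only a message whose body is intact gets as far as the signature check over the headers.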