DKIM (DomainKeys Identified Mail) Explained: Definition and Significance

DKIM, which stands for DomainKeys Identified Mail, is a digital solution for organizations to provide trustworthiness of their communications with their staff members, customers or partners. It is achieved by appending a digital signature to the message header to comfirm that the message was sent by a ligitimate source and has not been altered in transit. The signature is then validated in DNS (Domain Name System) by the receiving mail server. The sender should keep a record with the public key in DNS, which allows the receiving mail server to confirm the legitimacy of the message using the key and deliver it seamlessly to the recipient's inbox. This way, the process of email transit becomes reliable and secure. Thus, DKIM becomes a solid protection against email spoofing, phishing and spam.

DKIM Signature: What It Means and What It Looks Like

A DKIM signature is a cryptographic string of characters that is attached to the header of an email message. It is generated using the sender's private key and is verified by the receiving mail server using the sender's public key stored in the DNS record.

Its purpose is to ensure the integrity of the message and to verify that it has not been tampered with during transit. The recipient's server checks the signature containing the information about the domain name, and other data and matches it with the public key. In case of the match, it proves to be valid, which means that the email has not been altered and that it was indeed sent by the claimed domain.

How Is a DKIM Signature Generated?

The process of generating a cryptographic signature includes several steps:

  1. First, the sender's mail service creates a cryptographic hash of email content including the message body, headers, and attachments.
  2. Then, the service encrypts the hash using the sender's private key to create a DKIM signature.
  3. Finally, it is attached to the email header as a specific field, along with other DKIM-related information.

What Does a DKIM Signature Look Like?

A digital signature is a long string of characters that is typically represented as a series of alphanumeric characters and special symbols. It appears as a distinct field within the email header and is enclosed in angle brackets (< >) to differentiate it from other header fields. It contains various parameters and values.

Here is a sample model structure of the signature:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1;
bh=abcdef1234567890; b=ZYXWVUTSRQPONMLKJIHGFEDCBA9876543210;

In this example:

DKIM signature example.
TagTag descriptionPossible values
v version of DKIM being used version 1
a algorithm being used to create hash rsa-sha256
c canonicalization method used
for the message body and headers
simple (doesn't allow any changes in the email header or body)
or relaxed (allows for minor changes in adjusting whitespaces,
header lines, header fields etc.)
In our example, it's relaxed/relaxed
s selector, which is a unique identifier
for the specific DKIM key record
(associated with the domain)
h lists the headers included in the
signature calculation
In our example, it includes From, To, Subject, Date,
MIME-Version, and Content-Type
bh represents the hash value of the email's
relevant components
(body, headers, etc.)
abcdef1234567890 as an example
b contains the encrypted hash value, generated
using the sender's private key
(the signature itself)
In our case, it is ZYXWVUTSRQPONMLKJIHGFEDCBA9876543210


DKIM record: Introduction, Components and Check

To apply DKIM, organizations need to generate and register its record in DNS. It is a TXT record containing all-important information about the settings for a particular domain, including the sender's public key. By means of a DNS record check, the receiving mail server can easily validate the authenticity of the incoming messages.

Here is a DKIM record example and the breakdown of the components: IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCX5lG3Wgs7kG4zZyfO0QrXYrKTB9ZM3d7Ua0lr5W6ZG3nS9pOkfGm7dTyJqDDK0zzc7UTQpjxKuY5HxRCc8D0nIjTF0cHKfB2EnH0fl2xu/1tORcPl2sqrDF7Hwti+jHDjbyXMbDVo9KkSNps/8crTouOmrTqgZ+PbLwIDAQAB"
DKIM record example.
Tag valueInterpretation
v=DKIM1 specifies the version being used,
which is version 1
k=rsa indicates that the encryption algorithm
used for the signature is RSA
This is the public key associated with
the signature. It is the part used
by recipients to verify the signature
of the incoming emails.

DKIM Authentication Process

When an email is sent with DKIM enabled, the sending service attaches a digital signature to the message header. The signature includes encrypted values of message parts, such as body, headers, and attachments. To verify the DKIM signature, recipients can perform a series of steps:

  1. Retrieve the sender's DKIM record from the DNS.
  2. Extract the public key from the record.
  3. Calculate the signature by hashing the relevant email components.
  4. Compare the calculated signature with the one in the email header.
  5. If the signatures match, the email passes DKIM verification.
DKIM signature verification processLayer 1 mail service public key sender's signature verification with public key recipient's email server DNS server ------- VERIFIED authentication failed the message is rejected ------- recipient's email service mail service an email with DKIM signature in its header mail service sender's email service

As a result of successful signature verification, recipients can be sure of the authenticity and integrity of the email, mitigating the chances of phishing attacks and email forgery.

However, in case of verification failure, the possible scenarios for an email can be as follows:

  • the message can be marked as spam when its legitimacy can not be confirmed;
  • quarantined or blocked: this is often done to protect users from potential phishing attempts or forged emails;
  • redirected to junk instead of the recipient's inbox;
  • display warning or flag: this alerts the recipient to exercise caution and suggests that the message's authenticity is questionable.

The exact consequences of verification failure can vary based on the policies established by an email service provider and the recipient's individual settings. It's important to note that a failed DKIM verification may result in a diminished reputation for the sender, reduced deliverability rates, and a higher likelihood of the message being treated as suspicious or potentially harmful.

Combination of DKIM, SPF, and DMARC to Enhance Email Security

The use of DKIM significantly increases chances to avoid potential actions of malicious character over emails, contributes to smooth and successful communication. To enhance email security there are two more mechanisms applied safeguarding online communication - SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting & Conformance).

To protect its reputation and ensure the deliverability of its emails, an organization can provide an SPF record in DNS with the list of authorized domain names and IP addresses. By checking this record the recipient's server will verify the authenticity of the message source. An SPF record provides additional data protection by confirming the legitimacy of the sender.

DMARC is a policy for such authentication mechanisms as mentioned above which defines the rules of emails identification and determines further actions on suspicious messages with possible scenarios described above.

Overall, DKIM plays a vital role in ensuring the trustworthiness, integrity, and security of email communications. By implementing DKIM alongside SPF and DMARC, organizations can significantly reduce the risks posed by malicious activities, enhancing the protection of their email ecosystem.

Frequently asked questions

Other Questions Related to DKIM

How can I generate a DKIM key?

An easy way to do this is to use various tools and services available online. These tools help generate cryptographic keys — a private key created for signing outgoing messages and a public key for signature verification by a recipient.

How does DKIM authentication enhance email security?

The security of your online communication is achieved by providing recipients with a means to verify the authenticity of incoming messages. It helps prevent email forgery, phishing attacks, and tampering, thereby increasing trust and reducing the risk of malicious activities.

How can I verify the DKIM signature of an email?

To verify the digital signature of an email, you need to retrieve the sender's DKIM record from the DNS. Extract the public key from it and calculate the signature using the relevant message components. Compare the calculated signature with the one in the message header. If the signatures match, the DKIM signature is valid.

See also:

Consider the possibility of tracing the route that a message passes through on its way to a recipient. This will help you understand complex processes of email transmission and keep safe from unwanted or junk mail. Our Email Headers Analyzer makes this manipulation simple but informative. It allows to trace and display the list of servers involved in the process of transmission with their IP addresses and domain names, and gather as much additional information as possible.