DKIM (DomainKeys Identified Mail)
What is DKIM?
DKIM, or DomainKeys Identified Mail, is an email authentication protocol that lets a receiving mail server check that a message was not altered in transit and that a named domain takes responsibility for it. The sending server adds a DKIM-Signature header to the message, computed over the body and a chosen set of headers with the domain's private key. On receipt, the recipient server fetches the matching public key from DNS and verifies the signature. If the signature verifies, the signed headers and the body are exactly what the signing domain sent.
What is the purpose of DKIM?
The primary purpose of the DKIM protocol is to protect the integrity of an email by giving receivers a way to detect tampering, but the benefits of DKIM are multi-layered. Here is how DKIM helps email senders.
Email integrity verification
The DKIM signature lets the receiver detect whether the message body or any of the signed headers was changed after signing. This verifies the integrity of the email received.
Sender verification
A DKIM signature carries the signing domain in its d= tag. A valid signature proves that whoever holds that domain's private key signed the message, so the receiver can attribute the message to that domain. DKIM on its own does not compare the d= domain with the From address; that alignment check is what DMARC adds on top of DKIM, and it is what stops a spoofer from signing with a domain they control while displaying the target's domain in From.
Better deliverability
Having DKIM in place helps your email pass spam filters, because a valid signature lets receivers tie the message to your domain's reputation instead of treating it as unauthenticated mail. It also lets you build that reputation over the long term. A combination of both these factors can improve your deliverability. A DKIM pass is not proof that a message is wanted, though: spammers sign their own mail too, so receivers treat it as identity, not as a clean bill of health.
How does DKIM work?
DKIM uses public-key cryptography: the sender signs the email, and the recipient server verifies the signature to determine whether the email was tampered with in transit. The private key, held only by the signing server, generates the signature; the matching public key, published in DNS, verifies it. Here's the process step-by-step.
The sender's end
- The sender decides which header fields to sign. The From header must always be signed (RFC 6376 requires it); To, Subject, Date and Message-ID are usually included as well. The body is always covered.
- The body is canonicalized (normalized according to the c= setting) and hashed; that hash becomes the bh= tag. A second hash is then computed over the canonicalized signed headers together with the DKIM-Signature header itself, with its b= value still empty.
- The signing server (the sender's own MTA or its ESP) holds the private key. It signs the header hash with that key, typically using rsa-sha256 or ed25519-sha256.
- The base64 signature goes into the b= tag, and the completed DKIM-Signature header is added to the message.
- The email is then sent.
The receiver's end
A DKIM signature looks like this:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=dkim1; i=@example.com; t=1678886400; x=1679491200; bh=r4vUjJ8uH3yF2+wE1f3Jqg4j5k0K5q8O4m2+vM5w0=; h=From:To:Subject:Date:Message-ID:List-ID; b=R6wzWqI2Xp3Tj8P6q5Y9Jq1k7oQ8m2e5P4r6U0w=
The tags mean: v= the DKIM version; a= the signing algorithm; c= the canonicalization for headers/body (relaxed tolerates whitespace and header-name case changes, simple tolerates almost none); d= the signing domain; s= the selector, which names the key under that domain; i= the agent or user identifier on whose behalf the message was signed (optional); t= the signing time and x= the expiry time, both absolute Unix timestamps (a signature whose x= is in the past fails verification); bh= the base64 body hash; h= the list of signed headers; b= the base64 signature itself. The bh= and b= values shown are shortened placeholders; real SHA-256 and RSA values are longer.
- On receiving the email, the recipient server reads the d= (domain) and s= (selector) tags and fetches the public key from the DNS TXT record at <selector>._domainkey.<domain> (here dkim1._domainkey.example.com).
- It canonicalizes the received body as c= specifies, hashes it, and compares the result with bh=. A mismatch means the body changed after signing, and the check fails before any signature math is done.
- The h= tag lists which headers were signed. The server canonicalizes those headers from the received message, appends the received DKIM-Signature header with its b= value emptied, and hashes the result.
- It then verifies the b= signature over that hash with the public key from DNS. (This is often described as "decrypting the signature to recover the original hash"; for RSA that is a fair picture of what happens inside the verification, but the operation is a signature check, not decryption, and it is what an Ed25519 signer does too.)
- If the body hash matches and the signature verifies, the signed headers and the body are as the signing domain sent them. Any change to a signed header or to the body beyond what the canonicalization ignores makes the check fail. Two caveats matter in practice: relaxed canonicalization deliberately tolerates whitespace changes, so a mailing list or gateway that reflows spaces does not break the signature; and DKIM only covers the headers listed in h=, so an unsigned header can be altered or added freely, which is why From must be signed and why signers often list a header twice in h= to prevent a second copy being added later.
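A working sign-and-verify round trip covering both the sender's and the receiver's steps above, written for this page as an added example (it is not code from the original article or from any ESP's product) and using only the Go standard library. The in-memory dns map stands in for the TXT lookup; example.com, the selector dkim1, the sample message and the Header and Message types are all constructed for the example. It implements c=relaxed/relaxed canonicalization and a=rsa-sha256 as in the sample header; simple canonicalization, ed25519-sha256 and the t=/x= timestamp checks are left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)
type Header struct{ Name, Value string } // Header and Message are illustrative types, not a real MTA's API
type Message struct{ Headers []Header; Body string }
var wsp, bTag = regexp.MustCompile(`[ \t]+`), regexp.MustCompile(`(^|;)(\s*)b=[^;]*`) // bTag: the b= tag (not bh=) and its value
// relaxedHeader: RFC 6376 "relaxed" header canonicalization (lowercase name, WSP runs to one SP, none around the colon or trailing).
func relaxedHeader(name, value string) string {
	return strings.ToLower(strings.TrimSpace(name)) + ":" + strings.Join(strings.Fields(value), " ")
}
// relaxedBody: "relaxed" body canonicalization (WSP runs to one SP, trailing WSP and trailing empty lines removed, CRLF endings).
func relaxedBody(body string) string {
	lines := strings.Split(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	for i, l := range lines {
		lines[i] = strings.TrimRight(wsp.ReplaceAllString(l, " "), " ")
	}
	if out := strings.TrimRight(strings.Join(lines, "\r\n"), "\r\n"); out != "" {
		return out + "\r\n"
	}
	return ""
}
// bodyHash is the bh= tag value: base64(SHA-256(canonicalized body)).
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(relaxedBody(body)))
	return base64.StdEncoding.EncodeToString(sum[:])
}
// headerDigest hashes each header named in h= (last instance, as RFC 6376 selects them), then the DKIM-Signature header itself with b= emptied and no trailing CRLF.
func headerDigest(m Message, hList, sigValue string) []byte {
	h := sha256.New()
	for _, name := range strings.Split(hList, ":") {
		for i := len(m.Headers) - 1; i >= 0; i-- {
			if strings.EqualFold(m.Headers[i].Name, name) {
				h.Write([]byte(relaxedHeader(name, m.Headers[i].Value) + "\r\n"))
				break
			}
		}
	}
	h.Write([]byte(relaxedHeader("DKIM-Signature", bTag.ReplaceAllString(sigValue, "${1}${2}b="))))
	return h.Sum(nil)
}
// parseTags splits a "k=v; k=v" tag list (signature header or DNS key record), dropping folding whitespace inside values.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[k] = strings.Join(strings.Fields(v), "")
		}
	}
	return tags
}
// Sign produces the DKIM-Signature header value (the sender's end).
func Sign(m Message, key *rsa.PrivateKey, domain, selector, hList string) (string, error) {
	sig := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; h=%s; bh=%s; b=", domain, selector, hList, bodyHash(m.Body))
	b, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, headerDigest(m, hList, sig))
	return sig + base64.StdEncoding.EncodeToString(b), err
}
// Verify checks a DKIM-Signature header value against the message (the receiver's end); dns stands in for the TXT lookup of <s>._domainkey.<d>.
func Verify(m Message, sigValue string, dns map[string]string) error {
	t := parseTags(sigValue)
	der, _ := base64.StdEncoding.DecodeString(parseTags(dns[t["s"]+"._domainkey."+t["d"]])["p"])
	pub, err := x509.ParsePKIXPublicKey(der) // fails on a missing or malformed p= tag
	rsaPub, ok := pub.(*rsa.PublicKey)
	switch sig, _ := base64.StdEncoding.DecodeString(t["b"]); {
	case t["v"] != "1" || t["a"] != "rsa-sha256" || err != nil || !ok:
		return fmt.Errorf("unsupported signature (v=%s a=%s) or no usable RSA key at %s._domainkey.%s", t["v"], t["a"], t["s"], t["d"])
	case bodyHash(m.Body) != t["bh"]:
		return fmt.Errorf("bh= mismatch: body changed after signing")
	case rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, headerDigest(m, t["h"], sigValue), sig) != nil:
		return fmt.Errorf("b= does not verify: a signed header changed, or wrong key")
	}
	return nil
}
// fixture returns a fresh signing key, the constructed DNS record its public half would be published in, and a constructed sample message (example.com and dkim1 are illustrative).
func fixture() (*rsa.PrivateKey, map[string]string, Message) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	der, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	dns := map[string]string{"dkim1._domainkey.example.com": "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)}
	msg := Message{Headers: []Header{{"From", "Alice <alice@example.com>"}, {"To", "bob@example.net"}, {"Subject", "Invoice for March"}}, Body: "Hi Bob,\r\n\r\nPlease pay invoice 42 to account 1234.\r\n"}
	return key, dns, msg
}
func main() {
	key, dns, msg := fixture()
	sig, _ := Sign(msg, key, "example.com", "dkim1", "From:To:Subject")
	fmt.Println("DKIM-Signature:", sig, "\nunmodified:", Verify(msg, sig, dns))
	msg.Body = strings.Replace(msg.Body, "1234", "9999", 1)
	fmt.Println("body edited:", Verify(msg, sig, dns))
}
```

Run it with go run: the unmodified message verifies, and the edited body fails on bh= before any signature check; a change to a signed header instead fails on b=. Because c=relaxed/relaxed is used, a change that only alters whitespace in the body still verifies, which is the intended tolerance for mailing-list and gateway reformatting rather than a weakness. The DNS record is only fetched and parsed inside Verify, so a wrong selector or an unpublished key fails in the same way it would in production: no key, no pass.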