DKIM (DomainKeys Identified Mail, RFC 6376) is an email authentication protocol that lets a domain take responsibility for a message by signing it. A receiver that validates the signature learns two things: the signing domain really handled the message, and the signed headers and the body were not altered in transit.
DKIM allows a sender's email server to digitally sign outgoing emails using a private key. The recipient's email server retrieves the matching public key from the signing domain's DNS and uses it to verify the signature.
On its own, DKIM does not check the "From" header: a message can carry a valid signature from any domain named in the signature's d= tag. Requiring that the signing domain match (align with) the From domain is DMARC's job, which is why DKIM is normally deployed together with DMARC.
How it works
- Key Generation:
- The domain owner generates a key pair: a private key (kept secure on the email server) and a public key (published in the sender domain’s DNS).
- Signing Outgoing Emails:
- When an email is sent, the signing server selects specific headers (From, To, Subject, Date and so on) and the body of the email, and normalizes them with the chosen canonicalization (simple or relaxed) so that harmless changes such as whitespace differences do not break the signature.
- It hashes the canonicalized body (this becomes the bh= value), then signs a hash over the canonicalized selected headers together with the DKIM-Signature header itself (with an empty b= value) using the private key. The result is added to the email as the b= value of the DKIM-Signature header.
- Public Key Lookup:
- When the email is received by the recipient’s mail server, it looks for the DKIM-Signature header.
- The recipient’s server extracts the selector and domain from the signature.
- The recipient’s server uses the selector and domain to query the sender’s DNS records for the public key.
- Verification:
- The recipient's server canonicalizes the body the same way, hashes it and compares the result with the bh= tag; a mismatch (commonly caused by a mailing list or gateway appending a footer) fails the check immediately.
- It then canonicalizes the headers listed in h= plus the DKIM-Signature header with its b= value removed, and verifies the b= signature over that data with the public key. If both checks pass, the signing domain is confirmed to have vouched for the message in exactly this form.
- Most email platforms (e.g., Google Workspace, Microsoft 365, SendGrid) will provide a way to generate a DKIM key pair.
- This includes:
- Private key: Stored on your email server/email sending platform, used to sign outgoing emails.
- Public key: Published on the sender domain's DNS records
- You need to publish the public key in your DNS as a TXT record whose value looks like v=DKIM1; k=rsa; p=<base64-encoded public key>. The p= value is the DER-encoded SubjectPublicKeyInfo in base64, not the contents of a PEM file.
- The record lives at selector._domainkey.yourdomain.com, so the full name depends on the selector you chose (for example selector1._domainkey.yourdomain.com).
- The selector (the s= tag in the signature) tells recipient mail servers which record under _domainkey to fetch; publishing each new key under a fresh selector lets you rotate keys without an outage.
- A passing signature tells the receiver that the signing domain vouches for the message; a failing one does not by itself mean rejection, but it counts against the message in spam scoring and in DMARC evaluation.
- After setting up DKIM, you can use DKIM lookup tools to verify your DKIM records and ensure they are working correctly.
A typical DKIM-Signature header looks like this (the bh= and b= values are shortened placeholders; real ones are long base64 strings):
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
s=selector1; h=from:to:subject:date; bh=abc123=; b=xyz456=
v=1 - Version (always 1)
a= - Signing algorithm: rsa-sha256, or ed25519-sha256 on newer deployments (rsa-sha1 is obsolete)
c= - Canonicalization for headers/body, each either simple or relaxed (relaxed tolerates whitespace changes)
d= - Domain signing the message; both the DNS lookup and DMARC alignment use this value
s= - Selector; the public key is fetched from s._domainkey.d (here selector1._domainkey.example.com)
h= - Ordered list of headers covered by the signature; headers not listed can be added or altered without breaking it, so From and Subject should always be included
bh= - SHA-256 hash of the canonicalized body (base64 encoded)
b= - The signature itself (base64 encoded), computed over the h= headers and the DKIM-Signature header with b= empty
t= - Signature timestamp, seconds since the Unix epoch (optional)
x= - Signature expiration (optional); verifiers may treat an expired signature as failed
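The signing, publishing and verification steps above and the header tags just listed, worked end to end in Python as an added example (not code from the original page). It uses only the standard library: the RSA key pair is a deliberately toy one built from two Mersenne primes so that the script runs offline without a crypto library; such a key is trivially factored, and a real deployment uses a 2048-bit key generated by openssl or the mail platform. The message, the domain example.com and the selector selector1 are constructed for the example, and the DNS fetch of s._domainkey.d is replaced by the key the script already holds. Three verification runs show a clean pass, the "body hash did not verify" failure that a footer appended in transit produces, and a forged Subject caught by the signature check.

```python
"""DKIM rsa-sha256 with relaxed/relaxed canonicalization, standard library only: sign a message,
build the DNS record, verify.  TOY RSA key from two Mersenne primes so this runs offline; it is
trivially factored, never use it for real mail.  Message, domain and selector are constructed."""
import base64, hashlib, re

P, Q = 2**521 - 1, 2**607 - 1                  # toy primes M521 and M607
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8                  # modulus length in bytes (141)
DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 DigestInfo prefix

def _emsa(digest):                             # PKCS#1 v1.5 encoding (RFC 8017 9.2)
    t = DIGESTINFO + digest
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def rsa_sign(digest):
    return pow(int.from_bytes(_emsa(digest), "big"), D, N).to_bytes(K, "big")

def rsa_verify(digest, sig):
    return len(sig) == K and pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big") == _emsa(digest)

def _der(tag, body):                           # minimal DER TLV encoder
    ln, lb = len(body), (len(body).bit_length() + 7) // 8
    length = bytes([ln]) if ln < 128 else bytes([0x80 | lb]) + ln.to_bytes(lb, "big")
    return bytes([tag]) + length + body

def dns_record(selector, domain):              # TXT record to publish; p= is base64 DER SPKI, not PEM
    ints = b"".join(_der(0x02, x.to_bytes((x.bit_length() + 8) // 8, "big")) for x in (N, E))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    spki = _der(0x30, alg + _der(0x03, b"\x00" + _der(0x30, ints)))
    return f"{selector}._domainkey.{domain}", "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

def relaxed_header(name, value):               # RFC 6376 3.4.2: unfold, collapse WSP, lowercase name
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip()
    return f"{name.lower().strip()}:{value}\r\n"

def relaxed_body(body):                        # RFC 6376 3.4.4: trim line WSP, drop trailing empty lines
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip() for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)

def split_message(raw):                        # CRLF message -> ([name, value] headers, body)
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line and line[0] in " \t":          # continuation of a folded header
            headers[-1][1] += "\r\n" + line
        else:
            name, _, value = line.partition(":")
            headers.append([name, value])
    return headers, body

def _signed_headers(headers, names):           # h=: last instance of each listed name; absent names skipped
    last = {name.lower(): [name, value] for name, value in headers}  # later instances overwrite earlier
    return [last[n.lower()] for n in names if n.lower() in last]

def _body_hash(body):
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()

def dkim_sign(raw, domain, selector, h=("from", "to", "subject", "date")):
    headers, body = split_message(raw)
    unsigned = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
                f"h={':'.join(h)}; bh={_body_hash(body)}; b=")
    data = "".join(relaxed_header(n, v) for n, v in _signed_headers(headers, h))
    data += relaxed_header("DKIM-Signature", unsigned).rstrip("\r\n")  # own header, b= empty, no CRLF
    sig = rsa_sign(hashlib.sha256(data.encode()).digest())
    return f"DKIM-Signature: {unsigned}{base64.b64encode(sig).decode()}\r\n" + raw

def dkim_verify(raw):                          # -> (ok, reason); body hash first, then header signature
    headers, body = split_message(raw)
    sig_hdr = next((v for n, v in headers if n.lower() == "dkim-signature"), None)
    if sig_hdr is None:
        return False, "no DKIM-Signature header"
    tags = {k: re.sub(r"\s+", "", v) for k, v in re.findall(r"(\w+)=([^;]*)", sig_hdr)}
    if _body_hash(body) != tags["bh"]:
        return False, "body hash did not verify"  # typical cause: footer added in transit
    data = "".join(relaxed_header(n, v) for n, v in _signed_headers(headers, tags["h"].split(":")))
    data += relaxed_header("DKIM-Signature", re.sub(r"(^|[;\s])b=[^;]*", r"\1b=", sig_hdr)).rstrip("\r\n")
    # A real verifier fetches the key from f"{tags['s']}._domainkey.{tags['d']}" (TXT) at this point.
    ok = rsa_verify(hashlib.sha256(data.encode()).digest(), base64.b64decode(tags["b"]))
    return ok, "pass" if ok else "signature did not verify"

MESSAGE = ("From: Alice <alice@example.com>\r\nTo: bob@example.net\r\n"  # constructed sample message
           "Subject: Quarterly report\r\nDate: Mon, 1 Jan 2024 09:00:00 +0000\r\n\r\n"
           "The numbers are attached.\r\n")

def demo():
    signed = dkim_sign(MESSAGE, "example.com", "selector1")
    name, record = dns_record("selector1", "example.com")
    return {"dns_name": name, "record": record, "original": dkim_verify(signed),
            "tampered_body": dkim_verify(signed.replace("attached.", "attached. Wire the funds today.")),
            "forged_subject": dkim_verify(signed.replace("Quarterly report", "Urgent: invoice"))}

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Run it directly to print the DNS name, the TXT value and the three verification results. The order inside dkim_verify (body hash before signature) follows RFC 6376, which is why a footer appended by a mailing list reports "body hash did not verify" rather than a signature failure, and why relaxed canonicalization does not help once content, not just whitespace, has changed.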
Free Tools to Look Up and Validate DKIM Records
Why is DKIM Essential
- Email Deliverability: Major mailbox providers weigh DKIM heavily when filtering, and Google and Yahoo now require it from bulk senders; unsigned mail is far more likely to land in spam or be rejected outright.
- Security: Combined with DMARC, DKIM stops unauthorized parties from sending mail that passes as your domain, helping protect against phishing and business email compromise (BEC). It also lets receivers detect messages that were altered after signing.
- DMARC Enforcement: DMARC passes only if SPF or DKIM passes with a domain aligned to the From header. DKIM is the check that survives forwarding, because the signature travels with the message while the IP address that SPF checks changes, so it is necessary for enforcing a DMARC policy without losing legitimate mail.