What is DKIM?

An explanation of DomainKeys Identified Mail (DKIM).

Deep DNS Team · October 23, 2025 · 3 min read

What is DKIM (DomainKeys Identified Mail)?

DKIM, or DomainKeys Identified Mail, is a second core email authentication method that works alongside SPF to combat spoofing, phishing and tampering. Where SPF checks whether the IP address of the connecting server is authorized to send for the domain, DKIM attaches a cryptographic signature to the message itself, binding a chosen set of headers and the body to the signing domain.

How DKIM Works: Digital Signatures for Email Integrity

DKIM works by adding a digital signature, carried in a DKIM-Signature header, to outgoing messages. The signature is produced with a private key held by the sending domain and covers a selected set of headers plus a hash of the body, so it provides both authenticity (which domain signed) and integrity (what was signed). When a receiving mail server gets a signed message, it performs a series of checks:

  1. Retrieves Public Key: The signature's d= (domain) and s= (selector) tags tell the receiver where to look. It queries DNS for the TXT record at selector._domainkey.domain, which carries the domain's public key.
  2. Verifies Signature: It hashes the (canonicalized) body and compares the result with the bh= tag, then uses the public key to verify the signature over the headers listed in the h= tag together with that body hash (a signature is verified, not decrypted). If both checks pass, the receiver has confirmed that:
    • The message was signed by a holder of the domain's private key, i.e. a server the domain owner entrusted with it.
    • The signed headers and the body have not been altered since they were signed. Headers not listed in h= are not protected.

The Importance of DKIM for Email Security

Implementing DKIM significantly strengthens your email security posture and improves email deliverability.

  • Ensures Content Integrity: Any change to the body or to a signed header after signing breaks the signature, so the receiver can detect tampering in transit. Only the headers listed in the signature's h= tag are covered; headers left out of that list can still be changed undetected.
  • Verifies Sender Identity: A valid signature proves the message was signed under the domain in the d= tag. That domain is not automatically the one shown in the From: header; DMARC adds the alignment check that ties the two together, which is what makes brand impersonation hard.
  • Improves Deliverability: Like SPF, a valid DKIM signature signals legitimacy to receiving mail servers, increasing the likelihood that your emails land in the inbox rather than the spam folder.
  • Complements SPF: DKIM works hand-in-hand with SPF. Plain forwarding changes the sending IP (which breaks SPF) but leaves the signed headers and body untouched, so the DKIM signature usually still verifies. Intermediaries that rewrite the Subject or append a footer, as many mailing lists do, will break it.

DKIM Records in DNS

A DKIM record is published as a TXT record in your domain's DNS under selector._domainkey.yourdomain.com. The selector, carried in the signature's s= tag, is a label chosen by the domain owner; it lets several keys coexist, for example one per sending service, or an old and a new key during rotation. In the record, v=DKIM1 is the version, k=rsa the key type and p= the base64-encoded public key.

selector._domainkey.yourdomain.com. TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."
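The two-step verification described above (fetch the key, check bh= and the signature) and the TXT record format, as an added example in Go that is not part of the original post and not code from the Deep DNS team. It uses only the Go standard library: a key pair is generated, the public half is rendered as the v=DKIM1 record, a message is signed with relaxed header and simple body canonicalization, and the receiving side verifies it, rejecting a body that was modified in transit. The domain example.com, the selector s1, the message headers and the in-memory dns map that stands in for a DNS lookup are all constructed for the example; duplicate header fields and the l= body-length tag are not modelled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

var ws = regexp.MustCompile(`[ \t\r\n]+`)        // folded line breaks and whitespace runs in a header value
var bTag = regexp.MustCompile(`(^|;)\s*b=[^;]*`) // the b= tag together with its value

// relaxedHeader: RFC 6376 "relaxed" header canonicalization (lowercase name, unfolded, WSP collapsed, trimmed).
func relaxedHeader(name, value string) string {
	return strings.ToLower(name) + ":" + strings.TrimSpace(ws.ReplaceAllString(value, " ")) + "\r\n"
}

// bodyHash is the bh= tag: base64(SHA-256(body)) after "simple" body canonicalization (trailing empty lines dropped).
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// parseTags splits a DKIM tag=value list (signature header or TXT record), dropping folding whitespace in values.
func parseTags(v string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(v, ";") {
		if k, val, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[k] = strings.Join(strings.Fields(val), "")
		}
	}
	return tags
}

// signedData is what the signature covers: the h= headers in order, then DKIM-Signature itself with b= emptied.
func signedData(hdrs map[string]string, names []string, sigValue string) []byte {
	var sb strings.Builder
	for _, n := range names { // hdrs is keyed by lowercase field name; duplicate fields are not modelled
		if v, ok := hdrs[strings.ToLower(n)]; ok {
			sb.WriteString(relaxedHeader(n, v))
		}
	}
	stripped := bTag.ReplaceAllString(sigValue, "${1}b=")
	sb.WriteString(strings.TrimSuffix(relaxedHeader("DKIM-Signature", stripped), "\r\n")) // no trailing CRLF
	return []byte(sb.String())
}

// Sign is the sending server's side: it adds the DKIM-Signature header to hdrs.
func Sign(hdrs map[string]string, body, domain, selector string, key *rsa.PrivateKey) error {
	value := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=from:to:subject:date; bh=%s; b=", domain, selector, bodyHash(body))
	digest := sha256.Sum256(signedData(hdrs, []string{"From", "To", "Subject", "Date"}, value))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return err
	}
	hdrs["dkim-signature"] = value + base64.StdEncoding.EncodeToString(sig)
	return nil
}

// Verify is the receiving server's side; dns stands in for the DNS lookup of <selector>._domainkey.<domain>.
func Verify(hdrs map[string]string, body string, dns map[string]string) error {
	tags := parseTags(hdrs["dkim-signature"])
	der, _ := base64.StdEncoding.DecodeString(parseTags(dns[tags["s"]+"._domainkey."+tags["d"]])["p"])
	pubAny, err := x509.ParsePKIXPublicKey(der) // fails if the record is missing or p= is not a valid key
	pub, ok := pubAny.(*rsa.PublicKey)
	if err != nil || !ok || tags["a"] != "rsa-sha256" {
		return errors.New("no usable RSA key in DNS for the s=/d= tags, or a= is not rsa-sha256")
	}
	// Check 1: the body as received must hash to the bh= value the signer committed to.
	if bodyHash(body) != tags["bh"] {
		return errors.New("body hash mismatch: body changed after signing")
	}
	// Check 2: the signature over the h= headers and bh= must verify under the key from DNS.
	digest := sha256.Sum256(signedData(hdrs, strings.Split(tags["h"], ":"), hdrs["dkim-signature"]))
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return errors.New("signature invalid: a signed header changed or the key does not match")
	}
	return nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	der, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	// Constructed stand-in for DNS: the TXT record the domain owner would publish at s1._domainkey.example.com.
	dns := map[string]string{"s1._domainkey.example.com": "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)}
	hdrs := map[string]string{"from": "alice@example.com", "to": "bob@example.net",
		"subject": "Quarterly report", "date": "Thu, 23 Oct 2025 10:00:00 +0000"}
	if err := Sign(hdrs, "See attached.\r\n", "example.com", "s1", key); err != nil {
		panic(err)
	}
	fmt.Println("as sent:", Verify(hdrs, "See attached.\r\n", dns), "| body altered:", Verify(hdrs, "Wire the money.\r\n", dns))
}
```

Run it with `go run`: the first Verify returns nil and the second reports the body hash mismatch. Because header canonicalization is relaxed, a Subject that an intermediary re-folded onto two lines still verifies, while a changed From: does not, and trailing blank lines appended to the body are ignored by simple body canonicalization. Note that Verify only proves the message was signed under the d= domain found in the header; tying that domain to the From: address is DMARC's job.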

Best Practice: For a robust email security strategy, deploy DKIM together with SPF and DMARC. DMARC checks that the DKIM signing domain (or the SPF-checked domain) aligns with the From: domain and tells receivers what to do when neither check passes. Together the three provide the most comprehensive protection against email fraud and support good deliverability.