What is DKIM, and how does it work?

DomainKeys Identified Mail (DKIM) is a strong email authentication protocol that offers strong email security if set up properly. Learn how to leverage it.
What is dkim graphic

DomainKeys Identified Mail (DKIM) is a stronger authentication method than SPF because it survives most forwarding, and you can ensure the message has not been tampered with in transit.

End users don’t have to manage DKIM. It’s configured by the mail administrator and enacted by the sending and receiving email servers.

Below, you’ll learn the answers to the questions like: What is DKIM? Why does it matter? How does DKIM work?

What is DKIM?

DKIM is an email authentication standard that uses public/private key cryptography to sign email messages. A DKIM record verifies that the email came from the domain with which the DKIM key is associated and that the messages had not been modified in transit.

DKIM explained: How DKIM works

  1. The DKIM authentication process follows four primary steps:
  2.  Create key pair: The domain owner creates a cryptographic public/private key pair, and places the public key, formatted as a TXT record, in the domain’s DNS record. The DKIM header includes the domain name and a “selector” that specifies specific users, subdomains, and services.
  3.  Generate hash: Each time an email user on that domain sends a message, the sender’s email platform generates a hash based on the message’s contents. That hash is then encrypted along with the domain’s Private key. This unique Encrypted Hash gets attached to the header of the email message.
  4.  Recompute the hash: The receiving email server recomputes the hash based on the contents of the email message. It then signs it with the Public key hosted in DNS.
  5.  Test DKIM authentication: If the Hash value the receiving server calculates matches the encrypted hash in the email headers, the email passes DKIM authentication. This proves that the message hasn’t been tampered with since it was originally signed. The recipient knows exactly which domain and selector it was signed by.

What is a DKIM selector?

A DKIM selector is a value used to identify something unique such as a subdomain, a specific user, an office location, or a cloud service that sends email. Selectors make it possible to support multiple public keys per domain.

A single domain could have many selectors, each one for a different sender. This allows for many different services to send on behalf of the domain without all needing to share the same private key.

Why does DKIM store keys in DNS?

DKIM aimed to simplify key management so that there is no need to rely on third-party certificate authorities. DKIM stores the public key in DNS so that domain owners can manage the public DKIM keys themselves.

Using DNS allows domain owners to authorize specific senders by placing public DKIM keys in separate selector records in DNS.

DKIM authentication limitations

DKIM has several limitations that make it less than ideal for preventing phishing attacks. Because of the limitations, attacks could be executed from anywhere in the world, and the domain owner could have no clue. Here are some reasons why:

  • Mismatched signature: A phishing message can contain a perfectly valid DKIM signature from a different domain shown in the From field. The most important address is the domain in the From field. Humans use this to determine who or what a message is coming from.
  • DKIM key security: If an attacker acquires a domain’s private key, they could start signing messages “as” that domain, and they would pass DKIM validation perfectly.
  • No connection: DKIM signatures do not require any kind of connection to the mail servers controlled by the domain owner.

Challenges in implementing DKIM

DKIM key management is vital for providing true security and protection. Email senders need to understand the significance of different DKIM key lengths (longer keys are more secure). Management can be difficult since the Public DKIM keys are hosted in DNS. 

DKIM keys are long strings of random-appearing data and can quickly get wrong in DNS. Even a simple copy/paste issue will cause legitimate email messages to fail DKIM.

Managing DKIM keys

Domain owners need to track the age of specific DKIM keys to rotate them regularly. In many cases, this is not happening. And while senders could manually create individual DKIM key records for each email service they use, they often don’t, meaning all services use the same key—making tracking impossible.

A separate set of DKIM keys should be used for domains using multiple cloud-sending services. Otherwise, an error in importing keys into DNS can block all services using that key pair.

Making the best use of DKIM

DKIM offers strong security in the proper context. We recommend only using DKIM in the context of DMARC, which adds the Alignment requirement. Alignment means that in order for SPF or DKIM to be used to pass DMARC, the domain in either the Return-Path (for SPF or the domain associated with the DKIM key) is the same as the domain that the recipient sees in the From address.

Want to ensure better protection for your email sending? Make DMARC enforcement a priority. We can help. Valimail will automate DMARC without any required DNS updates. We’ll keep your domain security safe and up-to-date. 

Schedule a demo to see how Valimail can protect your domain from spoofing and phishing attacks with SPF, DKIM, and DMARC records.

Get started for free
with Monitor

Start your path to DMARC enforcement with a panoramic view of the traffic being sent on your behalf.
No trial offers, credit cards, or obligations.

Explore all Valimail
has to offer

Go one step further than visibility…Take action! Reach DMARC enforcement faster. Stay compliant with evolving sender requirements. All while protecting your brand.

Phishing and BEC protection starts with your domain — verify your DMARC status with the Valimail Domain Checker.