Understanding DKIM
Summary
DomainKeys Identified Mail (DKIM) is an email authentication protocol that enables senders to sign messages with a cryptographic signature, allowing recipients to verify their authenticity and ensure that emails have not been altered during transit.
Introduction
DomainKeys Identified Mail (DKIM) is an email authentication protocol designed to improve email security by allowing senders to attach a cryptographic signature to their messages. This ensures that the email has not been modified in transit and verifies the sender’s domain, reducing the risk of email spoofing and phishing attacks.
DKIM works by using public-key cryptography, with the public key stored in the Domain Name System (DNS) and the private key used by the sending mail server to sign outgoing messages.
How DKIM works
DKIM operates by attaching a digital signature to the email header. The recipient’s mail server retrieves the sender’s public key from the domain’s DNS record and verifies the signature to confirm the message’s integrity and authenticity.
DKIM signature structure
A DKIM signature is included in the email header and typically looks like this:
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector;
    h=from:subject:date:to;
    bh=examplehash;
    b=examplesignature;
- v=1: Specifies DKIM version 1.
- a=rsa-sha256: Indicates the signing algorithm.
- d=example.com: Identifies the signing domain.
- s=selector: Refers to the selector used to retrieve the public key.
- h=from:subject:date:to: Lists the signed headers.
- bh=examplehash: Contains the body hash.
- b=examplesignature: Holds the actual signature generated using the private key.
Setting up DKIM
To configure DKIM for your domain:
- Generate a DKIM key pair (public and private keys).
- Publish the public key as a TXT record in your domain’s DNS settings.
- Configure your mail server to sign outgoing messages with the private key.
- Test the DKIM configuration using email authentication testing tools.
Example of a DKIM DNS TXT record:
dkim._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=publickeyvalue"
- dkim._domainkey: Specifies the DKIM selector.
- v=DKIM1: Defines the DKIM version.
- k=rsa: Indicates the key type.
- p=publickeyvalue: Contains the public key.
DKIM should be used alongside other authentication methods such as SPF and DMARC for the best email security.
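The following Python example is added here to illustrate the verifier's side of the DKIM signature structure and the DNS record described above; it is not code from the original article. It parses the tag=value list used by both the DKIM-Signature header and the TXT record, derives the DNS name the verifier queries from the s= and d= tags, applies RFC 6376 relaxed canonicalization to body and headers, recomputes the body hash and compares it with bh=, and assembles the header block that the b= signature covers. The final RSA-SHA256 check of b= over that block needs an RSA library and is left out; the sample message, selector and signature value are constructed placeholders, not real mail.

```python
"""Added example (not from the article): the DKIM verification steps that
need no key material.  Sample message and tag values are constructed."""
import base64
import hashlib
import re


def parse_tag_list(value: str) -> dict:
    """Parse a DKIM tag=value list (DKIM-Signature header or DNS TXT record).
    Whitespace folded into b=, bh= and p= values is ignored per RFC 6376."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        name, val = item.split("=", 1)
        name, val = name.strip(), val.strip()
        tags[name] = "".join(val.split()) if name in ("b", "bh", "p") else val
    return tags


def public_key_dns_name(selector: str, domain: str) -> str:
    """Name the verifier queries for the TXT record: <s>._domainkey.<d>."""
    return f"{selector}._domainkey.{domain}"


def relaxed_body(body: str) -> bytes:
    """RFC 6376 3.4.4 relaxed body canonicalization: collapse runs of
    whitespace, strip trailing whitespace, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body: str) -> str:
    """The bh= value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 3.4.2 relaxed header canonicalization: unfold, collapse
    whitespace, trim around the colon, lowercase the field name."""
    value = re.sub(r"[ \t]*\r\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def split_message(raw: str):
    """Split a raw RFC 5322 message into [(name, value), ...] and body,
    keeping folded continuation lines attached to their header."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for field in re.split(r"\r\n(?![ \t])", head):
        name, _, value = field.partition(":")
        headers.append((name.strip(), value))
    return headers, body


def check_body_hash(raw: str):
    """Return (bh matches recomputed hash, parsed DKIM-Signature tags)."""
    headers, body = split_message(raw)
    sig = next(v for n, v in headers if n.lower() == "dkim-signature")
    tags = parse_tag_list(sig)
    return tags["bh"] == body_hash(body), tags


def signed_headers(raw: str) -> str:
    """Build the data the b= signature covers: each h= header (selected
    bottom-up, as RFC 6376 5.4.2 requires), then the DKIM-Signature header
    with b= emptied and no trailing CRLF."""
    headers, _ = split_message(raw)
    sig_i = max(i for i, (n, _) in enumerate(headers) if n.lower() == "dkim-signature")
    tags = parse_tag_list(headers[sig_i][1])
    used, out = set(), []
    for name in tags["h"].split(":"):
        for i in range(len(headers) - 1, -1, -1):
            if i not in used and headers[i][0].lower() == name.lower():
                used.add(i)
                out.append(relaxed_header(*headers[i]))
                break
    sig_value = re.sub(r"(^|;)(\s*b=)[^;]*", r"\1\2", headers[sig_i][1])
    out.append(relaxed_header("DKIM-Signature", sig_value).rstrip("\r\n"))
    return "".join(out)


# Constructed sample: bh= is computed here so the body check can succeed;
# b= is a placeholder, not a real signature.
BODY = "Hello team,\r\n\r\nThe Q3 report is attached.  \r\n\r\n\r\n"
SAMPLE_BH = body_hash(BODY)
SAMPLE_MESSAGE = (
    "From: alice@example.com\r\n"
    "To: bob@example.net\r\n"
    "Subject: Q3  report\r\n"
    "Date: Mon, 01 Jan 2024 10:00:00 +0000\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    " s=selector; h=from:subject:date:to;\r\n"
    f" bh={SAMPLE_BH};\r\n"
    " b=EXAMPLESIGNATURE\r\n"
    "\r\n" + BODY
)

if __name__ == "__main__":
    ok, tags = check_body_hash(SAMPLE_MESSAGE)
    print("body hash matches:", ok)
    print("public key record:", public_key_dns_name(tags["s"], tags["d"]))
    print(signed_headers(SAMPLE_MESSAGE))
```

Changing a single character of the body after signing makes the recomputed bh= differ from the tag, which is how a receiver detects modification in transit before it ever performs the RSA check. The header block returned by `signed_headers` is exactly the input that the private key signed and that the public key from the `selector._domainkey.example.com` TXT record would be used to verify.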
FAQ
The most common questions on the topic, with brief, easy-to-understand answers:
What is DomainKeys Identified Mail (DKIM)?
DomainKeys Identified Mail (DKIM) is an email authentication method that allows senders to digitally sign their emails, enabling recipients to verify their authenticity.
How does DKIM prevent email spoofing?
DKIM prevents email spoofing by using cryptographic signatures that ensure the email has not been altered and originates from an authorized domain.
How do I set up DKIM for my domain?
You need to generate a DKIM key pair, publish the public key in your domain's DNS as a TXT record, and configure your mail server to sign outgoing emails with the private key.
What is a DKIM selector?
A DKIM selector is a unique string used to locate the public key for DKIM verification in the domain's DNS record.
Can DKIM be used alone for email authentication?
While DKIM enhances email security, it is best used alongside SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting & Conformance) for comprehensive protection.
Further reading
Sources and recommended further resources on the topic:
- RFC 6376: DomainKeys Identified Mail (DKIM) Signatures
- DKIM Overview - DMARC.org
- Understanding Sender Policy Framework (SPF)
- Understanding Domain-based Message Authentication, Reporting & Conformance (DMARC)
License
Understanding DKIM by Jonas Jared Jacek is licensed under CC BY-SA 4.0.
This license requires that reusers give credit to the creator. It allows reusers to distribute, remix, adapt, and build upon the material in any medium or format, for noncommercial purposes only. To give credit, provide a link back to the original source, the author, and the license e.g. like this:
<p xmlns:cc="http://creativecommons.org/ns#" xmlns:dct="http://purl.org/dc/terms/"><a property="dct:title" rel="cc:attributionURL" href="https://www.ditig.com/understanding-dkim">Understanding DKIM</a> by <a rel="cc:attributionURL dct:creator" property="cc:attributionName" href="https://www.j15k.com/">Jonas Jared Jacek</a> is licensed under <a href="https://creativecommons.org/licenses/by-sa/4.0/" target="_blank" rel="license noopener noreferrer">CC BY-SA 4.0</a>.</p>
For more information see the Ditig legal page.