DKIM Overview
Welcome to the DKIM documentation section. Here you'll find comprehensive information about DomainKeys Identified Mail (DKIM), a standard that allows email senders to digitally sign their messages and verify their domain identity.
What is DKIM?
DKIM stands for DomainKeys Identified Mail, a standard that allows email senders to digitally sign their messages and verify their domain identity. DKIM helps to prevent email spoofing, phishing, and spam by enabling receivers to check if the email was sent by an authorized source and if it was modified in transit. DKIM uses public-key cryptography, where the sender publishes a public key in their domain's DNS records and signs each email with a private key. The receiver can then use the public key to verify the signature and the domain of the sender.
Importantly, DKIM is one of the mechanisms utilized to authenticate senders from a DMARC perspective. If a mail passes a DKIM evaluation, it is considered DMARC compliant.
How does DKIM work?
DKIM works by adding a special header field to each email message, called the DKIM-Signature, which contains information about the signing domain, the selector, the algorithm, the hash, and the signature. The selector is a string that identifies which public key to use for verification. The algorithm is the cryptographic method used to generate the hash and the signature. The hash is a digest of the email content, excluding the DKIM-Signature field. The signature is the result of encrypting the hash with the private key.
When the receiver gets the email, they can extract the DKIM-Signature field and use the selector to find the corresponding public key in the sender's DNS records. They can then decrypt the signature with the public key and compare it with the hash of the email content. If they match, the email is authenticated and has not been tampered with.
Why is DKIM Important?
DKIM is important because it helps to protect the integrity and reputation of email senders and receivers. By verifying the domain identity of the sender, DKIM can reduce the risk of phishing, spoofing, and spam, which can harm the trust and security of email users. DKIM can also improve the deliverability and visibility of legitimate emails, as they are less likely to be filtered or marked as spam by email providers and recipients. This can increase the engagement and conversion rates of email marketing campaigns and newsletters.
DKIM can also complement other email authentication standards, such as SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance), to provide a more comprehensive and robust solution for email security and reputation.
Limitations of DKIM
DKIM is not a perfect solution for email authentication and security, as it has some limitations and challenges. Some of them are:
- DKIM does not guarantee the identity of the actual sender, only the domain. For example, an attacker can compromise a legitimate email account and send spoofed emails with a valid DKIM signature. To mitigate this, email providers and recipients should also check the From and Reply-To fields of the email and use other methods to verify the sender's identity, such as SPF and DMARC.
- DKIM does not prevent the forwarding or relaying of emails, which can break the DKIM signature and cause false negatives. For example, if a user forwards an email to another address, the email content may be modified by the forwarding agent, such as adding a header or a footer, which can invalidate the DKIM signature. To avoid this, email senders should use a relaxed canonicalization algorithm, which ignores minor changes in the email content, and email receivers should use a tolerant verification policy, which allows some errors in the DKIM signature.
- DKIM requires the cooperation and coordination of email senders and receivers, as well as the management and maintenance of public and private keys and DNS records. This can be complex and costly, especially for large and dynamic email domains. To simplify this, email senders and receivers can use third-party services or tools that can handle the DKIM implementation and configuration for them.
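The selector lookup and body-hash comparison from "How does DKIM work?", together with the forwarding limitation above, as an added example that is not part of the original documentation. It follows the body canonicalization rules of RFC 6376; the messages, example.com and sel2024 are constructed, and the b= signature itself is not verified, since that needs the public key and an RSA library.

```python
import base64
import hashlib
import re

def parse_tags(header_value):
    """Split a DKIM-Signature value into tag=value pairs."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)  # folding whitespace is not significant
    return tags

def canon_body(body, mode):
    """Body canonicalization, RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # collapse runs of spaces/tabs, drop whitespace at line ends
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # both modes ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body, mode):
    """Base64 SHA-256 of the canonicalized body, as carried in the bh= tag."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def key_record_name(tags):
    """DNS name where the receiver looks up the signer's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def body_intact(header_value, received_body):
    """True if the received body still matches the bh= value recorded by the signer."""
    tags = parse_tags(header_value)
    mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]  # c=header/body
    return body_hash(received_body, mode) == tags["bh"]

# Constructed sample bodies (not a real message).
SIGNED = b"Hello  team,\r\nInvoice attached. \r\n\r\n"
RESPACED = b"Hello team,\r\nInvoice attached.\r\n"      # relay rewrote whitespace only
FOOTER = SIGNED + b"-- \r\nSent via mailing list\r\n"    # forwarder appended a footer

def sample_header(mode):
    """Constructed DKIM-Signature value; b= is a placeholder, not a real signature."""
    return (f"v=1; a=rsa-sha256; c=relaxed/{mode}; d=example.com; s=sel2024; "
            f"h=from:to:subject; bh={body_hash(SIGNED, mode)}; b=PLACEHOLDER")

if __name__ == "__main__":
    for m in ("simple", "relaxed"):
        print(m, body_intact(sample_header(m), RESPACED), body_intact(sample_header(m), FOOTER))
```

Whitespace-only rewriting passes under relaxed body canonicalization and fails under simple, while an appended footer fails under both.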
Related Topics
- DKIM Syntax - Detailed information about DKIM header fields and DNS records
- DKIM Settings - Configure DKIM Settings