A DKIM signature is a cryptographic signature added to an email’s header to verify that specific parts of the email, such as headers and body, have not been altered during transit. It’s a core component of the DomainKeys Identified Mail (DKIM) protocol, defined in RFC 6376. The DKIM-Signature header includes values that recipient servers use to validate the message’s integrity. Recipient servers retrieve the associated public key, typically published in DNS, to confirm that the signature is valid.
Why Do You Need a DKIM Signature?
A DKIM signature assists in the following:
- Protects your email’s integrity by ensuring messages are not modified after signing.
- Contributes to DMARC compliance, as DMARC relies on a valid DKIM signature with domain alignment.
- Builds your domain reputation with ISPs, such as Google, which use DKIM as one of several factors to evaluate your domain’s reputation.
Here’s an example of a DKIM signature:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=easydmarc.com; s=google;
h=from:content-transfer-encoding:subject:message-id:date:to:mime-version;
bh=1py3bPKPbePCmMziH13AZqw0Fa+/wnOTcnp6P-ZLMW2SwMpgo=;
b=1yc9n5JU-7bTkT9FxgIYFJutPbxbyfsBXlbD4wJ-Mdt8/15vjYvI2-IlCipp_FFTkyd3s_yA4jX65vRSsaE2hBhTwokQIHsBTfmTFEEo01BtmUZpR5M4Mtz5Q8LE97YRDE/nI1hoPWbzDaL9qh
The values in a DKIM signature are produced cryptographically: the body hash (bh) is a digest of the message body, and the signature (b) is computed with the sender's private key over that hash and the listed headers. The message itself is signed, not encrypted, and any change to the signed parts makes the signature fail, which is how receiving servers detect forgeries.
DKIM is the leading verification method used by companies such as Google, Apple, and Microsoft. However, the DKIM protocol isn’t enough to secure your domain as it doesn’t prevent spoofing of the visible “header from” of an email. Fortunately, DMARC addresses this issue by combining SPF and DKIM standards and taking them a step further.
How Does a DKIM Signature Work?
A DKIM signature consists of two main components:
- Private key: Used by the sender’s email server to generate the signature.
- Public key: Published in the domain’s DNS records for verification by receiving email servers.
A DKIM signature associates your domain with your email messages. To achieve this, you must add a DKIM record to your DNS. This TXT record allows receiving servers to validate emails sent from your domain using the public key.
When an email is sent, the private key generates the DKIM signature and adds it to the DKIM-Signature header. The header includes a selector (s=), which identifies the DKIM key used. Both the private and public keys are associated with the same selector name.
On the receiving side, the mail transfer agent retrieves the selector and domain (d=domain) from the DKIM-Signature header and queries the DNS using the format Selector._domainkey.domain to obtain the public key.
The private key generates the signature, while the public key verifies it. If the signature is valid, the message passes DKIM verification. If the validation fails, the outcome depends on the recipient’s email systems or additional protocols like DMARC, which can enforce policies to quarantine, reject, or accept the message. DKIM itself does not specify any handling policy for failed signatures.
How to Read a DKIM Header?
A DKIM-Signature header is a series of tag=value pairs. Each tag carries one piece of information a receiving server needs to locate the sender's public key and verify the signature.
Here’s a list of the tags and their meanings:
TAG | MEANING
--- | ---
b | digital signature for the email content; it covers the header fields listed in h and the body hash
bh | body hash
d | signing domain
s | selector
v | version of DKIM being used
a | signing algorithm
c | canonicalization algorithm for the header and body of the message
q | default query method
l | length of the section of the message body that has been signed
t | timestamp of the signature
x | expiration time
h | list of signed header fields (a field must be repeated in the list if it is signed more than once)
Out of these tags, b, bh, d, s, v, and a are mandatory in all DKIM signatures. A signature that omits any of them fails verification. The remaining tags are optional.
Let’s take a closer look at our example above:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=easydmarc.com; s=google;
h=from:content-transfer-encoding:subject:message-id:date:to:mime-version;
bh=1py3bPKPbePCmMziH13AZqw0Fa+/wnOTcnp6P-ZLMW2SwMpgo=;
b=1yc9n5JU-7bTkT9FxgIYFJutPbxbyfsBXlbD4wJ-Mdt8/15vjYvI2-IlCipp_FFTkyd3s_yA4jX65vRSsaE2hBhTwokQIHsBTfmTFEEo01BtmUZpR5M4Mtz5Q8LE97YRDE/nI1hoPWbzDaL9qh
For this signature, you can see the following:
- The digital signature (b) is “1yc9n5JU-7bTkT9FxgIYFJutPbxbyfsBXlbD4wJ-Mdt8/15vjYvI2-IlCipp_FFTkyd3s_yA4jX65vRSsaE2hBhTwokQIHsBTfmTFEEo01BtmUZpR5M4Mtz5Q8LE97YRDE/nI1hoPWbzDaL9qh”; the receiving server verifies it with the public key published under the signing domain
- The body hash (bh) is “1py3bPKPbePCmMziH13AZqw0Fa+/wnOTcnp6P-ZLMW2SwMpgo=”
- The signing domain (d) is “easydmarc.com”
- The selector (s) is “google”
- The version (v) of DKIM being used is “1”
- The signing algorithm (a) is “rsa-sha256”
- The canonicalization (c) for the header and body is “relaxed/relaxed,” meaning minor whitespace changes made by relays in transit do not invalidate the signature.
All the mandatory tags are covered in this example. You’ll notice, however, that not all tags are included.
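To make the verification flow, the tag table and the walk-through above concrete, here is an added example in Python (not EasyDMARC's code, and only the parsing and body-hash stages of a verifier, using the standard library). It parses the article's example signature into tags, checks for required tags, derives the DNS name of the public key from s and d, and recomputes bh over a constructed message body with simple and relaxed canonicalization. The RSA signature check on b, which needs the fetched public key, is left out. The sample body, selector "sel2024" and domain "example.com" are constructed for the example.

```python
import base64
import hashlib
import re

# Tags the article lists as mandatory; RFC 6376 section 3.5 also requires h=.
REQUIRED_TAGS = {"v", "a", "b", "bh", "d", "s", "h"}

# The article's example signature, with folding whitespace as a mail server would send it.
EXAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
    " d=easydmarc.com; s=google;\r\n"
    " h=from: content-transfer-encoding: subject: message-id:date:to:mime-version;\r\n"
    " bh=1py3bPKPbePCmMziH13AZqw0Fa +/ wnOTcnp6P-ZLMW2SwMpgo=;\r\n"
    " b=1yc9n5JU-7bTkT9FxgIYFJutPbxbyfsBXlbD4wJ-Mdt8/15vjYvI2-IlCipp_FFTkyd3s_yA4jX65vRSsaE2hBhTw"
    " okQIHsBTfmTFEEo01BtmUZpR5M4Mtz5Q8LE97YRDE /nI1hoPWbzDaL9qh"
)


def parse_dkim_signature(value: str) -> dict:
    """Split a DKIM-Signature header value into a tag -> value dict.

    Header folding (CRLF + whitespace) is undone first. Whitespace inside b= and
    bh= carries no meaning (RFC 6376 section 3.5) and is dropped; the h= list is
    normalised to lower-case, colon-separated field names.
    """
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
    tags = {}
    for item in unfolded.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, val = item.partition("=")  # first '=' only: b= may end in '=' padding
        name, val = name.strip(), val.strip()
        if name in ("b", "bh"):
            val = re.sub(r"\s+", "", val)
        elif name == "h":
            val = ":".join(f.strip().lower() for f in val.split(":"))
        tags[name] = val
    return tags


def missing_required_tags(tags: dict) -> list:
    """Required tags not present; any missing one is a permanent verification failure."""
    return sorted(REQUIRED_TAGS - tags.keys())


def public_key_dns_name(tags: dict) -> str:
    """DNS name the verifier queries for the TXT record holding the public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def canonicalize_body(body: str, method: str) -> bytes:
    """Body canonicalization per RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed).

    simple : only trailing empty lines are removed; an empty body becomes one CRLF.
    relaxed: additionally strips trailing whitespace on each line and collapses runs
             of spaces/tabs to one space, so relays that re-wrap whitespace do not
             break the signature.
    """
    lines = body.replace("\r\n", "\n").split("\n")
    if method == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b"\r\n" if method == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str, tags: dict) -> str:
    """The bh= value for this message: base64(hash(canonicalized body))."""
    _, _, body_method = tags.get("c", "simple/simple").partition("/")
    body_method = body_method or "simple"  # "c=relaxed" alone means relaxed header, simple body
    digest = tags.get("a", "rsa-sha256").split("-", 1)[1]  # rsa-sha256 -> sha256
    canonical = canonicalize_body(body, body_method)
    return base64.b64encode(hashlib.new(digest, canonical).digest()).decode()


def body_hash_matches(body: str, tags: dict) -> bool:
    """First verifier step: recompute bh= and compare; a mismatch means the body changed."""
    return body_hash(body, tags) == tags.get("bh")


# Constructed message: the signer computes bh=, then the verifier checks the
# unchanged body, a whitespace-rewrapped copy, and a tampered copy.
SAMPLE_BODY = "Your invoice is attached.\r\n\r\nRegards,\r\nAccounts team\r\n"
SAMPLE_TAGS = {"v": "1", "a": "rsa-sha256", "c": "relaxed/relaxed",
               "d": "example.com", "s": "sel2024", "h": "from:to:subject:date"}
SAMPLE_TAGS["bh"] = body_hash(SAMPLE_BODY, SAMPLE_TAGS)

if __name__ == "__main__":
    parsed = parse_dkim_signature(EXAMPLE_SIGNATURE)
    print("missing tags:", missing_required_tags(parsed))
    print("public key lookup:", public_key_dns_name(parsed))
    print("unchanged body:", body_hash_matches(SAMPLE_BODY, SAMPLE_TAGS))
    print("rewrapped whitespace:", body_hash_matches(SAMPLE_BODY.replace("is attached", "is \t attached"), SAMPLE_TAGS))
    print("tampered body:", body_hash_matches(SAMPLE_BODY.replace("invoice", "refund"), SAMPLE_TAGS))
```

The whitespace-rewrapped copy still matches under relaxed canonicalization while the word substitution does not, which is exactly the trade-off the c= tag controls: relaxed tolerates cosmetic changes by intermediaries without weakening detection of content changes.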
How to Check Your DKIM Signature?
To check your DKIM signature, you can use EasyDMARC’s simple DKIM Lookup tool. Our tool validates whether your domain’s DKIM record is implemented correctly. Many email providers offer their own DKIM signatures that are differentiated with “Selector” names. EasyDMARC’s DKIM Lookup tool lets you add the selector name and your domain to retrieve the specific public key of your email service provider (ESP).
EasyDMARC’s DKIM Lookup tool:
- Checks whether the DKIM TXT record is published in DNS for the domain
- Checks the published DKIM TXT record syntax
- Validates the DKIM public key associated with the selector
If there are problems with your DKIM record, we can help you fix them. If you don’t have a signature, you can use our DKIM generator to get one so you can start your email authentication journey.
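The three checks a lookup tool performs on the published record can be reproduced locally. The following is an added Python example, not EasyDMARC's tool: it takes the TXT record as DNS returns it (one or more character strings, which must be joined because keys longer than 255 bytes are split), validates the v=, k= and p= tags against RFC 6376 section 3.6.1, and confirms that p= decodes to a DER blob. The records and the key blob are constructed placeholders; a real check would fetch the record with a DNS resolver, which is not included here.

```python
import base64
import binascii
import re

# Constructed placeholder: a DER SEQUENCE header followed by zero bytes, not a real key.
PLACEHOLDER_KEY = base64.b64encode(b"\x30\x0b" + b"\x00" * 11).decode()
GOOD_RECORD = f"v=DKIM1; k=rsa; p={PLACEHOLDER_KEY}"


def check_dkim_record(strings) -> list:
    """Return findings for a DKIM key record; an empty list means it looks valid.

    `strings` is the TXT record as returned by DNS: a single string or the list of
    character-strings that a resolver must concatenate for long keys.
    """
    txt = strings if isinstance(strings, str) else "".join(strings)
    findings, tags, order = [], {}, []
    for item in txt.split(";"):
        if not item.strip():
            continue
        name, sep, val = item.partition("=")
        if not sep:
            findings.append(f"malformed tag '{item.strip()}'")
            continue
        name = name.strip()
        tags[name] = re.sub(r"\s+", "", val) if name == "p" else val.strip()
        order.append(name)

    # v= is optional, but when present it must be DKIM1 and must be the first tag.
    if "v" in tags:
        if tags["v"] != "DKIM1":
            findings.append(f"unsupported version '{tags['v']}'")
        if order and order[0] != "v":
            findings.append("v= must be the first tag in the record")

    key_type = tags.get("k", "rsa")  # rsa is the default; ed25519 comes from RFC 8463
    if key_type not in ("rsa", "ed25519"):
        findings.append(f"unsupported key type '{key_type}'")

    if "p" not in tags:
        findings.append("missing p= tag: no public key published")
        return findings
    if tags["p"] == "":
        findings.append("p= is empty: the key has been revoked by the domain")
        return findings
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except (binascii.Error, ValueError):
        findings.append("p= is not valid base64")
        return findings
    # RSA keys are published as DER SubjectPublicKeyInfo, which begins with a SEQUENCE tag.
    if key_type == "rsa" and (not der or der[0] != 0x30):
        findings.append("p= does not decode to a DER-encoded RSA public key")
    return findings


if __name__ == "__main__":
    print("good record:", check_dkim_record(GOOD_RECORD))
    print("split strings:", check_dkim_record(["v=DKIM1; k=rsa; p=" + PLACEHOLDER_KEY[:10], PLACEHOLDER_KEY[10:]]))
    print("revoked:", check_dkim_record("v=DKIM1; k=rsa; p="))
    print("bad base64:", check_dkim_record("v=DKIM1; k=rsa; p=not*base64"))
```

A record that passes these checks still has to match the selector named in the signature, so the tool must be given the s= and d= values from a real message header, not just the domain.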
Final Thoughts
DKIM signatures are a key element of modern email security, helping verify message integrity and authenticity. While DKIM alone cannot fully secure your email communications, it serves as a critical component alongside SPF and DMARC. Proper implementation and maintenance of DKIM signatures can improve email deliverability and safeguard your domain’s reputation.
EasyDMARC offers a comprehensive suite of tools and solutions to simplify the implementation of SPF, DKIM, and DMARC, including DKIM lookup and generator tools. Start enhancing your domain’s reputation and email security today with our 14-day free trial.