What is DKIM Signature? | EasyDMARC

What is DKIM Signature?

8 Min Read
A text on a blue background

Back in 2020, there was a roaring rise of email as the preferred method of communication worldwide. The pandemic switched logistics to the digital arena, and although things are returning to normal, email’s practicality has stuck with many companies. That’s why it makes sense for the cybersecurity industry to focus its efforts on making email communications more secure.

DMARC has become the perfect way to authenticate email domains, but this protocol doesn’t work without a DKIM signature. If you don’t know about the benefits of DKIM or how it works, you can learn more in our other posts:

Once you know how DKIM records work, you’ll want to learn how to create a DKIM signature and add a DKIM signature to an email domain. This blog post explains exactly what a DKIM signature is and how it works for your business.

What is a DKIM Signature?

So, what is a DKIM signature? The name is short for “DomainKeys Identified Email.” Simply put, DKIM is a digital signature added to all email messages sent from your domain that verify you as a sender. 

DKIM doesn’t work as the type signature you see at the bottom of all messages in your inbox. It’s not a visual trait in most messages. DKIM works as a set of characters hidden in the source code of your messages. Only email service providers can read this line of code.

DKIM signatures are always placed in the header of all emails. This header contains the values that allow receiver servers to validate your email messages. The servers run a check by looking at the sender’s public DKIM key published on their DNS to verify the encrypted signature. 

DKIM signatures are complex. They require proper coding syntax and a list of tag values indicating the actions servers must take—depending on the verification process results.

This is how an actual DKIM signature should look once it’s included in your DNS:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=easydmarc.com; s=google;

h=from: content-transfer-encoding: subject: message-id:date:to:mime-version;

bh= 1py3bPKPbePCmMziH13AZqw0Fa +/ wnOTcnp6P-ZLMW2SwMpgo=;

b= 1yc9n5JU-7bTkT9FxgIYFJutPbxbyfsBXlbD4wJ-Mdt8/15vjYvI2-IlCipp_FFTkyd3s_yA4jX65vRSsaE2hBhTw okQIHsBTfmTFEEo01BtmUZpR5M4Mtz5Q8LE97YRDE /nI1hoPWbzDaL9qh

Why Do You Need a DKIM Signature?

DKIM signatures prevent the work of criminals who want to spoof your domain and send fraudulent messages on your behalf. As these bad actors impersonate your brand via email, they can affect your business operations and disrupt everything from your revenue streams to your communications. 

Once you learn how to generate a DKIM signature, your domain will already be safer.

You also need DKIM signatures to update the SMTP standard most service providers use to send your messages. SMTP makes communications easier but never verifies the sender before delivering messages. 

DKIM, as an authentication protocol, has improved email communication with data directly placed in all email headers. This data is matched with records published in the DNS of the senders to keep malicious actors at bay. 

The data included in DKIM signatures are always encrypted. This helps to receive servers detect any forgeries. DKIM is the brainchild of two distinct security protocols designed by Yahoo! and Cisco. The former created DomainKeys, while the latter made a system named Identified Internet Mail. The companies combined both programs to bring DKIM to life back in 2004. Today, DKIM is the leading verification method used by companies like Google, Apple, and Microsoft.

That said, the DKIM protocol isn’t enough to secure your domain as it doesn’t prevent spoofing of the visible “header from” of an email. Fortunately, DMARC solves this issue by combining SPF and DKIM standards to authenticate emails truly.

How Does a DKIM Signature Work?

A DKIM signature lets you associate your business domain with your email messages. To do this, you must add a DKIM Record to Your DNS. This TXT record tells receiving servers to match emails sent from your domain using a public key. 

The second key is private, and it’s the one encrypted in all headers on your messages.

DKIM signatures include data to let mail transfer agents know where to look for the public key. When you send an email, the DKIM signature uses the private key to contact the receiving mail server. This server verifies it against the public key contained in the public record published in your DNS. The message goes to the receiver’s inbox if the public and private keys correspond. The message is discarded or sent to the spam folder if the DKIM signature and public key don’t match. 

Remember that DKIM is not an email filter but a system that efficiently helps email systems apply their filtering configurations. A stream of messages failing DKIM authentication leads to negative deliverability. 

Big companies create DKIM records and implement DMARC to avoid scams. Online payment services and banking platforms are big adopters of this technology: They also remind their users to prevent emails from asking for personal data.

How to Read a DKIM Header?

When you create a DKIM record for your email headers, it should include a series of tags with values indicating information about a sender. As for the content of each tag, here’s a quick list of the values and their meanings:

  • b= works as the digital signature for email content, valid for the header and body of the message.
  • bh= body hash
  • d= signing domain
  • s= selector
  • v= version of DKIM being used
  • a= signing algorithm
  • c= canonicalization algorithm for header and body of the message
  • q= default query method
  • l= length of the section of the message that has been signed
  • t= timestamp of the signature
  • x= expiration time
  • h= list of signed header fields (needs to be repeated for fields used multiple times)

Out of these tags, b, bh, d, s, v, and a are mandatory in all DKIM signatures. You’ll get an error message if you miss any of these tags. All remaining tags are optional. Based on this listing, let’s take a look at the previous example we offered and see what each section means:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=easydmarc.com; s=google;

h=from: content-transfer-encoding: subject: message-id:date:to:mime-version;

bh= 1py3bPKPbePCmMziH13AZqw0Fa +/ wnOTcnp6P-ZLMW2SwMpgo=;

b= 1yc9n5JU-7bTkT9FxgIYFJutPbxbyfsBXlbD4wJ-Mdt8/15vjYvI2-IlCipp_FFTkyd3s_yA4jX65vRSsaE2hBhTw okQIHsBTfmTFEEo01BtmUZpR5M4Mtz5Q8LE97YRDE /nI1hoPWbzDaL9qh

For this particular DKIM signature, you can see the following: 

  • The digital signature here is “1yc9n5JU-7bTkT9FxgIYFJutPbxbyfsBXlbD4wJ-Mdt8/15vjYvI2-IlCipp_FFTkyd3s_yA4jX65vRSsaE2hBhTw okQIHsBTfmTFEEo01BtmUZpR5M4Mtz5Q8LE97YRDE /nI1hoPWbzDaL9qh” and it should match with the sender’s domain
  • The body hash is listed as “1py3bPKPbePCmMziH13AZqw0Fa +/ wnOTcnp6P-ZLMW2SwMpgo=;
  • The signing domain is “easydmarc.com”
  • The selector is “google.”
  • The version of DKIM being used is “v1.”
  • The signing algorithm is “rsa-sha256.”
  • The policy for the header and body has been configured as “relaxed/relaxed,” meaning the messages are likely to go directly to the sender’s inbox.

All the basics are covered in this example. You’ll notice there’s no default query method, no timestamp signature, no expiration time, and no list of signed header fields.

How to Check a DKIM Signature and Verify It?

If you don’t know how to check the DKIM signature, there are many tools online, but the safest bet is to work with EasyDMARC. Many email service providers offer their own DKIM signatures for your DNS. You may not know whether you have one. 

You can perform a DKIM signature check our DKIM lookup tool. If you don’t have a DKIM signature, you can use our DKIM generator to get one.

Final Thoughts

To build your brand, you must implement email authentication protocols. Adding a DKIM signature to your domain is a necessity. With this verification method, SPF, and DMARC implementation, you become a trusted sender.

Your clients and partners know you’re the one sending messages from your domain. Once you learn how to create DKIM signatures, you can improve the deliverability rates of your email campaigns.

EasyDMARC can help you become a trusted sender.

We offer a vast catalogue of tools and solutions to implement SPF, DKIM, and DMARC policies, including DKIM lookup and generator tools. Get started right now and improve your domain’s reputation today.

Various authors from EasyDMARC teams have contributed to our blog during company's lifetime. This author brings everyone together.


Inline Feedbacks
View all comments

succees We’re glad you joined EasyDMARC newsletter! Get ready for valuable email security knowledge every week.

succees You’re already subscribed to EasyDMARC newsletter. Continue learning more about email security with us