DomainKeys Identified Mail (DKIM) is an email authentication protocol that lets domain and organization owners cryptographically sign the emails they send, so that receiving servers can verify them.
DKIM allows the recipient server to verify that the content of the original message was not altered in any way. But what exactly does that mean?
Imagine you’re at the post office sending a letter. In a basic system, no one asks for your passport or other identification, so anyone can send a letter pretending to be you. This is how email works with plain Simple Mail Transfer Protocol (SMTP): anyone, including cybercriminals, can send an email impersonating your domain simply by writing your domain in the “From” field and the victim’s address in the “To” field.
Now, imagine a situation where the post office places a stamp on your letter to confirm it was handled securely and hasn’t been tampered with. DKIM works the same way—it ensures that an email was properly signed and remains unaltered, helping to reduce the risk of phishing attacks.
Key Takeaways on What DKIM is in Email
- DKIM authenticates emails cryptographically: Verifies that an email hasn’t been altered during transmission
- DKIM functions like a tamper-evident seal: Ensures email integrity by adding a cryptographic signature, but does not directly verify the sender’s identity
- Does not prevent domain impersonation on its own: DKIM ensures email authenticity but does not require alignment with the From: address domain, meaning attackers can still impersonate a domain unless DMARC is enforced
- Critical security layer: Works alongside SPF and DMARC to strengthen email authentication and prevent phishing and spoofing attacks
What is a DKIM Record?
A DKIM record is a specially formatted TXT record added to your domain’s DNS.
The TXT record contains the public key that receiving email servers use to verify the digital signature on your outgoing messages and confirm that they really come from your domain.
How DKIM Records Work
A DKIM record is built from components called tags, which carry the information verifiers need about the sender and the public key. Each tag is a letter followed by an equals sign and a value (for example “s=”).
DKIM records must follow the correct syntax to work. Some tags are mandatory, while others are optional, and a missing mandatory tag causes verification errors with certain email providers. A tag that is present but empty is processed as an empty value, whereas a tag that is absent is simply treated as not set.
If your email service provider includes backslashes before semicolons or surrounds the record with double quotes, remove them to avoid syntax errors. Your server typically handles extra quotation marks, and other extraneous characters are ignored.
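As an added example (not from the original page and not EasyDMARC’s own tooling), the following Python parses a DKIM TXT record the way a DNS editor might hand it back, strips the wrapping quotes and backslash-escaped semicolons described above, and reports the tag problems a verifier would trip over; the record and its p= value are constructed placeholders, not a real key.

```python
import base64
import binascii
import re

# Constructed sample: a DKIM TXT record as some DNS editors display it, wrapped in
# double quotes and with backslash-escaped semicolons (both must be stripped, as the
# text above explains). The p= value is a placeholder, not a real RSA public key.
RAW_RECORD = '"v=DKIM1\\; k=rsa\\; p=cGxhY2Vob2xkZXJrZXk="'


def parse_dkim_record(raw: str) -> dict:
    """Turn the raw TXT data into a {tag: value} dict, undoing provider escaping."""
    text = raw.strip()
    if '"' in text:
        # TXT data may be one or more quoted strings; join them and drop the quotes.
        text = "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', text))
    text = text.replace("\\;", ";")  # a backslash before ';' is not part of DKIM syntax
    tags = {}
    for part in text.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';' or doubled separators
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        tags[name.strip()] = "".join(value.split())  # whitespace inside values is ignored
    return tags


def validate_dkim_record(tags: dict) -> list:
    """Return the problems a verifier would reject; an empty list means the record is usable."""
    problems = []
    if "v" in tags and tags["v"] != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if "p" not in tags:
        problems.append("p= (public key) is mandatory")
    elif tags["p"] == "":
        problems.append("p= is empty: key is revoked, signatures will fail")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unknown key type k={tags['k']}")
    return problems
```

An empty p= is a real, valid state (a revoked key) and differs from a missing p=, which is a broken record; the validator reports the two differently for that reason.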
Take a look at our DKIM record generator to create a valid DKIM record. Then, add it to your DNS configuration and complete the second step of email authentication.
The Magic Behind DKIM: Public-Key Cryptography
Think of public-key cryptography as a secure lockbox system. Instead of just one key, you get two that work together:
- You have a Private Key that nobody else gets to see or use
- There’s also a Public Key that works with your private key
These keys are like puzzle pieces made for each other. If you lock something with one key, only the matching key can unlock it.
What is a DKIM Signature?
A DKIM signature is a cryptographic signature added to the email headers that serves as a digital seal of authenticity. Once you’ve enabled DKIM signing in your email service (for example Google Workspace, Office 365, or OpenDKIM with Postfix), your mail server automatically performs the following steps:
- It calculates the hash value of the mail body
- It encrypts this hash using your private key
- It attaches the hash as a signature in the email header before sending
This automated process, known as DKIM signing, creates a verifiable seal that recipient servers can check against your published public key. The signature itself is essentially the encrypted hash of your email, locked with your private key that only your domain possesses.
When a receiving server processes the incoming email, it uses this signature to confirm that the message was signed by the domain named in the signature and that its content was not altered in transit, which forms a key component of your overall DMARC protection strategy.
Here is an example of a DKIM signature
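To make the signing and verification steps above concrete, here is an added Python example (not the page’s own signature example and not code from any mail server) that implements the body-hash part of the process: the signer canonicalizes the body and hashes it into the bh= tag, and the receiver recomputes that hash to detect tampering. The b= signature over the selected headers needs the private key and an RSA library, so it is left as a placeholder; the message body, domain and selector are constructed.

```python
import base64
import hashlib
import re

# Constructed sample message body (not from the original page).
BODY = b"Hello,\r\n\r\nPlease  find the  invoice attached.\r\n"


def canonicalize_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization: collapse runs of spaces/tabs to one
    space, strip trailing whitespace on each line, drop empty lines at the end of the
    body, and terminate with a single CRLF (an empty body canonicalizes to nothing)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t") for line in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes) -> str:
    """The bh= tag: base64(SHA-256(canonicalized body)), as computed by the signer."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode()


def make_signature_header(domain: str, selector: str, body: bytes) -> str:
    """Signer side: assemble the DKIM-Signature tags. b= would carry the RSA signature
    over the selected headers (made with the private key); it is a placeholder here."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h=from:to:subject:date; bh={body_hash(body)}; b=<signature-placeholder>")


def parse_signature_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (folding whitespace dropped)."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())
    return tags


def body_hash_matches(dkim_signature: str, body: bytes) -> bool:
    """Verifier side: recompute bh= over the body as received and compare it with the
    value the signer placed in the header. A mismatch means the body was altered."""
    return parse_signature_tags(dkim_signature).get("bh") == body_hash(body)
```

Under relaxed canonicalization, extra trailing blank lines or collapsed runs of spaces added by an intermediate server still verify, while any change to the words does not.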
EasyDMARC Makes DKIM Easy
At EasyDMARC, we make DKIM easy. DKIM is a critical component of your email security strategy, and it cannot be overlooked. It works by adding a cryptographic signature to your emails, ensuring that they haven’t been tampered with during transit. This simple yet powerful process helps prevent issues like email spoofing, phishing, and other types of malicious attacks that can damage your reputation and harm your recipients.
With EasyDMARC, you can easily generate your DKIM record using our intuitive DKIM record creator. Our tools guide you through the setup process, eliminating common errors and ensuring that your DKIM configuration is correct. By implementing DKIM, you’ll significantly reduce the chances of your domain being exploited for phishing attacks or other fraudulent activities.
Don’t let your email server run unprotected. Get started with our DKIM record generator today and safeguard your email communications. With EasyDMARC, securing your domain has never been easier.
Frequently Asked Questions
Yes, DKIM (DomainKeys Identified Mail) remains a widely adopted email authentication protocol. It adds a digital signature to emails, helping receiving servers verify the sender’s domain and ensuring message integrity during transit.
Technically, you can send emails without DKIM; however, doing so may increase the risk of your emails being marked as spam or rejected by recipients’ servers. Implementing DKIM enhances your email’s credibility and deliverability.
Yes, in most cases, DKIM is more important than SPF when it comes to DMARC. This is because SPF alignment cannot always be achieved with certain ESPs, and auto-forwarding can easily break SPF, while DKIM remains intact. Additionally, DKIM provides other benefits, such as helping build your domain’s reputation, enabling data visibility in Google Postmaster, and supporting other Feedback Loop (FBL) services.
SPF verifies that emails come from authorized mail servers, helping to prevent unauthorized senders from spoofing your Return-Path domain.
DKIM, on the other hand, uses cryptographic signatures to confirm that the email content hasn’t been altered in transit. Because a DKIM signature remains intact even after forwarding, it is generally more reliable for email authentication and domain reputation building.
Together, SPF and DKIM play a crucial role in email authentication, and both work toward full DMARC compliance.
To set up DKIM:
1. Generate DKIM Keys: Use a DKIM key generator to create a public-private key pair
2. Add Public Key to DNS: Publish the public key as a TXT record in your domain’s DNS settings
3. Configure Your Email Server: Set up your email server to sign outgoing emails with the private key
If you use a third-party email provider like Google Workspace, HubSpot, or other ESPs, the provider handles the private key storage and gives you the public key. You simply need to copy and paste it into your DNS records.
For a simpler setup, EasyDMARC has identified over 1,500 email sources and provides all the necessary details for DKIM configuration.