What is DKIM? – A Bit of History

We live in a time where email scams are widespread. There have been many efforts to make this form of communication more secure. DKIM is one of them. 

But what is DKIM? 

How does it work? How did it come to be, and how does it improve email communications worldwide? In this blog post, we’re exploring all relevant aspects related to DKIM.

Let’s begin with a quick DKIM definition. DKIM stands for DomainKeys Identified Mail. DKIM is a security protocol that allows recipients to verify that a received message was really sent by the email domain it claims to come from.

With DKIM, a digital signature created with a private key is attached to every email sent from your domain. Receiving servers then authenticate this signature using the matching public key. DKIM also works as a filter to ensure the message’s content hasn’t been tampered with in transit.

It was created out of the need to increase security in online communications. It’s one of the systems designed to replace the old Simple Mail Transfer Protocol (SMTP). It’s also an integral part of DMARC, working together with SPF.

When it comes to DKIM vs. SPF, both protocols protect against spam, spoofing, and phishing. However, there’s no comparison between DKIM and DMARC, as the latter improves and enhances the features of DKIM and SPF to provide unparalleled email security.

With DKIM, a digital signature is verified using cryptographic protocols. This process works using a key pair, one private and one public—published in the DNS. That’s where adding a DKIM record to your DNS comes in.

What is a DKIM record? Essentially, it’s a DNS TXT record containing the public key that a receiving email server uses to match an email signed with a private key. While it’s vital to know how a DKIM record works, this post is more about how DKIM came to be.

DKIM combines two security standards. The first one is the Enhanced DomainKeys created by Yahoo! that used a public/private key pair to verify an email. It relied on a basic binary system to decide when an email should be accepted or rejected in any inbox, based on a few specs.

DomainKeys was created by Mark Delany in 2004. The security protocols were enhanced and improved by many other team members. It was finally published in 2007. The backstory of DomainKeys can be traced to RFC 4870, superseded by RFC 4871. The basic structure of the system is registered under U.S. Patent 6,986,049.

The second security standard is Identified Internet Mail (IIM), created by Jim Fenton and Michael Thomas at CISCO. The original system used digital signatures included in the message of all emails sent to verify their legitimacy. 

Today, the DKIM signature is visible to receivers as an additional message header, and the verification takes place via the Mail Transfer Agent (MTA). It’s an integral part of DKIM and DMARC technology.

DomainKeys by Yahoo!

When Yahoo! created DomainKeys, the goal was to implement a verification system for the sending domain and body of an email. The mechanism was based on quick inspections with a straight “yes or no” approach, delivering email either to the spam folder or inbox.

This signature-based authentication standard initially worked using a key pair, one private and one public. 

The process is very similar to modern DKIM protocols. But the workaround was more complex. There are two distinct processes, one from sending servers and the other from receiving servers. 

Yahoo! designed DomainKeys to help organizations such as banks and ecommerce stores combat email spoofing and phishing attacks while protecting users. The proposed open authentication standard would go on to become DKIM as we know it today, with the collaborative efforts of industry leaders like IBM, Microsoft, VeriSign, and of course, CISCO.

Identified Internet Mail by CISCO

What is DomainKeys Identified Mail without Identified Internet Mail, or IIM, created by CISCO? This system offered a means to apply cryptographic signatures to email messages for verification purposes. Recipient servers could check the signature, verify the sender’s domain, and authenticate the message.

Email administrators could operate this system using Mail Transfer Agents (MTAs) or Mail User Agents (MUAs) to authenticate the source of emails.

Both methods worked with public and private keys that allowed senders to sign their outgoing messages. However, receivers needed the same specialized software as senders to verify the integrity of the signature.

According to the Internet Draft published by Cisco in 2005, the goal of IIM was not only to combat email spoofing. Identified Internet Mail was also designed to give recipients the ability to classify and prioritize desired emails.

By providing a mechanism to differentiate authentic mail from unsolicited spam and other emails, CISCO wanted to build a foundation for reputation and accreditation tools. The inventors hoped that a combination of such specifications would ultimately marginalize spam and fraudulent emails to the extent that they wouldn’t be as problematic anymore.

How DKIM Came Together

Yahoo! and CISCO realized the potential of their technologies and decided to merge them into a single security protocol in 2007. Their collaboration set the basis for the IETF standards that eventually led to the creation of STD 76, currently known as RFC 6376.

First published in 2011, this document details DKIM protocols and how they should work.

Multiple email service providers thoroughly tested DKIM. It finally became a fixture with Yahoo!, Gmail, AOL, and FastMail, despite its bumpy start. When it was first applied, the strict verification process discarded millions of messages lacking a digital signature. 

The early adopters of the policy decided to change their mail list software instead of making changes to DKIM. 

Today, DKIM is one of the three central policies included in DMARC protocols and one of the primary components of email security. DKIM has not remained stagnant, and it’s constantly being improved. RFC 8301, issued in 2018, updated the sizes of all digital keys from 512-2048 bits to 1024-4096 bits. RFC 8463, published the same year, added a new key type that made public keys shorter and more robust.
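As an added example (not code from the original post), here is a small Python audit of a DKIM TXT record: it parses the `tag=value` list, then checks the published key against the 1024 to 4096-bit RSA range and the Ed25519 key type introduced by RFC 8463. The function names and the sample record are assumptions made for illustration; the sample key is constructed placeholder data, not a real key.

```python
import base64

def parse_dkim_record(txt):
    """Split a DKIM TXT record ('tag=value; tag=value') into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def read_tlv(buf, pos):
    """Read one DER element; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(der):
    """Bit length of the modulus in a DER SubjectPublicKeyInfo RSA key."""
    _, p, _ = read_tlv(der, 0)         # outer SEQUENCE
    _, _, p = read_tlv(der, p)         # skip AlgorithmIdentifier
    _, p, _ = read_tlv(der, p)         # BIT STRING
    _, p, _ = read_tlv(der, p + 1)     # skip unused-bits byte; RSAPublicKey SEQUENCE
    _, start, end = read_tlv(der, p)   # INTEGER modulus
    return int.from_bytes(der[start:end], "big").bit_length()

def audit_dkim_record(txt):
    """Return a list of findings; an empty list means nothing was flagged."""
    tags = parse_dkim_record(txt)
    if not tags.get("p"):
        return ["empty p= tag: key is revoked or missing"]
    findings, ktype = [], tags.get("k", "rsa")   # k= defaults to rsa
    try:
        raw = base64.b64decode(tags["p"], validate=True)
        if ktype == "rsa":
            bits = rsa_modulus_bits(raw)
            if not 1024 <= bits <= 4096:         # range the post cites for RFC 8301
                findings.append(f"RSA key is {bits} bits, outside 1024-4096")
        elif ktype != "ed25519":
            findings.append(f"unknown key type: {ktype}")
        elif len(raw) != 32:                     # Ed25519 public keys are 32 bytes
            findings.append("ed25519 key is not 32 bytes")
    except (ValueError, IndexError):
        findings.append("p= is not valid base64/DER")
    return findings

# Constructed sample (placeholder bytes, not a real key) in the Ed25519 record form.
SAMPLE = "v=DKIM1; k=ed25519; p=" + base64.b64encode(bytes(range(32))).decode()
```

Pass the TXT value returned by your DKIM lookup to `audit_dkim_record`; a 512-bit RSA key, for instance, is reported as outside the accepted range.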

Final Thoughts

Knowing what DKIM authentication is helps you understand its importance in securing your email domain.

DKIM is a signature-based email authentication protocol that validates your domain as a verified sender, thereby protecting your recipients and your company’s brand reputation from fraudulent exploits. 

DKIM was created by merging two security protocols: DomainKeys and Identified Internet Mail or IIM, created by CISCO.

If you want to create a DKIM record for your website, make sure to run a DKIM lookup first. If none exist, use our DKIM generator and increase your reputation as a sender. Don’t forget about the importance of DMARC, either, and get on the right track to improve your email security.
