What is DKIM?

What is DKIM?
What is DKIM?

Email authentication protocols play an important role in safeguarding digital communication from activities like spam, phishing, and spoofing.

Among these essential protocols, DKIM (DomainKeys Identified Mail) stands out as a powerful cryptographic technique that verifies the integrity of email messages during transmission. By employing digital signatures, DKIM enables receiving servers to authenticate the sender's domain and ensure the email content remains unaltered.

This guide explains the workings of DKIM, its implementation process, benefits, and considerations, highlighting its significance in the email security landscape.

What is DKIM?

DKIM meaning DomainKeys Identified Mail, is an email authentication protocol used to detect forged sender addresses and verify that an email message hasn't been tampered with during transmission.

It is one of the key methods used to combat email spam, phishing, and other malicious email activities.

DKIM works by using cryptographic authentication to let receiving mail servers verify that a message really was sent from the claimed sender's domain. This helps prevent spam and phishing by making it extremely difficult for bad actors to successfully impersonate legitimate senders.

Along with SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting & Conformance), DKIM forms a critical part of modern email authentication and anti-spam efforts.

How Does DKIM Work?

DKIM uses public-key cryptography to create encrypted digital signatures for outgoing email messages. Here's a simple breakdown of how the DKIM authentication process works:

  1. Key Generation: The domain owner generates two cryptographic keys - a public key and a private key. While the public key is available in the domain's DNS records, the sending mail servers securely store the private key.
  2. Email Signature: As soon as an email from that address is sent, the mail server uses the private key and the message text to make a DKIM signature. This name is added to the top of the text.
  3. Signature Verification: When the email reaches the receiving server, it retrieves the domain's public key from DNS. It then uses this public key to decrypt the DKIM signature and verify it matches the actual email contents.
  4. Authentication Result: If the decrypted signature matches the contents, the receiving server knows the email was sent from the authenticated domain and was not modified in transit. If the signatures don't match, DKIM verification fails.

What is the Purpose of DKIM?

The primary purpose of DKIM is to verify the integrity of email messages during transmission. It cryptographically proves that the content of the message was not modified after being sent by the original sender's mail server.

DKIM inserts a digital signature into the email header so mail servers can verify the sender's domain and content.

This signature verification allows receiving mail servers to block forged emails pretending to be from trusted senders. It protects against email domain spoofing attacks used in phishing scams and other malicious email campaigns.

While DKIM reveals if a message was legitimately sent from a domain, it does not prove the identity of the user who actually sent it. DKIM works in tandem with other protocols like SPF and DMARC to provide a more complete authentication process.

What is a DKIM Record?

A DKIM record is a DNS TXT record that contains the public cryptographic key used for DKIM signature verification. It tells receiving mail servers where to find the public key needed to validate DKIM signatures from that domain.

The DKIM record includes the following components:

  • Version: Specifies the DKIM version (currently version=1)
  • Granularity: Separates the domain into finer components like subdomains (k=key granularity)
  • Selector: Identifies the specific public key used (s=selector)
  • Public Key: The actual public encryption key data

DKIM records are designed to make public key discovery easy for receiving mail servers during the DKIM verification process.

What is a DKIM Signature?

A DKIM signature is the encrypted code attached to the headers of emails sent from a DKIM-enabled domain. It contains data like:

  • The domain the message is from (d=domain)
  • The selector identifying the public key (s=selector)
  • A hash of the message body contents (bh=bodyhash)
  • A hash of the message headers (h=headerhash)
  • The encrypted digital signature itself (b=signature)

The signature allows receiving servers to verify the email contents were not modified after being transmitted by checking the hashes against the actual message data.

What is a DKIM Selector?

A DKIM selector is an identifier used to determine which public/private key pair should be used for signing DKIM messages. It allows you to have multiple public keys published for more granular control.

For example, you could use:

  • One selector for marketing emails
  • One for transactional notifications
  • One for a specific mailbox or department

The selector lets you keep separate DKIM key pairs for different email streams rather than using the same keys across your entire domain.

How to Implement DKIM?

To start using DKIM for authenticating your outgoing emails, you'll need to follow these basic steps:

  1. Generate Public/Private Keys: First, create a new public/private cryptographic key pair. Most email services or DKIM tools can automatically generate keys for you.
  2. Publish Public Key in DNS: Next, you'll add a new DKIM TXT record to your domain's DNS zone containing the public key data and selector information.
  3. Configure Mail Servers/Services: Finally, you'll provide the private key to any mail servers, marketing tools, transactional email services, etc., that send email from your domain. They will use this to digitally sign outgoing messages.

From then on, your emails will include DKIM signatures that receiving servers can use for authentication checks during delivery.

Benefits of Using DKIM in Email Authentication

Prevent Email Spoofing

DKIM signatures make it exceedingly difficult for malicious actors to forge or spoof emails that appear to be originating from your domain.

By leveraging cryptographic authentication, DKIM serves as a robust safeguard against email spoofing attempts, effectively thwarting phishing attacks and spam campaigns that aim to impersonate your brand.

Improve Email Deliverability

Major email providers and spam filtering systems are significantly more likely to accept and ensure the proper delivery of messages that successfully pass DKIM authentication checks from legitimate and authorised senders.

By incorporating DKIM as part of your email authentication strategy, you increase the chances of your emails reaching their intended recipients' inboxes without being flagged or diverted to spam folders.

Protect Sender Reputation

Implementing DKIM in conjunction with other email authentication protocols like SPF and DMARC helps establish and maintain a strong reputation for your sending domains over an extended period.

As your emails consistently pass authentication checks and demonstrate compliance with industry-standard security measures, your domain's credibility and trustworthiness increase in the eyes of email service providers and recipients alike.

DMARC Requirement

Properly aligning DKIM and SPF authentication is a core requirement for implementing DMARC, the anti-spoofing email authentication policy. Without proper DKIM and SPF alignment, organisations cannot fully leverage the benefits of DMARC and its ability to mitigate email spoofing threats effectively.

While DKIM alone doesn't prevent sender address spoofing, it is an essential component of modern anti-phishing and anti-spam defences when used with SPF and DMARC policies. Implementing DKIM should be considered a necessity for any organisation that sends emails from their owned domains.

Use Cases for DKIM

DKIM has several common use cases across different industries and organisations:

  • Email Service Providers: Email service providers use DKIM to validate emails on behalf of their customers and improve delivery rates.
  • Marketing Campaigns: Companies doing email marketing campaigns implement DKIM to ensure promotional emails get delivered without being marked as spam.
  • Transactional Email: DKIM helps ensure transactional emails like password resets, receipts, notifications, etc., reach inboxes successfully.
  • Enterprise Communications: Large enterprises use DKIM for outgoing communications to customers, employees, and partners to protect their domains from spoofing.

In general, any individual or organisation that sends emails representing their domain should set up DKIM authentication to safeguard deliverability and domain reputation.

Challenges and Considerations for DKIM

While DKIM is an essential tool, there are some challenges and considerations to keep in mind:

  • The private keys used for DKIM signing must be carefully secured, as a compromised key could allow spoofing of that domain.
  • Managing and rotating DKIM key pairs as needed adds some overhead, especially for larger organisations with many domains/selectors.
  • Unlike SPF, DKIM verification happens invisibly behind the scenes, so end users can't easily check if emails pass DKIM.
  • If an email gets forwarded multiple times, the original DKIM signature may break and cause failed verification.
  • Emails sent through mailing lists may modify message headers/bodies, which could invalidate DKIM signatures.

Despite these considerations, DKIM remains a recommended standard for properly authenticating outgoing emails and preventing abuse of your domains.


Implementing DKIM is an essential step for organisations and individuals seeking to safeguard their email domains, enhance deliverability, and maintain a robust sender reputation.

While it presents some challenges, such as key management and forwarding limitations, DKIM remains a recommended standard for authenticating outgoing emails and preventing domain abuse.

To boost security, safeguard your accounts with InstaSafe's multi-factor authentication, adding a layer of protection against unauthorised access.

Stay ahead of cyber threats with Instasafe solutions, ensuring your data remains secure and your peace of mind intact.

Frequently Asked Questions (FAQs)

  1. What differentiates DKIM from SPF?

SPF and DKIM are different email authentication protocols. SPF verifies that an email was sent from an authorised IP address associated with the sender's domain, while DKIM uses cryptographic signatures to validate that the email content hasn't been modified during transmission.

SPF focuses on preventing email spoofing, while DKIM ensures message integrity.

2. What are SPF and DKIM used for?

SPF and DKIM are primarily used to combat email spoofing, phishing, and spam. SPF validates the sender's IP address, preventing unauthorised servers from sending emails on behalf of a domain.

DKIM, on the other hand, guarantees email content isn't altered during transit, protecting against message forgery and content manipulation attacks.

3. Do I need both DKIM and SPF?

Yes, it is highly recommended that both SPF and DKIM be implemented for comprehensive email authentication. While SPF and DKIM serve different purposes, they complement each other in protecting your domain's reputation and email deliverability.

Together, they provide a robust defence against email spoofing, phishing, and content manipulation attempts, ensuring the authenticity and integrity of your emails.