DKIM FAQs (Frequently Asked Questions)

What is DKIM?

DKIM, which stands for DomainKeys Identified Mail, is an email authentication method designed to detect forged header fields and content in emails. DKIM enables the receiver to check if email headers and content have been altered in transit.

Why use DKIM?

DKIM enables the receiving email server to check if the email headers and content have been altered in transit. If they have been altered, the DKIM check returns the fail result, indicating that the message's integrity has been compromised.

On the DMARC level, you can specify a p=reject policy to reject messages that have failed DKIM authentication (and SPF authentication). This way, you can prevent malicious emails from reaching your recipients' inboxes.

Who signs the email message?

The outgoing server does, that is, the server that actually sends the email message by initiating an SMTP session. It signs the message using a private key stored locally on the same machine.

How does DKIM signing work?

DKIM signing an email message on the originating email server involves these steps:

  1. choose which header fields and/or body are to be included in the data;
  2. compute the hash sum of the data, including message headers and message body;
  3. encrypt the hash sum with the private key. The result is called the "signature";
  4. append a DKIM-Signature header containing the signature to the email.

Who verifies the email messages?

The receiving server of the email message does.

After the verification, it returns one of these results (possibly to a controlling module like DMARC): none, pass, fail, policy, neutral, temperror, and permerror.

How does DKIM verification work?

When the email reaches the destination, the receiver checks if a DKIM-Signature field exists in the header.

If a DKIM-Signature field is found, the server verifies the authenticity of the email:

  1. look up the DKIM record of the domain in the DNS, using the selector in DKIM-Signature specified by the s= tag;
  2. if found, extract the public key, which is one half of the key pair, from the record;
  3. compute a hash sum using the algorithm specified by the a= tag, of the incoming data specified by the h= tag;
  4. decrypt the signature with the public key to reveal the hash sum computed by the sender;
  5. if the hash sum from step 4 is equal to the hash sum from step 3, the message passes the check, meaning it hasn't been tampered with; otherwise it fails.
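
The lookup in step 1 and the body part of the hash in step 3 can be reproduced by hand when triaging a DKIM fail. The following is an added example, not code from this page: it uses the d=, c= and bh= tags and the canonicalization rules of RFC 6376, which the FAQ does not cover, and the domain, selector and message are constructed sample values. It does not perform the public-key check of the b= signature (steps 4 and 5) and ignores the optional l= tag.

```python
import base64
import hashlib
import re

def parse_tags(value: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def key_record_name(tags: dict) -> str:
    """DNS name of the TXT record holding the public key (s= selector, d= domain)."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization, "simple" or "relaxed", as in RFC 6376."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # collapse whitespace runs, drop line-end whitespace
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash_ok(tags: dict, body: bytes) -> bool:
    """Recompute the body hash with the a= algorithm and compare it with bh=."""
    algo = tags["a"].split("-", 1)[1]  # "rsa-sha256" -> "sha256"
    mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    digest = hashlib.new(algo, canon_body(body, mode)).digest()
    return base64.b64encode(digest).decode() == tags["bh"]

# Constructed sample: the sender side is simulated by hashing the original body.
ORIGINAL = b"Hi Bob,\r\n\r\nInvoice  attached. \r\n\r\n"
_bh = base64.b64encode(hashlib.sha256(canon_body(ORIGINAL, "relaxed")).digest()).decode()
TAGS = parse_tags("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
                  " h=from:to:subject; bh=" + _bh + "; b=PLACEHOLDER")

if __name__ == "__main__":
    print(key_record_name(TAGS))                # name to query for the TXT record
    print(body_hash_ok(TAGS, ORIGINAL))         # body as sent
    # Whitespace-only changes survive relaxed canonicalization; new text does not.
    print(body_hash_ok(TAGS, b"Hi Bob,\r\n\r\nInvoice attached.\r\n"))
    print(body_hash_ok(TAGS, b"Hi Bob,\r\n\r\nInvoice attached, pay here.\r\n"))
```

A body-hash mismatch means the body changed after signing; a matching body hash with a failing signature points at the signed header fields or the key record instead.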

What if there are multiple DKIM signatures?

Multiple DKIM signatures can be found if an email message is forwarded.
