Main Hero

DKIM

DKIM, or DomainKeys Identified Mail, is an email authentication method that uses cryptographic signatures to verify that an email message has not been altered in transit and that it was authorised by the sending domain. It works by attaching a digital signature to each outgoing email, which is generated using a private key held by the sending server. The receiving server retrieves the corresponding public key from DNS and uses it to validate the signature.

This process ensures message integrity and domain authenticity. If the content of the email is modified during transmission, the DKIM signature will fail validation. Unlike SPF, which validates the sending server, DKIM validates the message itself, making it a critical component of modern email security frameworks.

DKIM operates independently but is most effective when used alongside SPF and DMARC. It supports domain alignment requirements and helps establish trust with receiving mail systems, improving deliverability and reducing the likelihood of messages being flagged as spam.

Advanced

DKIM signatures are added to email headers and include a selector, which identifies the specific key used for signing. The selector allows domain owners to manage multiple keys simultaneously, supporting key rotation and segmented infrastructure. Public keys are stored in DNS as TXT records under the format selector._domainkey.domain.com.

The signing process uses hashing algorithms such as RSA with SHA-256 to generate a signature based on selected header fields and the message body. Receiving servers recompute the hash and compare it to the signature to confirm integrity. Any mismatch results in a DKIM fail.

Alignment with the visible “From” domain is critical for DMARC compliance. DKIM can pass validation even if the domain differs, but without alignment, it may not satisfy DMARC requirements. In high volume environments, proper key management, rotation policies, and consistent signing across all outbound systems are essential for maintaining trust and avoiding authentication gaps.

Relevance

  • Verifies message integrity and prevents tampering
  • Confirms domain level authorisation of emails
  • Supports DMARC alignment and enforcement
  • Improves email deliverability and sender reputation

Applications

  • Signing outbound emails from mail servers and platforms
  • Securing transactional and marketing email streams
  • Implementing domain authentication for compliance
  • Managing multiple selectors for infrastructure segmentation

Metrics

  • DKIM pass versus fail rates in email headers
  • Alignment rates with DMARC policies
  • Email deliverability and inbox placement performance
  • Key usage and rotation effectiveness

Issues

  • Missing or incorrect DNS records causing validation failure
  • Misalignment with visible sender domain affecting DMARC
  • Expired or poorly managed keys reducing security
  • Inconsistent signing across systems creating gaps

Example

A company configures DKIM on its mail server using a selector named mail. The server signs all outgoing emails with a private key, while the public key is published in DNS at mail._domainkey.example.com. When emails are received, the signature is verified, confirming that the message is authentic and unchanged, improving trust and inbox placement.