DKIM Explained

DKIM stands for DomainKeys Identified Mail and is used for the authentication of an email that’s being sent. Like SPF, DKIM is an open standard for email authentication that is used for DMARC alignment. A DKIM record exists in the DNS, but it is a bit more complicated than SPF. DKIM’s advantage is that it can survive forwarding, which makes it superior to SPF and a foundation for securing your email.

Starting in 2004 from merging two similar efforts, “enhanced DomainKeys” from Yahoo and “Identified Internet Mail” from Cisco and has since been widely adopted for email authentication.

Visual presentation of how DKIM works

How does DKIM work?

DKIM gives emails a signature header that is added to the email and secured with encryption. This DKIM signature acts like a tamper-proof seal for email to verify that it has actually come from the domain it says it does and that it hasn’t been tampered with.

To use DKIM, email servers are configured to attach special signatures to the emails they send. These signatures travel with the emails and are verified along the way by the email servers that move the emails toward their final destination.

What is a DKIM Signature?

Each DKIM signature contains all the information needed for an email server to verify that the signature is real, and it is encrypted by a pair of keys. The originating email server has what is called the “private key,” which can be verified by the receiving mail server or ISP with the other half of the keypair, called the “public key.”

DKIM selectors are found in the DKIM-Signature header and indicate where the public key portion of the DKIM keypair exists in DNS.

Read about DKIM Selectors and how to discover which ones your domain may be currently using.

Read about how to create and add a DKIM record

Why use DKIM for Email?

Implementing DKIM for email provides major benefits:

Protection of message integrity. The content of the email can be verified that it hasn’t been changed while being sent.

Increases domain reputation and email deliverability.

One of the foundational methods of email authentication for DMARC.

Test your domain’s DKIM settings – Our DKIM Inspector is a free diagnostic tool that check if the public part of your DKIM signature—using the selector—has been implemented correctly in the DNS of your domain. Our free DKIM Validator can help you verify that your DKIM record is properly formatted. 

Why DKIM-Only Isn’t Safe Enough

DKIM on its own isn’t a reliable way of authenticating the identity of the email sender and does nothing to prevent the spoofing of the domain visible in the header of the email. DMARC solves the problem by guaranteeing that the domain the end user sees is the same as the domain that is validated by DKIM and SPF. Learn more about DMARC alignment.

Furthermore, the addition of DMARC provides email received instructions on what to do with emails which do not match these checks via DMARC policy enforcement.

Visit our DKIM Knowledge Base to learn more about DKIM.