What is DKIM?

DomainKeys Identified Mail (DKIM) is a signature-based email authentication technique that allows a receiver to check whether an email was sent and authorised by the owner of the domain it claims to come from. This lets an organisation assert responsibility for a message sent under its domain name. DKIM has been published as a Standards Track document by the IETF as RFC 6376.

Why is DKIM Important?

The need for email-validated identification arises because forged addresses and content are otherwise easily created and widely used in spam, phishing, and other email-based fraud. For example, a fraudster may send a message claiming to be from sender@example.com to convince the recipient to accept and read it, and the recipient has no easy way to establish whether that message can be trusted. System administrators also have to deal with complaints about malicious email that appears to have originated from their systems but did not.

DKIM therefore lets the signer (the author's organisation) sign a message and so communicate which email it considers legitimate, and it provides a process for verifying a signed message. Verifying modules typically act on behalf of the receiving organisation, possibly at each hop. DKIM does not, however, directly prevent or disclose abusive behaviour: it only tells the verifier whether the signature checks out.

How does DKIM Work?

DKIM relies on two actions. The first takes place on the sending server, which signs outgoing mail; the second takes place on the receiving server, which checks the DKIM signature on incoming mail. The whole process rests on a private/public key pair: the private key is kept secret, either on your own server or with your email service provider, and the public key is published in your domain's DNS records so that any receiver can retrieve it to verify your messages.

High-Level Explanation

  1. Sending email server uses its private DKIM key to sign an outgoing mail.
  2. Receiving email server retrieves the corresponding DKIM public key from the DNS records.
  3. Receiving email server validates the incoming mail using the public key.
    1. Successful validation results in the mail being directed to the inbox.
    2. An unsuccessful validation results in the mail being directed to either the junk/spam folder or dropped from the server.
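The two actions above, worked through as an added example that is not code from this page or from any DKIM implementation: a simplified DKIM signer and verifier in Go using only the standard library. It generates the key pair, renders the TXT record a sender would publish, computes the body hash (bh=) and the RSA-SHA256 signature over the selected headers (b=), and then shows what a verifier reports for an untouched message and for one whose body was changed after signing. The domain (example.com), selector (s2024), message and DNS zone are constructed for the example, and a map stands in for the DNS lookup; real DKIM additionally handles repeated header fields, header folding, the l=, t= and x= tags and Ed25519 keys, all left out here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Message is a minimal e-mail: header fields keyed by lower-cased name plus the body.
type Message struct {
	Headers map[string]string
	Body    string
}

// relaxedHeader is RFC 6376 "relaxed" header canonicalization: lower-case name,
// value unfolded with whitespace runs collapsed to a single space.
func relaxedHeader(name, value string) string {
	return strings.ToLower(name) + ":" + strings.Join(strings.Fields(value), " ") + "\r\n"
}

// bodyHash is the bh= tag: base64(SHA-256(body)) after "simple" body
// canonicalization (CRLF line endings, exactly one trailing CRLF).
func bodyHash(body string) string {
	b := strings.TrimRight(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	sum := sha256.Sum256([]byte(strings.ReplaceAll(b, "\n", "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// parseTags turns "v=1; a=rsa-sha256; ..." into a map, splitting on the first '='.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, t := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(t), "="); ok {
			tags[k] = strings.TrimSpace(v)
		}
	}
	return tags
}

// headerHashInput is the data that gets signed: the h= headers in the listed
// order, then the DKIM-Signature field itself with b= empty and no trailing CRLF.
func headerHashInput(msg Message, names []string, sigValue string) []byte {
	var sb strings.Builder
	for _, n := range names {
		if v, ok := msg.Headers[strings.ToLower(n)]; ok {
			sb.WriteString(relaxedHeader(n, v))
		}
	}
	sb.WriteString(strings.TrimSuffix(relaxedHeader("DKIM-Signature", sigValue), "\r\n"))
	return []byte(sb.String())
}

// NewSigner generates a 2048-bit RSA key and the TXT record that publishes its
// public half at <selector>._domainkey.<domain>.
func NewSigner() (*rsa.PrivateKey, string) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	der, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	return key, "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// Sign returns the DKIM-Signature value (a=rsa-sha256, c=relaxed/simple) for msg.
func Sign(msg Message, domain, selector string, key *rsa.PrivateKey, names []string) (string, error) {
	sigValue := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(names, ":"), bodyHash(msg.Body))
	digest := sha256.Sum256(headerHashInput(msg, names, sigValue))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return sigValue + base64.StdEncoding.EncodeToString(sig), nil
}

// Verify checks the message's DKIM-Signature against the key in dns, a map that
// stands in for the TXT lookup of "<selector>._domainkey.<domain>".
func Verify(msg Message, dns map[string]string) error {
	sigValue := msg.Headers["dkim-signature"]
	tags := parseTags(sigValue)
	txt, ok := dns[tags["s"]+"._domainkey."+tags["d"]]
	if tags["a"] != "rsa-sha256" || tags["b"] == "" || !ok {
		return errors.New("missing or unsupported signature, or no key record in DNS")
	}
	der, _ := base64.StdEncoding.DecodeString(parseTags(txt)["p"])
	pubAny, err := x509.ParsePKIXPublicKey(der)
	pub, isRSA := pubAny.(*rsa.PublicKey)
	if err != nil || !isRSA {
		return errors.New("DKIM record does not hold a valid RSA key")
	}
	if bodyHash(msg.Body) != tags["bh"] {
		return errors.New("body hash mismatch: body altered after signing")
	}
	// Sign puts b= last, so trimming its value restores the field as it was signed.
	unsigned := strings.TrimSuffix(sigValue, tags["b"])
	digest := sha256.Sum256(headerHashInput(msg, strings.Split(tags["h"], ":"), unsigned))
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return errors.New("signature invalid: signed header altered or wrong key")
	}
	return nil
}

func main() {
	key, txt := NewSigner()
	dns := map[string]string{"s2024._domainkey.example.com": txt} // constructed zone data
	msg := Message{Headers: map[string]string{"from": "sender@example.com",
		"to": "user@example.net", "subject": "Quarterly report"}, Body: "Please find the report attached.\n"}
	sig, _ := Sign(msg, "example.com", "s2024", key, []string{"from", "to", "subject"})
	msg.Headers["dkim-signature"] = sig
	fmt.Println("original:", Verify(msg, dns)) // <nil>
	msg.Body = "Please wire the funds today.\n"
	fmt.Println("tampered:", Verify(msg, dns)) // body hash mismatch
}
```

Two design points worth noticing: the body is covered by bh=, which is itself inside the signed DKIM-Signature field, so a verifier can tell "body changed" apart from "headers changed or wrong key"; and the relaxed canonicalization means whitespace re-folding by an intermediate mail server does not break the signature, while any change to the text of a signed header does. Which headers to list in h= is a policy choice: From must always be signed, and anything a recipient relies on (Subject, To, Date) should be too.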

Adoption Statistics

  1. ACM.org: The Evolution of DNS-Based Email Authentication: Measuring Adoption and Finding Flaws 

  1. Dmarc.org: DKIM Glossary
  2. Internet Engineering Task Force (IETF): DKIM RFCs