
What is DomainKeys Identified Mail (DKIM)?

DomainKeys Identified Mail (DKIM) is an email authentication protocol that protects the integrity of email messages by attaching a cryptographic signature to each one. Any change to a message in transit means the signature no longer verifies, so DKIM fails and the receiving mail server is alerted.


How DKIM Works

DKIM uses public-key cryptography to create and verify digital signatures attached to email messages. The authentication process involves several key steps:


1. Key Pair Generation

Domain owners generate a pair of cryptographic keys: a private key stored securely on their email server and a public key published in their DNS records as a TXT record. Keys of at least 1024 bits are recommended, and many organizations are now moving to 2048-bit keys for enhanced security.


2. Message Signing

When an email is sent, the email server computes a hash (digital fingerprint) over selected parts of the message: headers such as "From," "To," and "Subject," plus the message body. This hash is then signed with the private key (often described as encrypting the hash) to produce a unique digital signature, which is added to the email's headers in the DKIM-Signature field.


3. Verification Process

When the email is received, the recipient's server performs a DNS lookup to retrieve the sender's public key from the sending domain's DNS records. The receiving server then uses this public key to verify the signature (conceptually, decrypting it) against a fresh hash it computes from the received message. If the hashes match, the email passes DKIM authentication, confirming both the message's authenticity and integrity.
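The three steps above, carried through end to end in one added example (this is illustrative code written for this page, not the page's own code or any mail server's implementation). It uses only the Go standard library and goes slightly beyond the text: it shows the selector-based DNS name the verifier looks up (`<selector>._domainkey.<domain>`), the shape of the published TXT record, and why headers and body are canonicalized before hashing so that harmless whitespace changes by relays do not break the signature. Everything page-specific is constructed: the domain `example.com`, the selector `s1`, the sample message, and an in-memory map standing in for DNS. Canonicalization is a simplified form of DKIM's "relaxed/simple" modes, not a full RFC 6376 implementation.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// Message is a minimal parsed email.
type Message struct {
	Headers map[string]string // lower-case header name -> value
	Body    string
}

// GenerateKey makes the domain's 2048-bit RSA key pair (step 1) and the TXT record
// that publishes the public key at <selector>._domainkey.<domain>.
func GenerateKey() (*rsa.PrivateKey, string) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // only fails if the system RNG is unavailable
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return priv, "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// relaxed is simplified DKIM "relaxed" header canonicalization: lower-case name, whitespace collapsed.
func relaxed(name, value string) string {
	return strings.ToLower(name) + ":" + strings.Join(strings.Fields(value), " ") + "\r\n"
}

// bodyHash is the bh= tag: base64(SHA-256(body)) after "simple" canonicalization (one final CRLF).
func bodyHash(body string) string {
	body = strings.TrimRight(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	sum := sha256.Sum256([]byte(strings.ReplaceAll(body, "\n", "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// signatureDigest hashes the h= headers in order, then the DKIM-Signature header with b= emptied.
func signatureDigest(m Message, dkimValue string) []byte {
	var sb strings.Builder
	for _, name := range strings.Split(tags(dkimValue)["h"], ":") {
		if v, ok := m.Headers[name]; ok {
			sb.WriteString(relaxed(name, v))
		}
	}
	// The signature cannot cover its own value, so everything after "b=" is dropped; no final CRLF.
	sb.WriteString(strings.TrimSuffix(relaxed("DKIM-Signature", dkimValue[:strings.Index(dkimValue, "; b=")+4]), "\r\n"))
	sum := sha256.Sum256([]byte(sb.String()))
	return sum[:]
}

// Sign builds the DKIM-Signature header value for m with the domain's private key (step 2).
func Sign(m Message, priv *rsa.PrivateKey, domain, selector string) (string, error) {
	value := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=from:to:subject; bh=%s; b=", domain, selector, bodyHash(m.Body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, signatureDigest(m, value))
	return value + base64.StdEncoding.EncodeToString(sig), err
}

// tags parses a "k=v; k=v" DKIM tag list (the header value and the TXT record share the syntax).
func tags(s string) map[string]string {
	out := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			out[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return out
}

// Verify is the receiving side (step 3): recompute bh=, fetch the key named by s= and d=, check b=.
func Verify(m Message, dkimValue string, dns map[string]string) error {
	t := tags(dkimValue)
	if t["bh"] != bodyHash(m.Body) {
		return fmt.Errorf("body hash mismatch: body altered in transit")
	}
	rec, ok := dns[t["s"]+"._domainkey."+t["d"]]
	if !ok {
		return fmt.Errorf("no DKIM record at %s._domainkey.%s", t["s"], t["d"])
	}
	der, _ := base64.StdEncoding.DecodeString(tags(rec)["p"]) // decode errors surface as parse/verify failures
	sig, _ := base64.StdEncoding.DecodeString(t["b"])
	key, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return err
	}
	return rsa.VerifyPKCS1v15(key.(*rsa.PublicKey), crypto.SHA256, signatureDigest(m, dkimValue), sig)
}

func main() {
	priv, record := GenerateKey()
	dns := map[string]string{"s1._domainkey.example.com": record} // constructed zone standing in for DNS
	msg := Message{Headers: map[string]string{"from": "alice@example.com", "to": "bob@example.net", "subject": "Hello"}, Body: "Invoice attached.\r\n"}
	hdr, _ := Sign(msg, priv, "example.com", "s1")
	fmt.Println("intact:  ", Verify(msg, hdr, dns)) // <nil>
	msg.Body += "Pay to a new account.\r\n" // altered in transit
	fmt.Println("tampered:", Verify(msg, hdr, dns)) // body hash mismatch
}
```

Running it with `go run` prints a nil error for the intact message and a body-hash mismatch for the altered copy. Two design points worth noticing: the body hash is checked before any signature work, which is how real verifiers cheaply reject tampered bodies, and only the headers listed in the `h=` tag are protected, so a header the signer did not list can be changed without affecting the result.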
