
DKIM

DKIM is the acronym for DomainKeys Identified Mail.

DKIM is an email authentication method designed to detect email spoofing. It provides a mechanism for receiving mail exchangers to verify that incoming mail from a domain is authorized by that domain’s administrators. A digital signature is attached to the email, and the recipient validates it using a public key published in the sender’s DNS.

Formal Specifications

  • RFC 6376: The primary technical specification defining the DKIM protocol.
  • Cryptographic Standard: Typically utilizes RSA or Ed25519 signatures combined with SHA-256 hashing.

DKIM Functionality

DKIM operates through a three-step cryptographic process: signing, publication and verification. Together these steps act as a cryptographic handshake that proves an email’s origin and ensures its content remained unaltered during transit. The functional breakdown below integrates the technical examples into that workflow.

1. The Signing Phase (Private Key)

Before an email leaves the sender’s server, the system generates a digital signature. It selects specific headers (like From and Subject) and the message body to create a unique hash. This hash is encrypted using a Private Key kept secret on the server. The result is the DKIM-Signature Header attached to the email:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=jan24; h=from:subject:date; bh=j9Uv8Lq5S7D...; b=N7qWzX9yP2r5T...

2. The Publication Phase (DNS Record)

For a recipient to verify the signature, the sender must “publish” the matching Public Key. This is stored in the domain’s DNS settings as a TXT record. The Selector (s=) in the email header tells the recipient exactly where to look in the DNS to find this key. Example DNS TXT Record:

Host: jan24._domainkey.example.com
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA75...

3. The Verification Phase (Public Key)

When the receiving server gets the email, it performs the following logic:

  1. Retrieve: It looks up the Public Key in the DNS using the domain (d=) and selector (s=) from the DKIM-Signature header.
  2. Decrypt: It uses that Public Key to decrypt the signature (b=), revealing the hash the sender computed.
  3. Compare: It re-hashes the received email (the headers listed in h= and the body, whose hash is carried in bh=). If the hashes match, the message is authentic.

The server then records the outcome in the Authentication-Results header:

Authentication-Results: mx.google.com; dkim=pass header.i=@example.com header.s=jan24

Mathematical Validation

The technical integrity of the Pass result relies on one equality: HashReceived, the hash the receiving server recomputes over the message it actually received, must equal the hash recovered from the signature (b=) using the published Public Key.

If the email was tampered with, HashReceived will change, the equality will fail, and the email will likely be sent to the spam folder.
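The body half of the Compare step, as an added example that is not part of the original page: it canonicalizes the received body per RFC 6376 (simple and relaxed), recomputes bh=, compares it with the bh= carried in the DKIM-Signature header, and derives the DNS name the verifier queries from d= and s=. The sample message and its bh= are constructed here; the b= signature over the headers is not checked, since that needs the RSA public key.

```python
import base64
import hashlib
import hmac
import re

WSP = re.compile(rb"[ \t]+")

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 3.4.4 'relaxed' body canonicalization."""
    lines = [WSP.sub(b" ", ln.rstrip(b" \t")) for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":          # ignore empty lines at the end of the body
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""

def simple_body(body: bytes) -> bytes:
    """RFC 6376 3.4.3 'simple' body canonicalization."""
    while body.endswith(b"\r\n\r\n"):          # ignore empty lines at the end of the body
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"

def body_hash(body: bytes, canon: str = "relaxed") -> str:
    """The bh= value: base64(SHA-256(canonicalized body))."""
    canonical = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    return base64.b64encode(hashlib.sha256(canonical).digest()).decode()

def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (DKIM-Signature header or DKIM1 TXT record)."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            name, val = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)   # folding whitespace is ignored
    return tags

def key_record_name(tags: dict) -> str:
    """DNS name the verifier queries: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def check_body_hash(dkim_signature: str, body: bytes) -> bool:
    """Body half of the 'Compare' step: recompute bh= over the received body and compare.
    The b= signature over the headers is not checked here (that needs the public key)."""
    tags = parse_tags(dkim_signature)
    if tags.get("v") != "1" or not tags.get("a", "").endswith("-sha256"):
        return False
    canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return hmac.compare_digest(tags.get("bh", ""), body_hash(body, canon))

# Constructed sample message (not the page's): bh= computed as the signer would.
SAMPLE_BODY = b"Invoice attached.\r\nPlease pay  by Friday. \r\n\r\n"
SAMPLE_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=jan24; "
                 "h=from:subject:date; bh=" + body_hash(SAMPLE_BODY) + "; b=N7qWzX9yP2r5T...")
```

With relaxed canonicalization, whitespace-only changes made in transit still verify, while any change to the words does not.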

DKIM Importance

  • Integrity: Ensures the message content (headers and body) has not been modified in transit.
  • Authenticity: Links a domain name to an email message, providing legal and technical accountability.
  • Deliverability: Verified emails are less likely to be flagged as spam or phishing by major Inbox Service Providers (ISPs).
  • DMARC Dependency: Acts as one of the two foundational pillars (alongside SPF) required for a DMARC (Domain-based Message Authentication, Reporting, and Conformance) pass.

DKIM Limitations

  • No Encryption: DKIM does not encrypt email content for privacy; it only signs it for authenticity.
  • Replay Attacks: If a signed message is captured, it can be re-sent multiple times without breaking the signature unless the timestamp and expiration tags (t=, x=) are strictly enforced.
  • Forwarding Issues: Traditional email forwarding can sometimes break DKIM signatures if the intermediate server modifies the signed message headers or the body (for example, by appending a footer).
