DKIM Signature

What is DKIM for Email Authentication and How Does it Work?


There are hundreds of millions of email phishing attacks every year. Some of those fraudulent emails could be from scammers and spammers who are trying to impersonate your brand. And those attacks are becoming more sophisticated. So, what can senders do to help stop it?

The best way to prevent this from happening to your subscribers? Set up rigorous email authentication protocols: SPF, BIMI, DMARC, and DKIM.

Of these four email authentication standards, only one relies on a cryptographic key pair and a digital signature. That’s DomainKeys Identified Mail, or DKIM for short. A DKIM signature helps mailbox providers verify you as the sender while preventing phishing attacks known as email spoofing.

Imagine signing an important letter with invisible ink, which makes it clear the message came from you and no one else. That’s essentially what DKIM does. Of course, it’s not quite that simple. Here’s how DKIM works, and what you need to know to implement it for your email marketing program:

What is a DKIM signature?

DKIM, or DomainKeys Identified Mail, is an email authentication protocol that creates a digital signature that mailbox providers use to verify the identity of an email sender. A mailbox provider checks the DKIM signature, found in an email’s header, against a public key published in the domain name system (DNS) for the sender’s domain. That published key lets mailbox providers detect forged sender addresses. All major mailbox providers look for DKIM signatures when authenticating emails, including Google, Apple Mail, and Outlook.

Created in 2004, DKIM combined two methods designed to prevent email forgery: Yahoo’s “DomainKeys” and Cisco’s “Identified Internet Mail.” The DomainKeys portion was designed to verify the DNS domain of an email sender. Identified Internet Mail is the digital signature portion of the specification.

DKIM adds another layer of protection to the standard practice of SMTP, or Simple Mail Transfer Protocol. While SMTP is frequently used, it doesn’t include a way to verify a sender before delivering an email. That made it possible for spammers and scammers to fill inboxes with junk and attempt to spoof trustworthy brands.

What does DKIM do and how does it work? 

Essentially, when you set up DKIM, you’re telling internet service providers (ISPs) that your ESP is sending mail from an authorized system and that it is not spam or spoofing. Like other email authentication methods, DKIM lets senders associate a specific domain with their email messages. Records published in DNS vouch for an email’s authenticity.

However, DKIM has a unique way of doing this, using a key pair and a digital signature:

  • A public key published in a DNS TXT record
  • A digital signature included in the email header. That signature is generated with the sender’s private key, which should be unique to the sender, and it can only be verified with the public key published in DNS.

When the signature verifies against the published public key, mailbox providers confirm the identity of the sender and the message goes through to the inbox. If the signature does not verify, or if the email provider detects no DKIM signature at all, it’s more likely that the email will be rejected or filtered into the spam folder.

[Figure: Flowchart of how DKIM signatures work]

DKIM itself does not filter emails. However, it helps the receiving mail servers decide how to best filter incoming messages. A successful DKIM verification often means a reduced spam score for a message.

That’s why setting up DKIM authentication is so important for email deliverability — without this and other authentication protocols that confirm your email security, providers like Gmail won’t deliver emails that appear to come from a brand like Microsoft, PayPal, or Bank of America, because scammers regularly use these kinds of brands for email spoofing.

A DKIM signature vs. SPF authentication

What’s the difference between a DKIM signature and SPF authentication? These two protocols are simply two different ways to authenticate senders and prevent email spoofing, but a strong email security program uses both.

  • A DKIM signature uses keys to authenticate a sender, verifying the signature in the individual email with the known public key from that sender in the DNS record
  • An SPF record, or sender policy framework, contains an official list of domains and servers authorized to send email on behalf of a particular domain, including your email service provider (ESP) and the domain owner. That could include yourname@example.com, but also hello@example.com, customersupport@example.com, and so on. If a domain that’s not in your SPF tries to send email from your brand, mailbox providers may reject it or send it to the junk folder.

Both SPF and DKIM have strengths and weaknesses. For example, a downside of SPF is that it breaks during email forwarding, but the DKIM signature does not. A DKIM signature can be forged if the private key is exposed, however, which is why it’s best practice to change or rotate your keys on a consistent basis – at least once or twice per year.

Adding DMARC to the mix

Once you have DKIM and SPF in place, a DMARC policy tells mailbox providers what to do with emails that fail authentication. This policy, also known as Domain-based Message Authentication, Reporting, and Conformance, checks for DKIM and SPF alignment, creating a common framework for mailbox providers to use in the DNS record. For example, if an email fails one or the other (there are various reasons this might occur), DMARC makes it more clear for a mailbox provider to know what to

For many people, missing an important, legitimate email is even worse than letting spam get through to their inbox. Real emails can sometimes fail DKIM and SPF authentication for various reasons. So, mailbox providers may let emails through if they don’t pass the test but appear to come from a legit sending domain. DMARC makes it more clear what to do.

What does a DKIM record look like?

Implementing a DKIM signature requires adding a signature header to every email you send and adding a TXT record to your domain name system (DNS) server. Here’s a closer look at those two pieces:

The DKIM record

In order to take advantage of DKIM to protect your brand from spoofing and protect your subscribers from scammers, you’ll need to create a DKIM record, place it in a DNS TXT record, and publish it on the domain name server. This may involve getting some help from the IT department and/or your email service provider (ESP). Here’s an example of a DNS record:

dk1024-2012._domainkey.example.com TXT "v=DKIM1; t=y; k=rsa;
p=MIGfMA0GCSqGSiuTHjQWercnvEr54A2CA;"

Here’s a breakdown of the sample DNS TXT record for a DKIM signature:

  • v= The version of the protocol used
  • t= This optional tag indicates the sending domain is testing DKIM
  • k= The key type, which is usually rsa
  • p= The public key, which is used to verify the DKIM signature

The only required tag in the DNS record is the public key (p=). The DKIM record also includes the sending domain and the DKIM selector, the latter of which is a name or number the sender uses to tell receiving mail servers where in DNS to find the public key. The DKIM signature header gets added to email messages and includes the information receiving mail servers need to verify the authenticity of a message.

How to read a DKIM header

Then, you need to create the DKIM header, which is inserted into the header of every single email you send. It contains the signature itself along with the domain and selector that tell receiving servers where to look up the public key.

These two pieces together make up the DKIM signature.

Let’s put it all together. Here’s an example DKIM signature (recorded as an RFC 2822 header field) for the signed message:

DKIM-Signature: a=rsa-sha1; q=dns;
    d=example.com;
    i=user@eng.example.com;
    s=jun2005.eng; c=relaxed/simple;
    t=1117574938; x=1118006938;
    h=from:to:subject:date;
    b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSb
      av+yuU4zGeeruD00lszZVoG4ZHRNiYzR

Tags in a DKIM signature header

  • b = the actual digital signature of the contents (headers and body) of the mail message
  • bh = the body hash
  • d = the signing domain
  • s = the selector
  • v = the version
  • a = the signing algorithm
  • c = the canonicalization algorithm(s) for header and body
  • q = the default query method
  • l = the length of the canonicalized part of the body that has been signed
  • t = the signature timestamp
  • x = the expire time
  • h = the list of signed header fields, repeated for fields that occur multiple times

NOTE: The required tags are v, a, b, bh, d, h, and s. DKIM signatures that are missing any of these tags will produce an error during verification.

We can see from this DKIM header that:

  1. The digital signature is dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR.
    This signature is verified with the public key published at the sender’s domain.
  2. The body hash is not listed.
  3. The signing domain is example.com.
    This is the domain that sent (and signed) the message.
  4. The selector is jun2005.eng.
  5. The version is not listed.
  6. The signing algorithm is rsa-sha1.
    This is the algorithm used to generate the signature.
  7. The canonicalization algorithm(s) for header and body are relaxed/simple.
  8. The default query method is DNS.
    This is the method used to look up the key on the signing domain.
  9. The length of the canonicalized part of the body that has been signed is not listed.
    The signer can hash the entire body or only the first part of it. The number of bytes covered would be listed here.
  10. The signature timestamp is 1117574938.
    This is when it was signed.
  11. The expire time is 1118006938.
    Because an already signed email can be reused to “fake” the signature, signatures are set to expire.
  12. The list of signed header fields includes from:to:subject:date.
    This is the list of fields that have been “signed” to verify that they have not been modified.
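To make the DNS record and signature header formats above concrete, here is an added Python example (not the article’s or any vendor’s code). It parses the tag=value lists of the article’s own DNS record and example DKIM-Signature header, reports which required tags are missing, checks the x= expiry, and recomputes the body hash (bh=) under simple and relaxed body canonicalization. The constructed SAMPLE_HEADER, its selector sel2024 and its placeholder b= value are assumptions; verifying b= itself needs the public key and is not shown.

```python
import base64
import hashlib
import re

# Tags a DKIM-Signature header must carry (RFC 6376, section 3.5).
REQUIRED_SIG_TAGS = {"v", "a", "b", "bh", "d", "h", "s"}

def parse_tags(value):
    """Parse a tag=value list (a DKIM-Signature header or the selector's DNS TXT
    record) into a dict, dropping folding whitespace inside values."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            name, val = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def check_signature(tags, now):
    """Structural checks a verifier runs before it even fetches the public key."""
    problems = ["missing required tag " + t for t in sorted(REQUIRED_SIG_TAGS - set(tags))]
    if "v" in tags and tags["v"] != "1":
        problems.append("unsupported version " + tags["v"])
    if "x" in tags and int(tags["x"]) < now:  # x= and t= are Unix timestamps
        problems.append("signature expired")
    return problems

def canonical_body(body, mode):
    """Body canonicalization (RFC 6376, section 3.4): 'simple' strips trailing empty
    lines; 'relaxed' also trims line ends and collapses whitespace runs to one space."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip() for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    canon = "".join(line + "\r\n" for line in lines)
    return canon if canon or mode == "relaxed" else "\r\n"  # simple: empty body is one CRLF

def compute_bh(body, tags):
    """Recompute bh= under the signature's a= and c= tags (l= partial-body signing ignored)."""
    digest = tags["a"].split("-", 1)[1]                # "sha1" or "sha256"
    canon = tags.get("c", "simple/simple").split("/")  # a lone "relaxed" means relaxed/simple
    body_mode = canon[1] if len(canon) == 2 else "simple"
    raw = hashlib.new(digest, canonical_body(body, body_mode).encode()).digest()
    return base64.b64encode(raw).decode()

def body_hash_matches(header, body):
    """True if the delivered body still hashes to the bh= the signer recorded."""
    tags = parse_tags(header)
    return compute_bh(body, tags) == tags.get("bh")

# The article's DNS record value and its example header (an older example with no v= or bh=).
ARTICLE_DNS = "v=DKIM1; t=y; k=rsa; p=MIGfMA0GCSqGSiuTHjQWercnvEr54A2CA;"
ARTICLE_HEADER = ("a=rsa-sha1; q=dns; d=example.com; i=user@eng.example.com; "
                  "s=jun2005.eng; c=relaxed/simple; t=1117574938; x=1118006938; "
                  "h=from:to:subject:date; b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSb"
                  "av+yuU4zGeeruD00lszZVoG4ZHRNiYzR")
# Constructed header for an empty body: bh= is SHA-256 of a lone CRLF; b= is a placeholder.
SAMPLE_HEADER = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel2024; "
                 "h=from:to:subject:date; t=1700000000; x=1700086400; "
                 "bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; b=PLACEHOLDER")
```

Running check_signature on the article’s header reports the missing v= and bh= tags, and body_hash_matches on SAMPLE_HEADER shows that trailing blank lines do not change the body hash while any edit to the body text does.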

One important consideration for DKIM authentication is the need to periodically change or rotate your DKIM keys. Just like updating a password for account login, DKIM key rotation helps keep the authentication protocol secure. In some cases, DKIM information is accidentally exposed, which could cause security concerns.

How do you set up and check DKIM?

DKIM setup is one of the most technical aspects of email deliverability and can require help from your web host providers, email service providers, or your IT department to configure it correctly. However, there’s good news — it’s much easier to verify your DKIM keys than it is to set them up in the first place. And trust us, doing this work goes a long way toward helping your email deliverability.

The particulars of your DKIM setup vary based on your hosting provider, so be sure to contact them for specifics. Take a look at these common provider documents for more details:

How to verify a DKIM signature

DNS records and DKIM signatures can get complicated. If you want to be sure your email authentication protocols are set up correctly, there are online tools that can help verify that.

Here are a few tools to try for DKIM verification:

You can also test DKIM by sending an email to a Gmail account. Open the email in the Gmail web app, click on the down arrow next to the “reply” button (top right of email), and select “show original.” In the original, if you see “signed-by: your domain name” then your DKIM signature is good.

Does DKIM improve deliverability? 

Like most things in email, the answer is “it depends.”

Yes, adding DKIM authentication (and SPF, for that matter) improves your overall sender reputation and can make it much more likely for providers to send your email to the inbox. But the case for using DKIM is more about what happens if you fail to use it. Without it, you’re much more likely to get flagged as spam — and of course, it’s a lot easier for scammers to spoof your emails, which negatively impacts not just your deliverability but your brand trust, too.

Take control of email deliverability 

Strong authentication is the foundation of great email deliverability. Making sure you have your authentication protocols in place is essential — but it’s not a fail-safe. Deliverability is a notoriously fickle aspect of email marketing that requires constant upkeep. That’s why we’ve created InboxReady by Sinch, a suite of deliverability tools and services that help take the complexity out of email deliverability. That means more of your awesome emails will make it to the inboxes of people you want to reach.

Improve Deliverability to Hit More Inboxes!

Nothing ruins a polished email’s ROI potential like a trip to the spam folder. Run a Spam Test right within your Campaign Precheck workflow so you can land in more inboxes and increase email ROI. With Sinch Email on Acid, you can check your email against 23 of the most popular spam filters and your domain against the most popular blocklists before you hit “send”. Sign up for a free trial and try it out today.


Author: The Email on Acid Team

The Email on Acid content team is made up of digital marketers, content creators, and straight-up email geeks.

Connect with us on LinkedIn, follow us on Facebook, and tweet at @EmailonAcid on Twitter for more sweet stuff and great convos on email marketing.


30 thoughts on “What is DKIM for Email Authentication and How Does it Work?”

  1. Fantastic blog! I’m impressed, I must say. Really rarely do I encounter a blog that’s both informative and entertaining, and let me tell you, you have hit the nail on the head. Your blog is outstanding; the issue is something that not a lot of people are talking intelligently about it. I’m really happy that I stumbled across this in my search for something relating to this.

  2. It’s a very informative DKIM digital signature post. Some points I didn’t know before. I’m so happy to get all these tips; I will keep them all in mind.

  3. I am glad to find your post. I have a query: the
    PUBLIC KEY or RSA PRIVATE KEY, or placed in cPanel SSH / shell access, because I get this: dkim domainkeys = neutral (no sig).

    Could you please help me?

  4. Thanks for the info.
    Please let me know how I implement this in the cPanel of my Bluehost server.

  5. Suraj and Richard,
    Sorry, but that’s a bit out of our expertise. I only know how to troubleshoot DKIM deliverability problems, not how to implement DKIM. Good luck!

  6. Great post! Thanks for explaining everything so thoroughly — I was kind of confused before I found this post!

  7. There is a big problem with legit email discussion lists and Yahoo!’s implementation of DKIM & DMARC.

    It’s no exaggeration to say this will wreck mailing lists, including ours. We are having to block posting from list members using Yahoo! addresses.

    Our list host emwd.com has implemented some cunning workarounds for Mailman, but they damage the usability of the list.

    See http://www.ietf.org/mail-archive/web/ietf/current/msg87153.html

  8. Hi All,

    I have some issues configuring DKIM. When I send a mail to Yahoo and check the header, I get the following error message: "domainkeys=neutral"

    Authentication-Results: mta1119.mail.ne1.yahoo.com from=bungalow.eu; domainkeys=neutral (no sig); from=bungalow.eu; dkim=pass (ok)
    Received: from 127.0.0.1 (EHLO mail.bungalow.eu) (87.230.58.24)
    by mta1119.mail.ne1.yahoo.com with SMTP; Wed, 11 Jun 2014 11:29:14 +0000
    dkim-signature:v=1; c=relaxed/relaxed; h=from:to:subject:date:message-id:mime-version:content-type;
    d=bungalow.eu; s=mail; a=rsa-sha1;
    bh=WKut09KVySEnRbVL4eNskip/ceI=;
    b=jhUK6L1apOTAkrzYm2BmK9igx+uiSKcJw9/fttWiZWZX8rDPdXyEOmCJdt21BSZ/0
    PzxdcSBZedryzcdDH66V3kr40p+7dPPLrsljEAe4BJBZlAJh4wXS9pp4YVXGfu0kagP
    wJGVrMmQMnX0UcpyITogGt4hR9cClHx14/UNYaY=;

    Could somebody help me?

  9. I have problems with the DKIM signature being reported by an online tester as not valid. I have tried different domains but still to no avail. Can you help?

  10. You make some great points and I don’t think I could have made them any better. Thanks for the good information !

  11. Good info for anyone setting up an email sending server, great for email marketing too.

  12. Hi,
    I have a problem: when I send small HTML content then DKIM is passed, but when I send long HTML then DKIM is neutral. Please help me, anyone, what the problem is.
    Thanks.

  13. I have DKIM set up on our mail server. All online DKIM signature testing tools, and email main players, all verify the received emails with DKIM=PASS… all EXCEPT MICROSOFT (Outlook, Hotmail etc). Always the ones to ‘do things against the tide’. Anyone heard of this before or found a solution? (MS definitely on up for explaining why. I’ve tried!)

  14. Hey, why do we sometimes find two DKIM signatures?
    dkim-signature:v=1; c=relaxed/relaxed; h=from:to:subject:date:message-id:mime-version:content-type;
    d=exemple.com; s=mail; a=rsa-sha1;
    bh=WKut09KVySEnRbVL4eNskip/ceI=;
    b=jhUK6L1apOTAkrzYm2BmK9igx+uiSKcJw9/fttWiZWZX8rDPdXyEOmCJdt21BSZ/0
    PzxdcSBZedryzcdDH66V3kr40p+7dPPLrsljEAe4BJBZlAJh4wXS9pp4YVXGfu0kagP
    wJGVrMmQMnX0UcpyITogGt4hR9cClHx14/UNYaY=;
    dkim-signature:v=1; c=relaxed/relaxed; h=from:to:subject:date:message-id:mime-version:content-type;
    d=exemple1.com; s=mail; a=rsa-sha1;
    bh=WKut09KVySEnRbVL4eNskip/ceI=;
    b=jhUK6L1apOTAkrzYm2BmK9igx+uiSKcJw9/fttWiZWZX8rDPdXyEOmCJdt21BSZ/0
    PzxdcSBZedryzcdDH66V3kr40p+7dPPLrsljEAe4BJBZlAJh4wXS9pp4YVXGfu0kagP
    wJGVrMmQMnX0UcpyITogGt4hR9cClHx14/UNYaY=;
    even though we have one sender.

    1. Hey Amine!
      If you see 2 DKIM signatures, that means that multiple domains are used to send through one single infrastructure. That is why there’s a signature for the child domain referred to in SPF and for the mother domain (probably the service one), which is revealed during sending.

      In most cases it means that the actual domain (example1.com) has to be linked, in terms of domain reputation and recognition, as one infrastructure.
      This approach is commonly used by ESPs to let the ISP know that the infrastructure belongs to the mother domain without an additional reverse lookup. It helps the ISP collect domain-based reputation metrics more precisely. Some ISPs allow collecting postmaster data and FBLs based on the double DKIM signature as a kind of authorization, since it’s relevant for the various domains ESP customers use.

  15. Using Sever 201, and MailEnable. Just cannot get DKIM to work. Has anybody got advice? Thanks in advance.

  16. What if a signature does not contain the “t” and especially the “x” tag?
    When will it expire?

  17. Hi,

    I have created a TXT record in my DNS and saved the public key for DKIM. Now, where do I need to put my private key? Should it be added into the header of the mail message? I am unable to do that. Am I on the wrong track?

  18. Hi Arpit,

    As far as I’m aware, as long as you send from the domain where you’ve set up your DKIM public key, you should be fine!

    Let me know how you get on.

    Cheers!

  19. Hi Arpit

    Assuming you have admin rights on your mail server – the private key is set up on the mail server itself. It is used by the server to form the DKIM signature when it hashes the mail body and headers.

  20. Will DKIM work with third-party email servers? For example, I send all my email through Comcast (labeled as from info@kabusa.com), not the KABUSA server. How do I add the DKIM signature to Outlook? I just cannot fully understand this.

  21. You don’t add it to Outlook. The DKIM signature is added by an outbound mail server. If you’re using a third-party server, then you need to consider setting up a local mail server which supports DKIM, e.g. hMailServer, and then you set it up to relay the outbound mail through the third-party server.

  22. I have a problem with the DKIM_SIGNED header; DKIM_VALID is also present.
    I didn’t do anything for DKIM, so why is this coming up?

    1. Hi Jorge –
      Yes – it’s still a good idea to configure DKIM for a dedicated host server. It’s not something you absolutely need, but it certainly won’t hurt and could help in sending email from the server.
      Thanks for reading!

Comments are closed.