What is DKIM? Everything You Need to Know About Digital Signatures

Email On Acid

DomainKeys Identified Mail (DKIM) allows senders to associate a domain name with an email message, thus vouching for its authenticity.

This is done by "signing" the email with a digital signature, a field that is added to the message's header. The signature is generated by the sending mail transfer agent (MTA): it applies a hash algorithm to the content of the signed fields, producing a unique string of characters, the "hash value," and then signs that hash with the domain's private key. The public key that corresponds to the signing key is published in DNS at the listed domain. After receiving the email, the recipient MTA verifies the DKIM signature by retrieving the signer's public key through DNS. It uses that key to recover the hash value from the signature in the email's header and, at the same time, recalculates the hash value of the message it received. If the two match, the email has not been altered. This gives recipients some assurance that the email did originate from the listed domain and that it has not been modified since it was sent.

Does DKIM filter email?

No, it doesn't. It does aid filters that have been set up by the receiving domain because of the information it provides. For instance, if the email is from a trusted domain and is successfully verified through DKIM, the email may have its spam score reduced. If the email's DKIM signature cannot be verified (because the email was faked or for another reason), the email might be marked as spam and either be quarantined or have a spam tag added to the subject line (to warn recipients that the email is suspect). Gmail, for instance, does not deliver emails from eBay.com or Paypal.com if the DKIM signature cannot be successfully verified, because of the high likelihood that the email is a phishing attack.

How can I test my DKIM?

As part of our spam testing suite, we offer DKIM testing.

You can also test DKIM by sending an email to a Gmail account. Open the email in the Gmail web app, click on the down arrow next to the "Reply" button (top right of email), and select "show original." In the original, if you see "signed-by: your domain name" then your DKIM signature is good.

What result do I want from DKIM?

For the most part, DKIM is binary. Either it is working and your signature can be verified (see "pass" below) or there is some kind of problem. If your signature is working, there's no need to read any further. If you're experiencing errors, the following section may help you diagnose the problem.

How can I read the DKIM header?

Here is an example DKIM signature (recorded as an RFC 2822 header field) for the signed message. It is the sample from the original DKIM specification, RFC 4871, so it omits the v= and bh= tags that current signers always include:

    DKIM-Signature: a=rsa-sha1; q=dns;
        d=example.com;
        i=user@eng.example.com;
        s=jun2005.eng; c=relaxed/simple;
        t=1117574938; x=1118006938;
        h=from:to:subject:date;
        b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSb
          av+yuU4zGeeruD00lszZVoG4ZHRNiYzR

Let's take this piece by piece to see what it means. Each "tag" is associated with a value.

  • b = the actual digital signature of the contents (headers and body) of the mail message
  • bh = the body hash
  • d = the signing domain
  • s = the selector
  • v = the version
  • a = the signing algorithm
  • c = the canonicalization algorithm(s) for header and body
  • q = the default query method
  • l = the length of the canonicalized part of the body that has been signed
  • t = the signature timestamp
  • x = the expire time
  • h = the list of signed header fields, repeated for fields that occur multiple times

We can see from this email that:

  • The digital signature is dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR.
    This signature is verified using the public key published at the sender's domain.
  • The body hash is not listed.
  • The signing domain is example.com.
    This is the domain that sent (and signed) the message.
  • The selector is jun2005.eng.
  • The version is not listed.
  • The signing algorithm is rsa-sha1.
    This is the algorithm used to generate the signature.
  • The canonicalization algorithm(s) for header and body are relaxed/simple.
  • The default query method is DNS.
    This is the method used to look up the key on the signing domain.
  • The length of the canonicalized part of the body that has been signed is not listed.
    The signer can hash the entire body or only the first part of it; if only part was hashed, the number of bytes covered is listed here. Anything after that length is not covered by the signature, which is why most signers omit this tag and sign the whole body.
  • The signature timestamp is 1117574938.
    This is when it was signed.
  • The expire time is 1118006938.
    Because an already signed email could be replayed later with its original signature intact, signatures can be set to expire.
  • The list of signed header fields includes from:to:subject:date.
    This is the list of fields that have been "signed" to verify that they have not been modified.
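The tag-by-tag reading above, and the hash-and-compare description of verification earlier in the article, can be turned into the first half of a DKIM verifier. The following is an added example written for this page, not code from Email on Acid or from any DKIM library. It parses the tag list, applies the simple and relaxed body canonicalizations from RFC 6376, recomputes the body hash (bh=) and checks the t=/x= timestamps, stopping at the point where the b= value would have to be checked against the public key (an RSA operation this example leaves to a crypto library). The sample header is the article's own example, unfolded onto one line; the DNS name it prints for the public key (selector._domainkey.domain) is the location RFC 6376 defines.

```python
import base64
import hashlib
import re
import time

# The DKIM-Signature value from the article's example, as a parser sees it once the
# folded header lines are unfolded (constructed here; it is the RFC 4871 sample, so it
# has no v= or bh= tag, which matters below).
EXAMPLE_SIGNATURE = (
    "a=rsa-sha1; q=dns; d=example.com; i=user@eng.example.com; "
    "s=jun2005.eng; c=relaxed/simple; t=1117574938; x=1118006938; "
    "h=from:to:subject:date; "
    "b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSb av+yuU4zGeeruD00lszZVoG4ZHRNiYzR"
)


def parse_tags(header_value):
    """Split a DKIM-Signature value into a {tag: value} dict.

    The value is a ';'-separated tag=value list (RFC 6376 section 3.2). Folding
    whitespace is legal inside values such as b= and bh=, so all whitespace is dropped
    from every value; none of the tags in the article carry meaningful internal spaces.
    """
    tags = {}
    for item in header_value.split(";"):
        if not item.strip():
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError("malformed tag=value pair: %r" % item)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body(body, mode="simple"):
    """Body canonicalization from RFC 6376 section 3.4.3 (simple) and 3.4.4 (relaxed).

    Both strip trailing empty lines and make the body end in CRLF. 'relaxed' also
    removes trailing whitespace on each line and collapses runs of spaces/tabs to one
    space. An empty body canonicalizes to CRLF under simple and to nothing under
    relaxed. The body is assumed to use CRLF line endings, as it does on the wire.
    """
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t") for line in lines]
    elif mode != "simple":
        raise ValueError("unknown body canonicalization: %r" % mode)
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body, mode="simple", algorithm="rsa-sha256", length=None):
    """Compute the bh= tag: base64 of the digest of the canonicalized body.

    'length' models the l= tag: only that many octets of the canonicalized body are
    hashed, so anything after it is not covered by the signature.
    """
    if algorithm == "rsa-sha1":
        digest = hashlib.sha1
    elif algorithm in ("rsa-sha256", "ed25519-sha256"):
        digest = hashlib.sha256
    else:
        raise ValueError("unsupported a= algorithm: %r" % algorithm)
    canonical = canonicalize_body(body, mode)
    if length is not None:
        canonical = canonical[:length]
    return base64.b64encode(digest(canonical).digest()).decode()


def check_signature_header(header_value, body, now=None):
    """Run the checks a verifier performs before touching any public key.

    Returns a short string in the article's result vocabulary: 'permerror' for a
    malformed or expired signature, 'fail' when the body hash does not match, and
    'body-ok' when the only step left is checking b= against the d=/s= public key.
    """
    tags = parse_tags(header_value)
    for required in ("a", "b", "d", "s", "h"):
        if required not in tags:
            return "permerror: missing %s= tag" % required
    now = int(time.time()) if now is None else now
    if "x" in tags and int(tags["x"]) < now:
        return "permerror: signature expired at x=%s" % tags["x"]
    if "t" in tags and "x" in tags and int(tags["x"]) < int(tags["t"]):
        return "permerror: x= is earlier than t="
    if "bh" not in tags:
        # Required by RFC 6376; the article's RFC 4871 sample predates that rule.
        return "permerror: missing bh= tag"
    _, _, body_mode = tags.get("c", "simple/simple").partition("/")
    length = int(tags["l"]) if "l" in tags else None
    computed = body_hash(body, body_mode or "simple", tags["a"], length)
    if computed != tags["bh"]:
        return "fail: body hash mismatch (bh=%s, computed %s)" % (tags["bh"], computed)
    return "body-ok: now verify b= with the public key at %s._domainkey.%s" % (tags["s"], tags["d"])


if __name__ == "__main__":
    print(check_signature_header(EXAMPLE_SIGNATURE, b"Hello\r\n", now=1117574938))
    # A constructed message whose bh= is computed for its own body, then the same
    # header over a modified body, which is what a 'fail' result looks like.
    body = b"Hi there\r\n\r\n\r\n"
    signed = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel; "
              "h=from:to; bh=%s; b=AAAA" % body_hash(body, "relaxed"))
    print(check_signature_header(signed, body, now=0))
    print(check_signature_header(signed, b"Hi there, tampered\r\n", now=0))
```

Run against the article's own header, the function reports a permanent error because bh= is absent, which is exactly what a modern verifier would say about that RFC 4871 sample; with a time after x= it reports the signature as expired first. A signature with no x= tag simply never expires under this logic, which is the RFC's behaviour too.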

What do the results of my EOA DKIM test mean?

The possible results for your DKIM test are:

  • pass = 'The message was signed, the signature or signatures were acceptable, and the signature(s) passed verification tests.'
    This is the result you want to see. Everything worked perfectly.
  • fail = 'The message was signed and the signature or signatures were acceptable, but they failed the verification test(s).'
    This means that the message carried a signature, and the signature was well formed, but it could not be verified with the sending domain's public key. This probably means the message was modified somewhere along the way.
  • none = 'The message was not signed'
    This means that the message had no DKIM signature. This is not the same as failing.
  • policy = 'The message was signed but the signature or signatures were not acceptable.'
    DKIM can be configured to be more or less stringent in what is an acceptable match. A "policy" error means that the message was signed and correctly formed, but didn't meet the policy requirements of the recipient.
  • neutral = 'The message was signed but the signature or signatures contained syntax errors or were not otherwise able to be processed.'
    The message was signed, but it was not formed correctly. This is possibly a configuration error on the sending domain side.
  • temperror = 'The message could not be verified due to some error that is likely transient in nature, such as a temporary inability to retrieve a public key. A later attempt may produce a final result.'
    This error indicates that there was a short-term problem verifying the signature. Feel free to try again. Repeated problems with this may indicate a DNS or lookup failure on the sending domain.
  • permerror = 'The message could not be verified due to some error that is unrecoverable, such as a required header field being absent. A later attempt is unlikely to produce a final result.'
    The signature (or some part of it) was missing from the received message, which caused a failure. This indicates that either the header was formed incorrectly or it was modified after being sent.
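These result words are the ones receivers write into the Authentication-Results header (RFC 8601), which is where a tester or a mail administrator actually reads them. The following added example, written for this page rather than taken from Email on Acid or any mail server, parses that header into its authserv-id and per-method results and maps each dkim= result to the handling described above. The first sample value is the Yahoo header a commenter quotes further down this page; the other samples are constructed, and the "disposition" strings are this example's own summary of the article's text, not a standard.

```python
import re

# Authentication-Results header values (RFC 8601). The first is the one a commenter
# on this page quoted from Yahoo; the remaining lines are constructed for this example.
SAMPLES = [
    "mta1119.mail.ne1.yahoo.com from=bungalow.eu; domainkeys=neutral (no sig); "
    "from=bungalow.eu; dkim=pass (ok)",
    "mx.example.net; dkim=fail (body hash did not verify) header.d=example.com; "
    "spf=pass smtp.mailfrom=example.com",
    "mx.example.net; dkim=none",
    "mx.example.net; dkim=temperror (DNS lookup timed out) header.d=example.com",
    "mx.example.net; dkim=permerror (missing required tag bh=) header.d=example.com",
]

# Methods recognised in a result clause; anything else (such as Yahoo's bare
# "from=domain" clause in the first sample) is skipped rather than misread as a result.
KNOWN_METHODS = {"dkim", "domainkeys", "spf", "dmarc", "arc", "iprev", "auth"}

# method=result, an optional "(comment)", then property=value pairs such as header.d=.
CLAUSE_RE = re.compile(r"^(?P<method>[a-z-]+)=(?P<result>[a-z]+)\s*(?:\((?P<comment>[^)]*)\))?")
PROP_RE = re.compile(r"(?P<ptype>\w+)\.(?P<pname>\w+)=(?P<value>[^\s;]+)")

# The article's result vocabulary, reduced to what a receiving filter can do with it.
DISPOSITION = {
    "pass": "accept (signature verified; the spam score may be lowered)",
    "fail": "suspect (signed but altered or key mismatch; score up or quarantine per policy)",
    "none": "no signal (unsigned; neither a pass nor a failure)",
    "policy": "suspect (signature present but rejected by the receiver's local policy)",
    "neutral": "suspect (malformed signature; likely a sender configuration error)",
    "temperror": "defer (transient lookup failure; retry later)",
    "permerror": "suspect (unrecoverable error such as a missing required tag)",
}


def parse_authentication_results(value):
    """Parse one Authentication-Results value into its authserv-id and result clauses."""
    head, _, rest = value.partition(";")
    authserv_id = head.split()[0]
    results = []
    for clause in rest.split(";"):
        clause = clause.strip()
        match = CLAUSE_RE.match(clause)
        if not match or match.group("method") not in KNOWN_METHODS:
            continue
        props = {
            "%s.%s" % (p.group("ptype"), p.group("pname")): p.group("value")
            for p in PROP_RE.finditer(clause[match.end():])
        }
        results.append({
            "method": match.group("method"),
            "result": match.group("result"),
            "comment": match.group("comment"),
            "props": props,
        })
    return {"authserv_id": authserv_id, "results": results}


def dkim_summary(value):
    """Return (result, signing domain, disposition) for every dkim= clause in the header.

    The signing domain comes from the header.d property when the receiver recorded it;
    a message can carry several DKIM signatures, so several tuples may come back.
    """
    parsed = parse_authentication_results(value)
    return [
        (r["result"], r["props"].get("header.d"), DISPOSITION.get(r["result"], "unknown result"))
        for r in parsed["results"]
        if r["method"] == "dkim"
    ]


if __name__ == "__main__":
    for sample in SAMPLES:
        parsed = parse_authentication_results(sample)
        for result, domain, disposition in dkim_summary(sample):
            print("%s: dkim=%s d=%s -> %s" % (parsed["authserv_id"], result, domain, disposition))
```

Note that only the authserv-id at the front tells you which receiver produced the verdict; a spam filter should trust an Authentication-Results header only when that id is its own, since anything earlier in the delivery path could have written one.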

"If you're havin' DKIM problems I feel bad for you, son..."

Personally, I have just shy of 100 problems, but none of them are DKIM related. Are YOU having DKIM problems? Let us know in the comments below (or jump on our forum) and we'll try to help!

Don't guess, test

Just like making any other changes to your email, making changes to your DKIM signature or modifying how you send emails at all can have an adverse effect on your email rendering. That's why we offer you 7 days free with Email on Acid, start testing today!


About the Author

John Thies

John is the man behind the scenes who makes sure everything is running smoothly. He loves all things technology, from programming to tinkering with mobile devices to reading the latest issue of Wired magazine.

Join the Discussion

Thanks for sharing such useful information.
signoirty
Fantastic blog! I'm impressed, I must say. Really rarely do I encounter a blog that's both informative and entertaining, and let me tell you, you have hit the nail on the head. Your blog is outstanding; the issue is something that not a lot of people are talking intelligently about. I'm really happy that I stumbled across this in my search for something relating to this.
Digital Signature Certificate
It's very informative about the DKIM digital signature... some points I didn't know before... I'm so happy to get all these tips, I will keep them all in mind...
Dubai Digital agency dubai
I am glad to find your post. I have a query: where should the PUBLIC KEY or RSA PRIVATE KEY be placed in cPanel SSH / Shell Access? Because I get this: dkim domainkeys = neutral (no sig)

Can you please help me?
Richard
Thanks for the info.
Please let me know how I implement this in my cPanel on a Bluehost server...
Suraj
Suraj and Richard,
Sorry, but that's a bit out of our expertise. I only know how to troubleshoot DKIM deliverability problems, not how to implement DKIM. Good luck!
Geoff Phillips
Great post! Thanks for explaining everything so thoroughly -- I was kind of confused before I found this post!
Amber
There is a big problem with legit email discussion lists and Yahoo!'s implementation of DKIM & DMARC.

It's no exaggeration to say this will wreck mailing lists, including ours. We are having to block posting from list members using Yahoo! addresses.

Our list host emwd.com has implemented some cunning workarounds for Mailman, but they damage the usability of the list.

See http://www.ietf.org/mail-archive/web/ietf/current/msg87153.html
Tony Sleep
Hi All,

I have some issues configuring DKIM. When I send a mail to Yahoo and check the header, I get the following error message: "domainkeys=neutral"

Authentication-Results: mta1119.mail.ne1.yahoo.com from=bungalow.eu; domainkeys=neutral (no sig); from=bungalow.eu; dkim=pass (ok)
Received: from 127.0.0.1 (EHLO mail.bungalow.eu) (87.230.58.24)
by mta1119.mail.ne1.yahoo.com with SMTP; Wed, 11 Jun 2014 11:29:14 +0000
dkim-signature:v=1; c=relaxed/relaxed; h=from:to:subject:date:message-id:mime-version:content-type;
d=bungalow.eu; s=mail; a=rsa-sha1;
bh=WKut09KVySEnRbVL4eNskip/ceI=;
b=jhUK6L1apOTAkrzYm2BmK9igx+uiSKcJw9/fttWiZWZX8rDPdXyEOmCJdt21BSZ/0
PzxdcSBZedryzcdDH66V3kr40p+7dPPLrsljEAe4BJBZlAJh4wXS9pp4YVXGfu0kagP
wJGVrMmQMnX0UcpyITogGt4hR9cClHx14/UNYaY=;

Could somebody help me?
Istvan Lokodi
I have problems with the DKIM signature being reported by an online tester as not valid. I have tried different domains but still to no avail. Can you help?
rob
You make some great points and I don't think I could have made them any better. Thanks for the good information !
digital signature FAQ
Good info for anyone setting up an email sending server, great for email marketing too.
Email Marketing Dude
Hi,
I have a problem: when I send small HTML content then DKIM is passed, but when I send long HTML then DKIM is neutral. Please help me, anyone, what is the problem with this?
Thanks..
Vinay Saini
Great post! There's some really great information here. Thanks so much for sharing!
Jacob Neal
I have DKIM set up on our mail server. All online DKIM signature testing tools, and email main players, all verify the received emails with DKIM=PASS.....all EXCEPT MICROSOFT (outlook, hotmail etc). Always the ones to 'do things against the tide'. Anyone heard of this before or found a solution? (MS definitely on up for explaining why. I've tried!)
jimimaseye
Hey, why do we sometimes find two DKIM signatures?
dkim-signature:v=1; c=relaxed/relaxed; h=from:to:subject:date:message-id:mime-version:content-type;
d=exemple.com; s=mail; a=rsa-sha1;
bh=WKut09KVySEnRbVL4eNskip/ceI=;
b=jhUK6L1apOTAkrzYm2BmK9igx+uiSKcJw9/fttWiZWZX8rDPdXyEOmCJdt21BSZ/0
PzxdcSBZedryzcdDH66V3kr40p+7dPPLrsljEAe4BJBZlAJh4wXS9pp4YVXGfu0kagP
wJGVrMmQMnX0UcpyITogGt4hR9cClHx14/UNYaY=;
dkim-signature:v=1; c=relaxed/relaxed; h=from:to:subject:date:message-id:mime-version:content-type;
d=exemple1.com; s=mail; a=rsa-sha1;
bh=WKut09KVySEnRbVL4eNskip/ceI=;
b=jhUK6L1apOTAkrzYm2BmK9igx+uiSKcJw9/fttWiZWZX8rDPdXyEOmCJdt21BSZ/0
PzxdcSBZedryzcdDH66V3kr40p+7dPPLrsljEAe4BJBZlAJh4wXS9pp4YVXGfu0kagP
wJGVrMmQMnX0UcpyITogGt4hR9cClHx14/UNYaY=;
even though we have 1 sender
amine mkou
Using Sever 201, and MailEnable. Just cannot get DKIM to work. Has anybody got advice? Thanks in advance.
Jof Davies
What if a signature does not contain the "t" and especially the "x" tag?
When will it expire?
akatsuki
Hi,

I have created a TXT record in my DNS and saved the public key for DKIM. Now, where do I need to put my private key? Should it be added to the header of the mail message? I am unable to do that. Am I going the wrong way?
Arpit Sharma
Hi Arpit,

As far as I'm aware, as long as you send from the domain where you've set up your DKIM public key, you should be fine!

Let me know how you get on.

Cheers!
Alex Ilhan
@Alex, so that means there is no need to use private keys anywhere?
Arpit Sharma
Hi Arpit

Assuming you have admin rights on your mail server - the private key is set up on the mail server itself. It is used by the server to form the DKIM signature when it hashes the mail body and headers.
Timothy Dutton
Thanks Timothy, I think I have got it so far. I will try this and will thank you again.
Arpit Sharma
Will DKIM work with third-party email servers? For example, I send all my email through Comcast (labeled as from [email address not shown]), not the KABUSA server. How do I add the DKIM signature to Outlook? I just cannot fully understand this.
kevin
You don't add it to Outlook. The DKIM signature is added by an outbound mail server. If you're using a third-party server, then you need to consider setting up a local mail server which supports DKIM, e.g. hmailserver, and then you set it up to relay the outbound mail through the third-party server.
Timothy Dutton
I have a problem with the DKIM_SIGNED header, and the DKIM_VALID header is present.
I didn't do anything for DKIM, so why is this coming?
sherin