DKIM Signature

What is a DKIM Signature? The Key to Email Authentication


While there are a few different email authentication protocols, only one comes with a super-secret, encrypted digital key. A DKIM signature helps mailbox providers verify you as the sender while preventing phishing attacks known as email spoofing.

Imagine signing an important letter with invisible ink, which makes it clear the message came from you and no one else. That’s essentially what DKIM does. Of course, it’s not quite that simple.

Let’s take a closer look at the protocol that’s officially named DomainKeys Identified Mail.

Why we need DKIM signatures

The opportunity to communicate with people via email is a powerful privilege. Unfortunately, there are cyber criminals out there who want to take advantage of the trust that brands have built with their customers and subscribers.

By impersonating your brand’s emails and web pages, scammers sneak their way into inboxes and trick people into installing malware or giving up sensitive information. That could include bank accounts, credit card numbers, social security numbers, or logins for online accounts. Email spoofing can easily lead to identity theft.

Improving inbox security

Simple Mail Transfer Protocol (SMTP) is the standard used to send emails over the internet. However, SMTP doesn’t include a way to verify a sender before delivering an email. That made it possible for spammers and scammers to fill inboxes with junk and attempt to spoof trustworthy brands.

Over the last couple of decades, authentication protocols have improved email security by connecting information found in an email’s header with records published on the domain name server (DNS) of a sender’s domain.

The DKIM signature represents one of those protocols. It uses a cryptographic signature, produced with a key only the sender holds, to help mailbox providers detect forged sender addresses.

DKIM is actually the combination of DomainKeys, which Yahoo developed, and Cisco’s Identified Internet Mail. The two combined forces in 2004. The DomainKeys portion was designed to verify the DNS domain of an email sender. Identified Internet Mail is the digital signature portion of the specification.

Many major mailbox providers look for DKIM signatures when authenticating emails. That includes Google, Apple Mail, and Outlook.

How does a DKIM signature work?

Like other email authentication methods, DKIM lets senders associate a specific domain with their email messages. Records published on the DNS vouch for an email’s authenticity. However, DKIM has a unique way of doing this: a cryptographic digital signature.

The DomainKeys in DKIM are a key pair: a public key published in a DNS record, and a private key that the sender keeps secret and uses to create the digital signature included in an email’s header. That signature should be unique to the sender and must verify against the public key published on the DNS.

[Figure: How DKIM signatures work]

A DKIM signature lets mail transfer agents (MTAs) know where to retrieve the public key. That key is used to check the signature and so verify the identity of the sender. If the signature verifies against the public key, mailbox providers are more likely to deliver the message to the inbox. If it fails to verify, or if there’s no DKIM signature at all, the email is more likely to be rejected or filtered into spam.

DKIM itself does not filter emails. However, it helps receiving mail servers decide how to best filter incoming messages. A successful DKIM verification often means a reduced spam score for a message.

Failing DKIM authentication may negatively impact email deliverability. For example, Gmail won’t deliver emails that appear to come from a brand like PayPal unless they pass DKIM authentication. That’s because scammers regularly use PayPal’s brand for email spoofing.

How to read a DKIM header

In order to take advantage of DKIM to protect your brand from spoofing and protect your subscribers from scammers, you’ll need to create a DKIM record and place it on your DNS. This may involve getting some help from the IT department and/or your email service provider (ESP).

Wondering what goes into a DKIM record? Here’s an example DKIM signature (recorded as an RFC 2822 header field) for a signed message:

DKIM-Signature: a=rsa-sha1; q=dns;
    d=example.com;
    i=user@eng.example.com;
    s=jun2005.eng; c=relaxed/simple;
    t=1117574938; x=1118006938;
    h=from:to:subject:date;
    b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSb
    av+yuU4zGeeruD00lszZVoG4ZHRNiYzR

Let’s break down the DKIM header piece by piece. Each “tag” is associated with a value that contains information about the sender.

Tags in a DKIM header

  • b = the actual digital signature of the contents (headers and body) of the mail message (required)
  • bh = the body hash (required)
  • d = the signing domain (required)
  • s = the selector (required)
  • v = the version (required)
  • a = the signing algorithm (required)
  • c = the canonicalization algorithm(s) for header and body
  • q = the default query method
  • l = the length of the canonicalized part of the body that has been signed
  • t = the signature timestamp
  • x = the expire time
  • h = the list of signed header fields, repeated for fields that occur multiple times (required)

NOTE: Tags marked (required) must be present. DKIM signatures that are missing these tags will produce an error during verification.

We can see from this DKIM header that:

  1. The digital signature is dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR.
    This signature is checked against the public key published at the signing domain.
  2. The body hash is not listed.
  3. The signing domain is example.com.
    This is the domain that sent (and signed) the message.
  4. The selector is jun2005.eng.
  5. The version is not listed.
  6. The signing algorithm is rsa-sha1.
    This is the algorithm used to generate the signature.
  7. The canonicalization algorithm(s) for header and body are relaxed/simple.
  8. The default query method is DNS.
    This is the method used to look up the key on the signing domain.
  9. The length of the canonicalized part of the body that has been signed is not listed.
    The signer can hash the entire body or only a leading portion of it; that length would be listed here. Leaving the tag out, as here, means the whole body is covered, which is the safer choice: anything appended after a partially signed body is not protected by the signature.
  10. The signature timestamp is 1117574938.
    This is when it was signed.
  11. The expire time is 1118006938.
    Because an already signed email could be replayed later with its signature still intact, signatures can be given an expiry.
  12. The list of signed header fields includes from:to:subject:date.
    This is the list of fields that have been “signed” to verify that they have not been modified.
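To make the tag breakdown and the verification flow described above concrete, here is an added Python example (not code from this article or from Email on Acid) that parses a DKIM-Signature field into its tags, reports which required tags are missing, derives the DNS name where a verifier fetches the public key, checks the x= expiry, and computes the bh= body hash under simple canonicalization. It uses the article’s example header as a constructed input; the RSA check of b= itself needs the public key from DNS and is left out.

```python
import base64
import hashlib
import re
import time

# Tags that RFC 6376 section 3.5 makes mandatory in every DKIM-Signature field.
REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")


def parse_dkim_signature(field_value):
    """Split a DKIM-Signature value into a tag -> value dict.
    Whitespace inside a value (a folded b= tag, for instance) is dropped,
    as a verifier does before base64-decoding it."""
    tags = {}
    for part in field_value.split(";"):
        if "=" not in part:
            continue  # empty segment after a trailing ';'
        name, value = part.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def missing_required_tags(tags):
    """Names of mandatory tags absent from the parsed signature."""
    return [t for t in REQUIRED_TAGS if t not in tags]


def public_key_dns_name(tags):
    """TXT record a verifier queries for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def is_expired(tags, now=None):
    """x= is optional; a signature without it never expires.
    t= and x= are seconds since the Unix epoch."""
    if "x" not in tags:
        return False
    now = int(time.time()) if now is None else now
    return now >= int(tags["x"])


def simple_body_hash(body, algo="sha256"):
    """bh= under 'simple' body canonicalization: CRLF line endings and all
    trailing empty lines collapsed to exactly one CRLF, then base64(hash)."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    body = body.rstrip("\r\n") + "\r\n"
    return base64.b64encode(hashlib.new(algo, body.encode()).digest()).decode()


# Constructed sample: the article's example signature, with the b= value folded
# across two lines as it is in the article. It has no v= or bh= tag.
ARTICLE_EXAMPLE = ("a=rsa-sha1; q=dns; d=example.com; i=user@eng.example.com; "
                   "s=jun2005.eng; c=relaxed/simple; t=1117574938; x=1118006938; "
                   "h=from:to:subject:date; b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSb\r\n"
                   "    av+yuU4zGeeruD00lszZVoG4ZHRNiYzR")
```

Running `missing_required_tags(parse_dkim_signature(ARTICLE_EXAMPLE))` returns `['v', 'bh']`, which is exactly why a modern verifier would reject this example before looking at the signature bytes.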

That’s a lot of technical info, we know. Luckily, there are tools that help email marketers generate DKIM records. If you’re working with one of Pathwire’s Email Deliverability Experts, you’ll get hands-on help setting up email authentication correctly. In fact, Mailgun by Pathwire requires a verified DKIM key before domains start sending from the platform.


Concerned about email deliverability?

Check out our email deliverability guide! Learn the ins and outs of how to stay out of spam folders and make sure your campaigns make it into your subscribers’ inboxes.

DKIM vs. SPF

A close cousin to DKIM is Sender Policy Framework (SPF). The two protocols authenticate senders and help prevent email spoofing in different ways.

While DKIM provides keys authenticating a sender, an SPF record contains an official list of domains/servers that are authorized to send email on behalf of a particular domain. This would include your ESP. So, it’s important to update your SPF record when you switch ESPs. If a domain that’s not in your SPF tries to send email from your brand, mailbox providers may reject it or send it to the junk folder.

Both SPF and DKIM have strengths and weaknesses. For example, a downside of SPF is that it breaks during email forwarding. But the DKIM signature does not. A DKIM signature can be faked, however, which is why it’s best practice to change or rotate your keys on a consistent basis – at least once or twice per year.

The good news is you don’t have to choose between SPF vs DKIM. These protocols are not competitors. In fact, your email authentication will be stronger if you use them both.

Once you have DKIM and SPF in place, a DMARC policy tells mailbox providers what to do with emails that fail authentication. And, once you have DMARC working, you can implement BIMI.

That’s like the icing on the cake. BIMI adds your brand’s logo next to messages in the inbox. So, subscribers have a visual cue letting them know the email can be trusted.

How to verify a DKIM signature

DNS records and DKIM signatures can get complicated. If you want to be sure your email authentication protocols are set up correctly, there are online tools that can help verify that.

Here are a few tools to try for DKIM verification:

When you use Email on Acid’s standalone Spam Testing (legacy), there is an option to run tests that check to see if your emails will pass SPF and DKIM authentication. (Not currently available with Campaign Precheck)

You can also test DKIM by sending an email to a Gmail account. Open the email in the Gmail web app, click on the down arrow next to the “reply” button (top right of email), and select “show original.” In the original, if you see “signed-by: your domain name” then your DKIM signature is good.

Improve deliverability before you hit send

There are a lot of good reasons to implement email authentication protocols. At the top of the list is improving deliverability. Without email authentication in place, mailbox providers are more likely to filter your messages into junk mail and spam folders.

With Email on Acid, you’ll get email deliverability insights before you hit send. That’s way better than finding out your campaign was marked as spam after you’ve already launched it. Validate your email against more than 20 popular spam filters and monitor blocklists using our state-of-the-art email pre-deployment platform.

Beyond deliverability, Email on Acid helps marketers run content checks, improve accessibility, and preview campaigns on 90+ email clients and devices. Take advantage of our free trial and start delivering email perfection!

Improve Deliverability to Hit More Inboxes!

Nothing ruins a polished email’s ROI potential like a trip to the spam folder. Run a Spam Test right within your Campaign Precheck workflow so you can land in more inboxes and increase email ROI. With Email on Acid, you can check your email against 23 of the most popular spam filters and your domain against the most popular blocklists before you hit “send”. Sign up for a free trial and try it out today.


Author: The Email on Acid Team

The Email on Acid content team is made up of digital marketers, content creators, and straight-up email geeks.

Connect with us on LinkedIn, follow us on Facebook, and tweet at @EmailonAcid on Twitter for more sweet stuff and great convos on email marketing.


30 thoughts on “What is a DKIM Signature? The Key to Email Authentication”

  1. Fantastic blog! I’m impressed, I must say. Really rarely do I encounter a blog that’s both informative and entertaining, and let me tell you, you have hit the nail on the head. Your blog is outstanding; the issue is something that not a lot of people are talking intelligently about it. I’m really happy that I stumbled across this in my search for something relating to this.

  2. It’s a very informative DKIM digital signature post. Some points I didn’t know before. I’m so happy to get all these tips; I will keep them all in mind.

  3. I am glad to find your post. I have a query: should the PUBLIC KEY or the RSA PRIVATE KEY be placed in cPanel SSH / Shell Access? Because I get this: dkim domainkeys = neutral (no sig)

    Can you please help me?

  4. Suraj and Richard,
    Sorry, but that’s a bit out of our expertise. I only know how to troubleshoot DKIM deliverability problems, not how to implement DKIM. Good luck!

  5. Great post! Thanks for explaining everything so thoroughly — I was kind of confused before I found this post!

  6. There is a big problem with legit email discussion lists and Yahoo!’s implementation of DKIM & DMARC.

    It’s no exaggeration to say this will wreck mailing lists, including ours. We are having to block posting from list members using Yahoo! addresses.

    Our list host emwd.com has implemented some cunning workarounds for Mailman, but they damage the usability of the list.

    See http://www.ietf.org/mail-archive/web/ietf/current/msg87153.html

  7. Hi All,

    I have some issues configuring DKIM. When I send a mail to Yahoo and check the header, I get the following error message: “domainkeys=neutral”

    Authentication-Results: mta1119.mail.ne1.yahoo.com from=bungalow.eu; domainkeys=neutral (no sig); from=bungalow.eu; dkim=pass (ok)
    Received: from 127.0.0.1 (EHLO mail.bungalow.eu) (87.230.58.24)
    by mta1119.mail.ne1.yahoo.com with SMTP; Wed, 11 Jun 2014 11:29:14 +0000
    dkim-signature:v=1; c=relaxed/relaxed; h=from:to:subject:date:message-id:mime-version:content-type;
    d=bungalow.eu; s=mail; a=rsa-sha1;
    bh=WKut09KVySEnRbVL4eNskip/ceI=;
    b=jhUK6L1apOTAkrzYm2BmK9igx+uiSKcJw9/fttWiZWZX8rDPdXyEOmCJdt21BSZ/0
    PzxdcSBZedryzcdDH66V3kr40p+7dPPLrsljEAe4BJBZlAJh4wXS9pp4YVXGfu0kagP
    wJGVrMmQMnX0UcpyITogGt4hR9cClHx14/UNYaY=;

    Could somebody help me?

  8. I have problems with the DKIM signature being reported by an online tester as not valid. I have tried different domains but still to no avail. Can you help?

  9. You make some great points and I don’t think I could have made them any better. Thanks for the good information!

  10. Good info for anyone setting up an email sending server, great for email marketing too.

  11. Hi,
    I have a problem: when I send small HTML content then DKIM passes, but when I send long HTML then DKIM is neutral. Please, can anyone help me with what the problem is?
    Thanks.

  12. I have DKIM set up on our mail server. All online DKIM signature testing tools, and the main email players, all verify the received emails with DKIM=PASS... all EXCEPT MICROSOFT (Outlook, Hotmail etc). Always the ones to ‘do things against the tide’. Anyone heard of this before or found a solution? (MS definitely not up for explaining why. I’ve tried!)

  13. Hey, why do we sometimes find two DKIM signatures?
    dkim-signature:v=1; c=relaxed/relaxed; h=from:to:subject:date:message-id:mime-version:content-type;
    d=exemple.com; s=mail; a=rsa-sha1;
    bh=WKut09KVySEnRbVL4eNskip/ceI=;
    b=jhUK6L1apOTAkrzYm2BmK9igx+uiSKcJw9/fttWiZWZX8rDPdXyEOmCJdt21BSZ/0
    PzxdcSBZedryzcdDH66V3kr40p+7dPPLrsljEAe4BJBZlAJh4wXS9pp4YVXGfu0kagP
    wJGVrMmQMnX0UcpyITogGt4hR9cClHx14/UNYaY=;
    dkim-signature:v=1; c=relaxed/relaxed; h=from:to:subject:date:message-id:mime-version:content-type;
    d=exemple1.com; s=mail; a=rsa-sha1;
    bh=WKut09KVySEnRbVL4eNskip/ceI=;
    b=jhUK6L1apOTAkrzYm2BmK9igx+uiSKcJw9/fttWiZWZX8rDPdXyEOmCJdt21BSZ/0
    PzxdcSBZedryzcdDH66V3kr40p+7dPPLrsljEAe4BJBZlAJh4wXS9pp4YVXGfu0kagP
    wJGVrMmQMnX0UcpyITogGt4hR9cClHx14/UNYaY=;
    even though we have 1 sender

    1. Hey Amine!
      If you see 2 DKIM signatures, that means that multiple domains are used to send through one single infrastructure; that is why there’s a signature for the child domain referred to in SPF and for the mother domain (probably the service one), which is revealed during sending.

      In most cases it means that the actual domain (example1.com) has to be linked, in terms of domain reputation and recognition, as one infrastructure.
      This approach is commonly used by ESPs to let the ISP know that the infrastructure belongs to the mother domain without an additional reverse lookup. It helps the ISP collect domain-based reputation metrics more precisely. Some ISPs allow collecting postmaster data and FBLs based on the double DKIM signature as a kind of authorization, since it’s relevant for the various domains ESP customers use.

  14. Using Server 201, and MailEnable. Just cannot get DKIM to work. Has anybody got advice? Thanks in advance.

  15. What if a signature does not contain the “t” and especially the “x” tag?
    When will it expire?

  16. Hi,

    I have created a TXT record in my DNS and saved the public key for DKIM. Now, where do I need to put my private key? Should it be added into the header of the mail message? I am unable to do that. Am I going the wrong way?

  17. Hi Arpit,

    As far as I’m aware, as long as you send from the domain where you’ve set up your DKIM public key, you should be fine!

    Let me know how you get on.

    Cheers!

  18. Hi Arpit

    Assuming you have admin rights on your mail server – the private key is set up on the mail server itself. It is used by the server to form the DKIM signature when it hashes the mail body and headers.

  19. Will DKIM work with third-party email servers? For example, I send all my email through Comcast (labeled as from info@kabusa.com), not the KABUSA server. How do I add the DKIM signature to Outlook? I just cannot fully understand this.

  20. You don’t add it to Outlook. The DKIM signature is added by an outbound mail server. If you’re using a third-party server, then you need to consider setting up a local mail server which supports DKIM, e.g. hMailServer, and then you set it up to relay the outbound mail through the third-party server.

  21. I have a problem with the DKIM_SIGNED header; the DKIM_VALID header is present.
    I didn’t do anything for DKIM, so why is this coming up?

    1. Hi Jorge –
      Yes – it’s still a good idea to configure DKIM for a dedicated host server. It’s not something you absolutely need, but it certainly won’t hurt and could help in sending email from the server.
      Thanks for reading!

Comments are closed.