What is a DKIM Signature? The Key to Email Authentication
While there are a few different email authentication protocols, only one comes with a super-secret, encrypted digital key. A DKIM signature helps mailbox providers verify you as the sender while preventing phishing attacks known as email spoofing.
Imagine signing an important letter with invisible ink, which makes it clear the message came from you and no one else. That’s essentially what DKIM does. Of course, it’s not quite that simple.
Let’s take a closer look at the protocol that’s officially named DomainKeys Identified Mail.
Why we need DKIM signatures
The opportunity to communicate with people via email is a powerful privilege. Unfortunately, there are cyber criminals out there who want to take advantage of the trust that brands have built with their customers and subscribers.
By impersonating your brand’s emails and web pages, scammers sneak their way into inboxes and trick people into installing malware or giving up sensitive information. That could include bank accounts, credit card numbers, social security numbers, or logins for online accounts. Email spoofing can easily lead to identity theft.
Improving inbox security
Simple Mail Transfer Protocol (SMTP) is the standard used to send emails over the internet. However, SMTP doesn’t include a way to verify a sender before delivering an email. That made it possible for spammers and scammers to fill inboxes with junk and attempt to spoof trustworthy brands.
Over the last couple of decades, authentication protocols have improved email security by connecting information found in an email’s header with records published on the domain name server (DNS) of a sender’s domain.
The DKIM signature represents one of those protocols. It uses an encrypted key to help mailbox providers detect forged sender addresses.
DKIM is actually the combination of DomainKeys, which Yahoo developed, and Cisco’s Identified Internet Mail. The two combined forces in 2004. The DomainKeys portion was designed to verify the DNS domain of an email sender. Identified Internet Mail is the digital signature portion of the specification.
Many major mailbox providers look for DKIM signatures when authenticating emails. That includes Google, Apple Mail, and Outlook.
How does a DKIM signature work?
Like other email authentication methods, DKIM lets senders associate a specific domain with their email messages. Records published on the DNS vouch for an email’s authenticity. However, DKIM has a unique way of doing this with an encrypted digital signature.
The DomainKeys in DKIM include a public key published on the DNS record as well as a private key, which is included in an email’s header. That private key is the encrypted digital signature, which should be unique to the sender and match what’s published on the DNS.
A DKIM signature lets mail transfer agents (MTAs) know where to retrieve information on the public key. That’s used to verify the identity of the sender. If the two keys match, mailbox providers are more likely to deliver it to the inbox. If there is no match, or if there’s no DKIM signature at all, the email is more likely to be rejected or filtered into spam.
DKIM itself does not filter emails. However, it helps receiving mail servers decide how to best filter incoming messages. A successful DKIM verification often means a reduced spam score for a message.
Failing DKIM authentication may negatively impact email deliverability. For example, Gmail won’t deliver emails that appear to come from a brand like Paypal unless they pass DKIM authentication. That’s because scammers regularly use Paypal’s brand for email spoofing.
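To make the signing and checking steps above concrete, here is an added example (it is not code from the original article, and not an Email on Acid or Mailgun tool) that walks one message through the whole cycle in standard-library Python. Everything in it is constructed for the example: a throw-away RSA key generated at run time in place of a real one, rsa-sha256 with the relaxed/simple canonicalization used later in this article, and a Python dictionary standing in for the DNS lookup of the selector._domainkey.domain TXT record (with a simplified p= format). The part worth noticing is which key goes where: the private key is used only inside dkim_sign and never appears in the message; what the header carries is the signature it produced, and the verifier fetches the public key from DNS to check that signature and the body hash.

```python
import base64
import hashlib
import random
import re

# Toy RSA (textbook maths, Miller-Rabin keygen) so the example stays stdlib-only;
# a real signer uses a 2048-bit key from a vetted crypto library, never this.
def _is_probable_prime(n, rounds=24):
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True
def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand
def generate_keypair(bits=1024):  # -> ((n, e), (n, d)): public key for DNS, private key for the signer
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e:
            return (n, e), (n, pow(e, -1, phi))

_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 DigestInfo prefix, RFC 8017
def _emsa(data, k):  # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo || SHA-256(data)
    t = _DIGESTINFO + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rsa_sign(priv, data):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(data, k), "big"), d, n).to_bytes(k, "big")
def rsa_verify(pub, data, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa(data, k)

# DKIM canonicalization (RFC 6376 section 3.4): "relaxed" for headers, "simple" for the body.
def relaxed_header(name, value):
    # lowercase the field name, unfold, collapse runs of whitespace to a single space
    return name.lower() + ":" + re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip() + "\r\n"
def simple_body(body):
    # drop trailing empty lines, then terminate with exactly one CRLF
    return re.sub(r"(\r\n)*$", "", body) + "\r\n"
def body_hash(body):  # the bh= value
    return base64.b64encode(hashlib.sha256(simple_body(body).encode()).digest()).decode()
def parse_tags(value):  # "k=v; k=v" -> dict; partition() keeps the '=' padding inside base64 values
    return {k.strip(): v.strip() for k, _, v in (t.partition("=") for t in value.split(";") if t.strip())}
def _signed_data(headers, h_list, dkim_value):
    # Bytes covered by b=: each h= field (bottom-most occurrence wins), then the
    # DKIM-Signature field itself with b= emptied and no trailing CRLF.
    last = {n.lower(): (n, v) for n, v in headers}
    data = "".join(relaxed_header(*last[w]) for w in h_list if w in last)
    stripped = re.sub(r"(;\s*)b=[^;]*", r"\1b=", dkim_value)
    return (data + relaxed_header("DKIM-Signature", stripped).rstrip("\r\n")).encode()
def dkim_sign(headers, body, domain, selector, priv, h_list=("from", "to", "subject", "date")):
    """Signer side: returns the DKIM-Signature value to add to the message."""
    value = (f"v=1; a=rsa-sha256; c=relaxed/simple; d={domain}; s={selector}; "
             f"h={':'.join(h_list)}; bh={body_hash(body)}; b=")
    return value + base64.b64encode(rsa_sign(priv, _signed_data(headers, h_list, value))).decode()
def dkim_verify(headers, body, dns):
    """Verifier side. dns maps '<s>._domainkey.<d>' to its TXT record. Returns an auth result."""
    dkim_value = next((v for n, v in headers if n.lower() == "dkim-signature"), None)
    if dkim_value is None:
        return "none"            # unsigned mail: nothing to check
    tags = parse_tags(dkim_value)
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256":
        return "permerror"       # unknown version or algorithm
    if body_hash(body) != tags.get("bh"):
        return "fail"            # body changed after it was signed
    record = dns.get(f"{tags['s']}._domainkey.{tags['d']}")
    if record is None:
        return "permerror"       # selector not published, e.g. the key was rotated away
    # toy record: p= carries base64("n:e"); real records carry a base64 DER SubjectPublicKeyInfo
    n, e = map(int, base64.b64decode(parse_tags(record)["p"]).decode().split(":"))
    data = _signed_data(headers, tags["h"].lower().split(":"), dkim_value)
    return "pass" if rsa_verify((n, e), data, base64.b64decode(tags["b"])) else "fail"

def demo():
    """Constructed message: result for the intact mail, then for a copy whose Subject was rewritten in transit."""
    random.seed(7)   # only so the toy key is reproducible; never seed a real key generator this way
    pub, priv = generate_keypair()
    dns = {"s2024._domainkey.example.test":
           "v=DKIM1; k=rsa; p=" + base64.b64encode(f"{pub[0]}:{pub[1]}".encode()).decode()}
    headers = [("From", "alerts@example.test"), ("To", "reader@example.test"),
               ("Subject", "Your statement"), ("Date", "Mon, 1 Jan 2024 09:00:00 +0000")]
    body = "Your statement is attached.\r\n\r\n"
    signed = [("DKIM-Signature", dkim_sign(headers, body, "example.test", "s2024", priv))] + headers
    altered = [(n, "Reset your password now" if n == "Subject" else v) for n, v in signed]
    return dkim_verify(signed, body, dns), dkim_verify(altered, body, dns)   # ('pass', 'fail')
```

dkim_verify returns the same result vocabulary (pass, fail, permerror, none) that an Authentication-Results header uses, so its four outcomes map directly onto what you see in a mailbox provider's "show original" view. The second result in demo() is the point of the whole mechanism: one rewritten Subject line is enough for the signature check to fail, even though the body hash still matches.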
How to read a DKIM header
In order to take advantage of DKIM to protect your brand from spoofing and protect your subscribers from scammers, you’ll need to create a DKIM record and place it on your DNS. This may involve getting some help from the IT department and/or your email service provider (ESP).
Wondering what goes into a DKIM record? Here’s an example DKIM signature (recorded as an RFC 2822 header field) for the signed message:
DKIM-Signature: a=rsa-sha1; q=dns;
    d=example.com;
    s=jun2005.eng; c=relaxed/simple;
    t=1117574938; x=1118006938;
    h=from:to:subject:date;
    b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR
Let’s break down the DKIM header piece by piece. Each “tag” is associated with a value that contains information about the sender.
Tags in a DKIM header
- b = the actual digital signature of the contents (headers and body) of the mail message
- bh = the body hash
- d = the signing domain
- s = the selector
- v = the version
- a = the signing algorithm
- c = the canonicalization algorithm(s) for header and body
- q = the default query method
- l = the length of the canonicalized part of the body that has been signed
- t = the signature timestamp
- x = the expire time
- h = the list of signed header fields, repeated for fields that occur multiple times
NOTE: The v, a, b, bh, d, h, and s tags are required. DKIM signatures that are missing any of these tags will produce an error during verification.
We can see from this DKIM header that:
- The digital signature is dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR.
This signature is matched with the one stored at the sender’s domain.
- The body hash is not listed.
- The signing domain is example.com.
This is the domain that sent (and signed) the message.
- The selector is jun2005.eng.
- The version is not listed.
- The signing algorithm is rsa-sha1.
This is the algorithm used to generate the signature.
- The canonicalization algorithm(s) for header and body are relaxed/simple.
- The default query method is DNS.
This is the method used to look up the key on the signing domain.
- The length of the canonicalized part of the body that has been signed is not listed.
The signing domain can generate a key based on the entire body or only some portion of it. That portion would be listed here.
- The signature timestamp is 1117574938.
This is when it was signed.
- The expire time is 1118006938.
Because an already signed email can be reused to “fake” the signature, signatures are set to expire.
- The list of signed header fields includes from:to:subject:date.
This is the list of fields that have been “signed” to verify that they have not been modified.
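Here is an added example (not code from the original article) that parses the sample field above exactly as shown, with its b= value folded over several lines, and runs the checks a verifier performs before it queries DNS or touches the signature: required tags, the name of the DNS record that holds the public key (selector._domainkey.domain), whether h= covers the From field, and the t=/x= timestamps. The required-tag list follows RFC 6376; the "now" values are constructed. Run on the sample, it reports v= and bh= as missing (the two tags the breakdown above notes are not listed) and, with any present-day clock, that the signature expired back in 2005.

```python
import re

# The article's sample field, folded across lines the way it would be in a real message
SAMPLE_FIELD = (
    "DKIM-Signature: a=rsa-sha1; q=dns;\r\n"
    "    d=example.com;\r\n"
    "    s=jun2005.eng; c=relaxed/simple;\r\n"
    "    t=1117574938; x=1118006938;\r\n"
    "    h=from:to:subject:date;\r\n"
    "    b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR"
)

REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")   # RFC 6376 section 3.5

def parse_dkim_field(field):
    """Unfold a DKIM-Signature header field and return its tag=value pairs."""
    name, _, value = field.partition(":")
    if name.strip().lower() != "dkim-signature":
        raise ValueError("not a DKIM-Signature field")
    value = re.sub(r"\r?\n[ \t]+", " ", value)          # unfold continuation lines
    tags = {}
    for item in value.split(";"):
        if item.strip():
            k, _, v = item.partition("=")              # partition keeps '=' padding in base64 values
            tags[k.strip()] = re.sub(r"\s+", "", v)     # whitespace inside a value is not significant
    return tags

def key_record_name(tags):
    """Where the verifier fetches the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def check_signature_tags(tags, now):
    """Sanity checks worth running before spending a DNS query or an RSA operation.
    Returns a list of problems; an empty list means 'go ahead and verify'."""
    problems = [f"missing required tag {t}=" for t in REQUIRED_TAGS if t not in tags]
    if tags.get("v", "1") != "1":
        problems.append("unsupported version")
    if tags.get("a") == "rsa-sha1":
        problems.append("rsa-sha1 is obsolete (RFC 8301); expect rsa-sha256 or ed25519-sha256")
    signed = [f.lower() for f in tags.get("h", "").split(":") if f]
    if "from" not in signed:
        problems.append("h= must cover the From field")
    t = int(tags["t"]) if tags.get("t", "").isdigit() else None
    x = int(tags["x"]) if tags.get("x", "").isdigit() else None
    if t is not None and t > now + 300:                  # small allowance for clock skew
        problems.append("t= is in the future")
    if t is not None and x is not None and x < t:
        problems.append("x= must not be earlier than t=")
    if x is not None and x <= now:
        problems.append("signature expired (x= is in the past)")
    return problems

if __name__ == "__main__":
    tags = parse_dkim_field(SAMPLE_FIELD)
    print(key_record_name(tags))
    print(check_signature_tags(tags, now=1118006938))
```

The expiry check is the practical side of the x= tag explained above: a signature that verified correctly in 2005 is deliberately worthless today, which limits how long a captured, legitimately signed message stays useful to anyone who replays it.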
That’s a lot of technical info, we know. Luckily, there are tools that help email marketers generate DKIM records. If you’re working with one of Pathwire’s Email Deliverability Experts, you’ll get hands-on help setting up email authentication correctly. In fact, Mailgun by Pathwire requires a verified DKIM key before domains start sending from the platform.
Concerned about email deliverability?
Check out our email deliverability guide! Learn the ins and outs of how to stay out of spam folders and make sure your campaigns make it into your subscribers’ inboxes.
DKIM vs. SPF
A close cousin to DKIM is Sender Policy Framework (SPF). The two protocols authenticate senders and help prevent email spoofing in different ways.
While DKIM provides keys authenticating a sender, an SPF record contains an official list of domains/servers that are authorized to send email on behalf of a particular domain. This would include your ESP. So, it’s important to update your SPF record when you switch ESPs. If a domain that’s not in your SPF tries to send email from your brand, mailbox providers may reject it or send it to the junk folder.
Both SPF and DKIM have strengths and weaknesses. For example, a downside of SPF is that it breaks during email forwarding. But the DKIM signature does not. A DKIM signature can be faked, however, which is why it’s best practice to change or rotate your keys on a consistent basis – at least once or twice per year.
The good news is you don’t have to choose between SPF vs DKIM. These protocols are not competitors. In fact, your email authentication will be stronger if you use them both.
Once you have DKIM and SPF in place, a DMARC policy tells mailbox providers what to do with emails that fail authentication. And, once you have DMARC working, you can implement BIMI.
That’s like the icing on the cake. BIMI adds your brand’s logo next to messages in the inbox. So, subscribers have a visual cue letting them know the email can be trusted.
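The forwarding difference and the DMARC step deserve a concrete illustration, so here is an added example (not code from the original article, and not how any particular mailbox provider implements it) of the decision DMARC makes once SPF and DKIM have each returned a result. It follows the RFC 7489 rule that a message passes if either SPF or DKIM passes for a domain that aligns with the From: domain, and otherwise applies the published p= policy. The DMARC record, domains and results are constructed; the organizational-domain helper is a deliberate simplification (real verifiers consult the Public Suffix List).

```python
def organizational_domain(domain):
    # Simplification: the last two labels. Real verifiers use the Public Suffix List
    # so that names under suffixes such as ".co.uk" are handled correctly.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)

def parse_dmarc_record(record):
    tags = {k.strip(): v.strip() for k, _, v in
            (t.partition("=") for t in record.split(";") if t.strip())}
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags

def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Returns 'pass', or the p= action to apply when no authenticated identifier aligns.
    spf_domain is the MAIL FROM domain SPF was evaluated for; dkim_domain is the d= tag."""
    tags = parse_dmarc_record(record)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    return "pass" if (dkim_ok or spf_ok) else tags["p"]

# Constructed policy for the brand domain example.test: strict DKIM alignment, relaxed SPF alignment
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.test"

def scenarios():
    """Constructed cases; each value is the disposition a receiver would apply."""
    return {
        # sent directly through the brand's own ESP: both checks pass and align
        "direct": dmarc_disposition(RECORD, "example.test", "pass", "example.test", "pass", "example.test"),
        # forwarded by a mailing list: SPF fails (forwarder's IP) but the DKIM signature survives
        "forwarded": dmarc_disposition(RECORD, "example.test", "fail", "example.test", "pass", "example.test"),
        # From: claims example.test, but SPF and DKIM only pass for an unrelated domain
        "spoofed": dmarc_disposition(RECORD, "example.test", "pass", "unrelated.example", "pass", "unrelated.example"),
        # mail signed by a subdomain: strict adkim rejects the alignment, relaxed aspf accepts it
        "subdomain": dmarc_disposition(RECORD, "example.test", "pass", "news.example.test", "pass", "news.example.test"),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:10s} -> {result}")
```

The "forwarded" case is the one the SPF comparison above is about: the forwarder's server is not in the brand's SPF record, so SPF fails, but the DKIM signature travels with the message and still aligns, so the mail passes DMARC. The "spoofed" case shows why a lookalike sender with perfectly valid SPF and DKIM for its own domain still gets the p=reject disposition: its authenticated identifiers do not align with the From: domain the recipient sees.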
How to verify a DKIM signature
DNS records and DKIM signatures can get complicated. If you want to be sure your email authentication protocols are set up correctly, there are online tools that can help verify that.
Here are a few tools to try for DKIM verification:
When you use Email on Acid’s standalone Spam Testing (legacy), there is an option to run tests that check to see if your emails will pass SPF and DKIM authentication. (Not currently available with Campaign Precheck)
You can also test DKIM by sending an email to a Gmail account. Open the email in the Gmail web app, click on the down arrow next to the “reply” button (top right of email), and select “show original.” In the original, if you see “signed-by: your domain name” then your DKIM signature is good.
Improve deliverability before you hit send
There are a lot of good reasons to implement email authentication protocols. At the top of the list is improving deliverability. Without email authentication in place, mailbox providers are more likely to filter your messages into junk mail and spam folders.
With Email on Acid, you’ll get email deliverability insights before you hit send. That’s way better than finding out your campaign was marked as spam after you’ve already launched it. Validate your email against more than 20 popular spam filters and monitor blocklists using our state-of-the-art email pre-deployment platform.
Beyond deliverability, Email on Acid helps marketers run content checks, improve accessibility, and preview campaigns on 90+ email clients and devices. Take advantage of our free trial and start delivering email perfection!
Improve Deliverability to Hit More Inboxes!
Nothing ruins a polished email’s ROI potential like a trip to the spam folder. Run a Spam Test right within your Campaign Precheck workflow so you can land in more inboxes and increase email ROI. With Email on Acid, you can check your email against 23 of the most popular spam filters and your domain against the most popular blocklists before you hit “send”. Sign up for a free trial and try it out today.
Author: The Email on Acid Team
The Email on Acid content team is made up of digital marketers, content creators, and straight-up email geeks. Connect with us on LinkedIn, follow us on Facebook, and tweet at @EmailonAcid on Twitter for more sweet stuff and great convos on email marketing.