This is part 6 of an 8 part series on Email Authentication, to go to part one click here.

DomainKeys Identifed Mail (DKIM)

DomainKeys Identified Mail (DKIM) is the successor to Yahoo DomainKeys. Being very similar in functionality to DomainKeys, DKIM has additionally adopted aspects from Cisco’s Identified Internet Mail standard (IIM), and the result has been an enhanced standard that provides more flexibility and security than its predecessor. Some of the differences between DomainKeys and DKIM include:

  • Multiple signature algorithms (as opposed to just one available with DomainKeys)
  • More options with regard to canonicalization, that validates both header and body
  • The ability to delegate signing to third parties
  • The ability for DKIM to self-sign the DKIM-Signature header field – to protect against its being modified
  • The ability for wildcard option on some parameters
  • The ability to support signature timeouts in DNS

DKIM Message Configuration and Signing

DKIM message signing is very similar to DomainKey signatures. There are a number of extra tags available that authenticate different aspects of an email message.

Consider the following sample email and accompanying DKIM signature:

DKIM-Signature:v=1; a=rsa-sha256;; s=v1; c=simple/simple;
q=dns/txt; [email protected]; t=1231537955;
Received: from []; Fri, 09 Jan 2009 13:52:35 -0800
Date: Fri, 9 Jan 2009 13:52:30 -0800 (PST)
From: Example-Announce 
Reply-to: [email protected]
To: [email protected]
Message-ID: <[email protected]>
Subject: January Announcements

Note that there are tags that are seen in a DomainKey signature, as well as some additional tags only used by DKIM. Following is a description of the tags used in the above example:

v = The version of the DKIM specification being used to sign the message.

a = The algorithm used to generate the signature.

d = The domain of the signing entity.

s = The selector used in the public key.

c = The canonicalization algorithm – or the method by which the headers and content are prepared for presentation to the signing algorithm.

q = The query method(s) used to retrieve the public key.

i = The identity of the user or agent (e.g., a third party) on behalf of which this message is signed.

t = Signature timestamp. The format is UNIX time format.

h = A colon-separated list of header field names that identify the headers in the email message. The values in this tag MUST contain the complete list of headers in the order presented to the signing algorithm.

bh = The hash of the canonicalized body part of the message.

b = The signature data or public key, encoded as a Base64 string.

Verifying DomainKeys

Verification of DKIM signed email messages is done in virtually the same fashion as with messages signed with DomainKeys.

>>Continue on to The Complete Guide to Email Authentication, Part 7