What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication mechanism that allows the recipient mail server to check whether a message has been altered in transit. The recipient server verifies a cryptographic signature that the sending server left on the message, confirming that the message arrived in the same form in which it was sent.
How does DKIM Work?
DKIM is an open standard, similar to SPF, that helps combat spamming, spoofing, and phishing by malicious actors. In its simplest form, DKIM is an authentication protocol that helps ensure the email received is the same as the email that was sent by the sender. The sending server leaves a cryptographic signature on the message, and the recipient server checks it. It's also important to protect against, and check for any signs of, DKIM abuse such as DKIM replay attacks.
DKIM Message Configuration and Signature
DKIM message signing is very similar to DomainKeys signatures. There are a number of extra tags available that authenticate different aspects of an email message.
Consider the following sample email and accompanying DKIM signature:
DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=v1; c=simple/simple;
    q=dns/txt; [email protected]; t=1231537955;
    h=Received:Date:From:Reply-to:To:Message-ID:Subject;
    bh=YXMEQF450z/x8OwmM2cXB0sn8pQ=;
    b=V4eYEm7zx1aNgbBaTgljjJ6lvU7xCEDeg2lE5KXMRZW...HSkBHlKnbICHCu3CTxqe8ys=;
Received: from [192.168.1.1]; Fri, 09 Jan 2009 13:52:35 -0800
Date: Fri, 9 Jan 2009 13:52:30 -0800 (PST)
From: Example-Announce
Reply-to: [email protected]
To: [email protected]
Message-ID: <129889030[email protected]>
Subject: January Announcements
The following is a description of the tags used in the above example:
v = The version of the DKIM specification being used to sign the message.
a = The algorithm used to generate the signature.
d = The domain of the signing entity.
s = The selector used to look up the public key.
c = The canonicalization algorithm – or the method by which the headers and content are prepared for presentation to the signing algorithm.
q = The query method(s) used to retrieve the public key.
i = The identity of the user or agent (e.g., a third party) on behalf of which this message is signed.
t = Signature timestamp, in UNIX time format.
h = A colon-separated list of header field names that identify the headers in the email message. The values in this tag MUST contain the complete list of headers in the order presented to the signing algorithm.
bh = The hash of the canonicalized body part of the message.
b = The signature data or public key, encoded as a Base64 string.
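The tag list above can be checked mechanically before any signature math is attempted. The following is an added example, not SocketLabs code: it parses the sample header's tags, derives the DNS name where the public key is published, and runs the structural checks a reviewer would want. The function names are illustrative, and the required-tag list and the `<selector>._domainkey.<domain>` naming are taken from RFC 6376.

```python
import base64
import hashlib

# DKIM-Signature value from the article's sample. The tag whose value was lost
# on the page is left out; the elided b= value is kept as shown and never decoded.
# Function names below are illustrative, not from any DKIM library.
SAMPLE = ("v=1; a=rsa-sha256; d=example.net; s=v1; c=simple/simple; q=dns/txt; "
          "t=1231537955; h=Received:Date:From:Reply-to:To:Message-ID:Subject; "
          "bh=YXMEQF450z/x8OwmM2cXB0sn8pQ=; "
          "b=V4eYEm7zx1aNgbBaTgljjJ6lvU7xCEDeg2lE5KXMRZW...HSkBHlKnbICHCu3CTxqe8ys=")

REQUIRED = ("v", "a", "b", "bh", "d", "h", "s")  # mandatory tags in RFC 6376
DIGESTS = {"rsa-sha1": "sha1", "rsa-sha256": "sha256"}

def parse_tags(value):
    """Split a tag=value list into a dict; malformed or repeated tags are errors."""
    tags = {}
    for part in filter(str.strip, value.split(";")):
        name, sep, val = part.partition("=")
        name = name.strip()
        if not sep or not name or name in tags:
            raise ValueError(f"malformed or duplicate tag: {part.strip()!r}")
        tags[name] = "".join(val.split())  # drop header folding whitespace
    return tags

def check(tags):
    """Return the structural problems found before any signature math is done."""
    problems = [f"missing required tag {t}=" for t in REQUIRED if t not in tags]
    if problems:
        return problems
    if tags["v"] != "1":
        problems.append(f"unsupported version {tags['v']}")
    if "from" not in tags["h"].lower().split(":"):
        problems.append("From is not in h=, so the visible sender is unsigned")
    digest = DIGESTS.get(tags["a"])
    if digest is None:
        problems.append(f"unknown algorithm {tags['a']}")
        return problems
    got = len(base64.b64decode(tags["bh"], validate=True))
    want = hashlib.new(digest).digest_size
    if got != want:
        problems.append(f"bh is {got} bytes, {tags['a']} needs {want}")
    return problems

def key_record_name(tags):
    """DNS name of the TXT record holding the public key (q=dns/txt)."""
    return f"{tags['s']}._domainkey.{tags['d']}"
```

Run on the sample, `check()` reports that `bh` decodes to 20 bytes while `rsa-sha256` produces a 32-byte hash, so the sample shows the tag layout but is not a signature that would verify.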
How Does DKIM Compare to SPF and DMARC?
SPF (Sender Policy Framework) is a form of email authentication that specifically protects and authenticates the return path address used in the message delivery process, preventing “from address” forgery. It does this by ensuring that the sent email originated from a server that has permission to send emails on behalf of the sender. DKIM, as discussed earlier, instead protects against unauthorized alterations of the email itself in transit.
DMARC (Domain-based Message Authentication, Reporting & Conformance) is not an authentication protocol; rather, it helps the sender align their SPF and DKIM policies to help determine what should happen if an email doesn’t pass SPF or DKIM. If you would like to learn more about DMARC, read our DMARC Guide.
What is the Purpose of DKIM and Do I Need It?
The simple answer is yes: if you send high-volume transactional or marketing email, you should absolutely configure SPF and DKIM and set up DMARC to further define and protect your authentication policy. Email authentication is important because it not only helps secure your email from bad actors and protect your recipients, but implementing the necessary authentication protocols also helps improve your email deliverability. The more secure your email is, the more likely the mailbox providers are to get your email to the inbox.
Need Help with Email Authentication and Deliverability?
SocketLabs was founded over ten years ago to help high-volume email senders make the most of their email with the latest technology and the best support. While our technology and support have evolved and progressed, our original values have stayed the same. Whether it's setting up your email engine with API or SMTP, learning more about authentication, or building your email in our marketing center, SocketLabs has the technology and the consulting available to put you on the path to success.