What is DKIM
DKIM (DomainKeys Identified Mail) is an email authentication technique that allows the receiver to check that an email was indeed sent and authorized by the owner of that domain. This is done by giving the email a digital signature. This DKIM signature is a header that is added to the message and is secured with encryption.
Once the receiver (or receiving system) determines that an email is signed with a valid DKIM signature, it can be certain that parts of the email, including the message body and attachments, have not been modified. Usually, DKIM signatures are not visible to end users; the validation is done at the server level.
Implementing the DKIM standard will improve email deliverability. If you use DKIM records together with DMARC (and even SPF), you can also protect your domain against malicious emails sent on behalf of your domains; in practice, these goals are achieved more effectively with that combination. DMARC and DMARC Analyzer use both SPF and DKIM. Together they provide synergy and the best result for email security and deliverability.
DKIM was formed in 2004 by merging two existing specifications: DomainKeys (created by Yahoo) and Identified Internet Mail (from Cisco).
It developed into a new, widely adopted authentication technique, which was also registered as an RFC by the IETF. All leading ISPs (like Google, Microsoft and Yahoo) check incoming mail for DKIM signatures.
The DKIM signature is generated by the MTA (Mail Transfer Agent). It creates a unique string of characters called a hash value. This hash value is stored in the listed domain. After receiving the email, the receiver can verify the DKIM signature using the public key registered in the DNS. It uses that key to decrypt the hash value in the header and recalculates the hash value from the email it received. If these two DKIM signatures match, the MTA knows that the email has not been altered. This gives the user confirmation that the email was actually sent from the listed domain.
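The "recalculate the hash value from the email it received" step can be shown in code. The following is an added example, not part of the original article: it recomputes the body hash the way RFC 6376 defines it and compares it with the `bh=` tag of a DKIM-Signature header. The sample body, the domain `example.com`, the selector `sel1` and the `b=` placeholder are constructed; the signature over the headers (`b=`, checked with the public key from DNS) is not verified here.

```python
import base64
import hashlib
import re

def canonicalize_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization per RFC 6376 section 3.4: 'simple' or 'relaxed'."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Collapse runs of spaces/tabs to one space and drop trailing whitespace.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # both modes ignore trailing empty lines
        lines.pop()
    if not lines:  # empty body: one CRLF in simple mode, nothing in relaxed mode
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "relaxed") -> str:
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")

def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)  # unfold the value
    return tags

def body_matches_signature(header_value: str, body: bytes) -> bool:
    tags = parse_tags(header_value)
    # Fail closed on anything this example does not handle (other hashes, l=).
    if not tags.get("a", "").endswith("-sha256") or "bh" not in tags or "l" in tags:
        return False
    modes = tags.get("c", "simple/simple").split("/")  # c= is header/body
    body_mode = modes[1] if len(modes) > 1 else "simple"
    if body_mode not in ("simple", "relaxed"):
        return False
    return body_hash(body, body_mode) == tags["bh"]

# Constructed sample: the header is built here, not taken from a real message.
SAMPLE_BODY = b"Hello,\r\n\r\nYour invoice is attached.\r\n"
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
    " h=from:to:subject; bh=" + body_hash(SAMPLE_BODY) + ";\r\n b=PLACEHOLDER"
)
```

With relaxed canonicalization, whitespace changes introduced in transit still match, while any change to the content makes `body_matches_signature` return `False`.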
DMARC is built on top of DKIM and SPF. Together they are the best practice to prevent email spoofing and make your emails more trustworthy. DMARC only works if you have set up both SPF and DKIM. Once you have set this up carefully, you can use the DMARC Analyzer tool to receive DMARC reports, which contain detailed information about who is sending emails on your behalf.