What is DKIM

DKIM stands for DomainKeys Identified Mail. DKIM attaches a digital signature to each outgoing email sent from the email server. The sending email server generates a private/public key pair, and the public part of the key is published in a TXT record on the organisation's DNS server.

When an email server receives an email with a DKIM header attached, it performs a DNS lookup on the signing domain to retrieve the public key published in the TXT record. If the signature in the email verifies against that public key, that proves the email was sent from that domain.

The advantage of DKIM over SPF is that, because DKIM digitally signs messages, the receiving email server can tell if a message has been tampered with on its way to the receiving server.

How is it implemented?

To use DKIM you need to:

  • create a DKIM selector on your mail server
  • generate a public/private key pair for the selector
  • add a TXT record to your domain's DNS server to publish the selector and public key

Looking at the following DKIM DNS TXT record published by Gmail, we can see that:

$ dig -t TXT +noall +answer 20210112._domainkey.gmail.com
20210112._domainkey.gmail.com. 247 IN   TXT     "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq8JxVBMLHZRj1WvIMSHApRY3DraE/EiFiR6IMAlDq9GAnrVy0tDQyBND1G8+1fy5RwssQ9DgfNe7rImwxabWfWxJ1LSmo/DzEdOHOJNQiP/nw7MdmGu+R9hEvBeGRQAmn1jkO46KIw/p2lGvmPSe3+AVD+XyaXZ4vJGTZKFUCnoctAVUyHjSDT7KnEsaiND2rVsDvyisJUAH+EyRfmHSBwfJVHAdJ9oD8cn9NjIun/EHLSIwhCxXmLJlaJeNAFtcGeD2aRGbHaS7M6aTFP+qk4f2ucRx31cyCxbu50CDVfU+d4JkIDNBFDiV+MIpaDFXIf11bGoS08oBBQiyPXgX0wIDAQAB"

20210112. is the DKIM selector. This can be whatever you choose it to be

_domainkey is part of the specification

gmail.com is the domain where the DKIM TXT record is published

v=DKIM1; is the version of DKIM being used

k=rsa; the key type (algorithm) used to generate the public/private DKIM key pair

p=MIIBIjANB... is the DKIM public key

When a DKIM-enabled mail server sends an email, it adds a DKIM-Signature header like the following to each outgoing email (only the first fields are shown here; the remaining fields described below follow in the same header):

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=intuition-net.20210112.gappssmtp.com; s=20210112;

v=1; the version of the DKIM signature

a=rsa-sha256; the algorithm used to sign the email

c=relaxed/relaxed; the canonicalization algorithms applied to the header and to the body before hashing

d=intuition-net.20210112.gappssmtp.com; the signing domain (the domain whose DNS holds the public key)

s=20210112; the DKIM selector

h=to:subject:message-id:date... the list of header fields covered by the signature

bh=xXTMVenblL85p2... the hash of the canonicalized body

b=i9vTelcRV8pDGWwAxAH... the signature over the listed headers and the body hash
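As an added example (not code from the original page), here is the receiver's side of the fields above: parse the tag=value list of a DKIM-Signature header, derive the DNS name the receiver queries (selector + _domainkey + signing domain), and recompute the bh= body hash with relaxed body canonicalization so that a body altered after signing is detected. The sample body and header are constructed, the b= value is a placeholder, only relaxed body canonicalization is implemented, and checking b= itself would additionally need the RSA public key fetched from DNS.

```python
import base64
import hashlib
import re

def parse_tags(value: str) -> dict:
    """Split a DKIM tag=value list ('v=1; a=rsa-sha256; ...') into a dict.
    Whitespace inside values (folded b= or p= values) is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_dns_name(sig_header: str) -> str:
    """DNS name the receiver queries for the public key: <s>._domainkey.<d>"""
    tags = parse_tags(sig_header)
    return f"{tags['s']}._domainkey.{tags['d']}"

def relaxed_body(body: str) -> bytes:
    """RFC 6376 'relaxed' body canonicalization: collapse runs of spaces/tabs,
    strip trailing whitespace per line, drop trailing empty lines, end in CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t")
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""

def body_hash(body: str) -> str:
    """Base64 SHA-256 of the canonicalized body, i.e. the value carried in bh=."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def body_hash_matches(sig_header: str, body: str) -> bool:
    """True if the body still hashes to the bh= in the signature; a mismatch
    means the body was altered after signing or the header is not its own."""
    tags = parse_tags(sig_header)
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256":
        return False
    canon = tags.get("c", "simple/simple")
    if (canon.split("/")[1] if "/" in canon else "simple") != "relaxed":
        raise NotImplementedError("only relaxed body canonicalization shown")
    return tags.get("bh") == body_hash(body)

# Constructed sample: a body and a DKIM-Signature header built for it. The b=
# value is a placeholder; checking it needs the RSA public key from DNS.
SAMPLE_BODY = "Hello from the   mail server \r\n\r\n"
SAMPLE_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
                 "        d=intuition-net.20210112.gappssmtp.com; s=20210112;\r\n"
                 "        h=to:subject:message-id:date; bh=" + body_hash(SAMPLE_BODY)
                 + "; b=PLACEHOLDER")
```

The same parse_tags works on the DNS record text ("v=DKIM1; k=rsa; p=..."), which is what the receiver runs after looking up dkim_dns_name().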
