What is DKIM?
DKIM stands for DomainKeys Identified Mail. DKIM attaches a digital signature to each outgoing email sent from the email server. The sending email server generates a private/public key pair, and the public part of the key is published in a TXT record in the organisation's DNS zone.
When an email server receives an email carrying a DKIM-Signature header, it performs a DNS lookup on the signing domain named in that header to retrieve the public key published in the TXT record. If the signature in the email verifies against that public key, the message was signed with the domain's private key, which proves the email was sent from that domain.
The advantage of DKIM over SPF is that, because DKIM digitally signs messages, the receiving email server can tell whether a message has been tampered with on its way to the receiving server.
How is it implemented?
To use DKIM you need to:
- create a DKIM selector on your mail server
- generate a public/private key pair for the selector
- add a TXT record to your domain's DNS server to publish the selector and public key
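As an added example (not part of the article), the following Python script carries out step 3 in code: it turns a PEM public key into the TXT record value and then reads the result back the way a verifier will. It assumes the key pair from step 2 was generated with OpenSSL (openssl genrsa and openssl rsa -pubout) and reuses the gmail.com public key from the dig output later on this page as its sample key; the function names are this example's own. It goes slightly beyond the text by splitting the record into 255-byte DNS strings, which any 2048-bit key needs.

```python
"""Build and sanity-check the DNS TXT record that publishes a DKIM selector's
public key.  Added example; not the article's own code.

Assumed workflow for steps 1-2, done outside this script with OpenSSL:
  openssl genrsa -out dkim.key 2048
  openssl rsa -in dkim.key -pubout -out dkim.pub      # PEM public key
"""
import re
import textwrap

# The gmail.com public key from the dig output on this page (selector 20210112),
# re-wrapped into the PEM form that `openssl rsa -pubout` writes.
GMAIL_PUBKEY_B64 = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq8JxVBMLHZRj"
    "1WvIMSHApRY3DraE/EiFiR6IMAlDq9GAnrVy0tDQyBND1G8+1fy5Rwss"
    "Q9DgfNe7rImwxabWfWxJ1LSmo/DzEdOHOJNQiP/nw7MdmGu+R9hEvBeG"
    "RQAmn1jkO46KIw/p2lGvmPSe3+AVD+XyaXZ4vJGTZKFUCnoctAVUyHjS"
    "DT7KnEsaiND2rVsDvyisJUAH+EyRfmHSBwfJVHAdJ9oD8cn9NjIun/EH"
    "LSIwhCxXmLJlaJeNAFtcGeD2aRGbHaS7M6aTFP+qk4f2ucRx31cyCxbu"
    "50CDVfU+d4JkIDNBFDiV+MIpaDFXIf11bGoS08oBBQiyPXgX0wIDAQAB"
)
GMAIL_PUBKEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + "\n".join(textwrap.wrap(GMAIL_PUBKEY_B64, 64))
    + "\n-----END PUBLIC KEY-----\n"
)

# RFC 1035 limits one TXT character-string to 255 bytes.  A 2048-bit RSA key does
# not fit, so the record is published as several strings which the verifier
# concatenates before parsing (RFC 6376 section 3.6.2.2).
MAX_TXT_STRING = 255


def pem_to_p_tag(pem):
    """Strip the PEM armour; the remaining base64 SubjectPublicKeyInfo is the p= value."""
    body = []
    for line in pem.splitlines():
        line = line.strip()
        if line and not line.startswith("-----"):
            body.append(line)
    return "".join(body)


def build_dkim_txt(selector, domain, pem, key_type="rsa"):
    """Return (owner name, list of TXT strings) for selector._domainkey.domain."""
    record = "v=DKIM1; k=%s; p=%s" % (key_type, pem_to_p_tag(pem))
    chunks = [record[i:i + MAX_TXT_STRING] for i in range(0, len(record), MAX_TXT_STRING)]
    return "%s._domainkey.%s." % (selector, domain), chunks


def zone_line(selector, domain, pem):
    """Render the record as a BIND-style zone line, one quoted string per chunk."""
    name, chunks = build_dkim_txt(selector, domain, pem)
    return "%s IN TXT %s" % (name, " ".join('"%s"' % c for c in chunks))


def parse_dkim_record(chunks):
    """Join the strings as a verifier does, then split the tag=value list."""
    tags = {}
    for part in "".join(chunks).split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    return tags


def validate_dkim_record(chunks):
    """Return a list of problems; an empty list means the record looks publishable."""
    tags = parse_dkim_record(chunks)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":        # v= is optional but must be DKIM1 if present
        problems.append("v tag must be DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unknown key type %s" % tags["k"])
    if "p" not in tags:
        problems.append("p tag missing")
    elif tags["p"] == "":                           # RFC 6376: empty p= means the key is revoked
        problems.append("empty p tag: key is revoked")
    elif len(tags["p"]) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", tags["p"]):
        problems.append("p tag is not valid base64")
    for chunk in chunks:
        if len(chunk.encode()) > MAX_TXT_STRING:
            problems.append("TXT string longer than %d bytes" % MAX_TXT_STRING)
    return problems


if __name__ == "__main__":
    print(zone_line("20210112", "gmail.com", GMAIL_PUBKEY_PEM))
    _, chunks = build_dkim_txt("20210112", "gmail.com", GMAIL_PUBKEY_PEM)
    print("problems:", validate_dkim_record(chunks))
```

Run it as a script to see the zone line; the gmail.com key produces two quoted strings, which is what you should expect to paste into the DNS console for any 2048-bit key. The validation step is the same one worth running with dig against the live zone after publishing, since a record that was pasted as one over-long string, or with the p= value truncated, fails silently at the receiving side.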
Looking at the following DKIM DNS TXT record published by gmail.com, we can see that:
$ dig -t TXT +noall +answer 20210112._domainkey.gmail.com
20210112._domainkey.gmail.com. 247 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq8JxVBMLHZRj1WvIMSHApRY3DraE/EiFiR6IMAlDq9GAnrVy0tDQyBND1G8+1fy5RwssQ9DgfNe7rImwxabWfWxJ1LSmo/DzEdOHOJNQiP/nw7MdmGu+R9hEvBeGRQAmn1jkO46KIw/p2lGvmPSe3+AVD+XyaXZ4vJGTZKFUCnoctAVUyHjSDT7KnEsaiND2rVsDvyisJUAH+EyRfmHSBwfJVHAdJ9oD8cn9NjIun/EHLSIwhCxXmLJlaJeNAFtcGeD2aRGbHaS7M6aTFP+qk4f2ucRx31cyCxbu50CDVfU+d4JkIDNBFDiV+MIpaDFXIf11bGoS08oBBQiyPXgX0wIDAQAB"
20210112 is the DKIM selector (the trailing dot is only the DNS label separator). This can be whatever you choose it to be
_domainkey is a fixed label required by the specification
gmail.com is the domain where the DKIM TXT record is published
v=DKIM1; is the version of DKIM being used
k=rsa; the key type, i.e. the algorithm used to generate the public/private DKIM key pair
p=MIIBIjANB... is the DKIM public key
When a DKIM-enabled mail server sends an email, it adds the following header and fields to each outgoing email (shown here folded across lines, as it appears in a received message):
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=intuition-net.20210112.gappssmtp.com; s=20210112;
        h=to:subject:message-id:date:from:mime-version:from:to:cc:subject:date;
        bh=xXTMVenblL85p204ToSYokpuWVyhxoUhq91KLw/pi8A=;
        b=i9vTelcRV8pDGWwAxAHtJfqNys/St4hiL93beO2eYEkHAhvf96BMscLls7PK7mYG3H
         JIJBZVFoixBul37VbfzA4NX+UswwusQOx1ca7/CUPlsErOwi+nlCh9orHaMIHO+nXmew
         WgxT3iM9f7ipzF9ae613PkO7rVtavG8Z4Fpe7Grmfm1INcKIwkHF40Mj9v3tlcowrRJC
         6zRIyv3+JW2N5KWEhzfeESiQf6wTw7LJaAdyx5Q6uNH21JSXEDEd1wi5vU9jZziLwiOs
         LPjlUfETA5oFK+6wiep9gH2yocEFVdNsglQquII0fPCNqXW2TP+8GAv9tNEVbJs983lu
         ypgg==
v=1; the version of the DKIM signature
a=rsa-sha256; the algorithm used to sign the email
c=relaxed/relaxed; the canonicalization algorithms for the header and the body, in that order
d=intuition-net.20210112.gappssmtp.com; the signing domain identifier (SDID), i.e. the domain whose public key is looked up
s=20210112; the DKIM selector, combined with d= to form the DNS name selector._domainkey.domain
h=to:subject:message-id:date... the list of signed header fields (a name listed twice, as from is here, also covers a second copy of that header being added later)
bh=xXTMVenblL85p2... the base64 hash of the canonicalized body
b=i9vTelcRV8pDGWwAxAH... the signature over the listed header fields and the body hash
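As an added example (not the article's code), the following Python parses the DKIM-Signature header shown above, runs the structural checks a verifier makes before touching any cryptography, and computes the bh= body hash under both canonicalizations that c= can name. The body of the message behind that header is not on this page, so the body-hash comparison runs on a constructed message; verifying b= itself needs an RSA library and the key fetched from DNS and is left out. The names parse_dkim_signature, body_hash and body_hash_matches are this example's own.

```python
"""Parse a DKIM-Signature header and check its body hash (bh=) against a body.
Added example; not the article's own code.  Signature (b=) verification is not
shown: it needs RSA and the public key published in DNS."""
import base64
import hashlib
import re

# The DKIM-Signature value from this page, with the b= value folded across lines
# exactly as transport whitespace leaves it.
PAGE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=intuition-net.20210112.gappssmtp.com;"
    " s=20210112; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject:date;"
    " bh=xXTMVenblL85p204ToSYokpuWVyhxoUhq91KLw/pi8A=;"
    " b=i9vTelcRV8pDGWwAxAHtJfqNys/St4hiL93beO2eYEkHAhvf96BMscLls7PK7mYG3H"
    " JIJBZVFoixBul37VbfzA4NX+UswwusQOx1ca7/CUPlsErOwi+nlCh9orHaMIHO+nXmew"
    " WgxT3iM9f7ipzF9ae613PkO7rVtavG8Z4Fpe7Grmfm1INcKIwkHF40Mj9v3tlcowrRJC"
    " 6zRIyv3+JW2N5KWEhzfeESiQf6wTw7LJaAdyx5Q6uNH21JSXEDEd1wi5vU9jZziLwiOs"
    " LPjlUfETA5oFK+6wiep9gH2yocEFVdNsglQquII0fPCNqXW2TP+8GAv9tNEVbJs983lu"
    " ypgg=="
)

REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")   # RFC 6376 section 6.1.1


def parse_dkim_signature(value):
    """Split the tag=value list; whitespace inside b=, bh= and h= is folding and is dropped."""
    tags = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        key, _, val = part.partition("=")       # split at the first '=' only: base64 ends in '='
        key = key.strip()
        tags[key] = re.sub(r"\s+", "", val) if key in ("b", "bh", "h") else val.strip()
    return tags


def check_signature_header(tags):
    """Structural checks a verifier performs before any cryptography."""
    problems = [f"missing required tag {t}=" for t in REQUIRED_TAGS if t not in tags]
    if tags.get("v") != "1":
        problems.append("v= must be 1")
    if tags.get("a") not in ("rsa-sha256", "ed25519-sha256"):   # rsa-sha1 is deprecated by RFC 8301
        problems.append(f"algorithm {tags.get('a')} is unknown or deprecated")
    if "from" not in tags.get("h", "").lower().split(":"):
        problems.append("From: is not in h=; RFC 6376 requires it to be signed")
    return problems


def body_canonicalization(tags):
    """c= is header/body; a single name such as c=relaxed means relaxed header, simple body."""
    parts = tags.get("c", "simple/simple").split("/")
    return parts[1] if len(parts) == 2 else "simple"


def simple_body(body):
    """Simple canonicalization: drop trailing empty lines, end with CRLF (empty body -> one CRLF)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n"


def relaxed_body(body):
    """Relaxed canonicalization: collapse runs of WSP, strip trailing WSP, drop trailing empty lines."""
    lines = []
    for line in body.replace(b"\r\n", b"\n").split(b"\n"):
        lines.append(re.sub(rb"[ \t]+", b" ", line).rstrip(b" "))
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body, canon="relaxed"):
    """bh= value: base64 of SHA-256 over the canonicalized body."""
    data = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def body_hash_matches(header_value, body):
    """True when the body hashes to the bh= the signer put in the header."""
    tags = parse_dkim_signature(header_value)
    return body_hash(body, body_canonicalization(tags)) == tags.get("bh")


if __name__ == "__main__":
    tags = parse_dkim_signature(PAGE_HEADER)
    print("selector/domain:", tags["s"], tags["d"])
    print("header problems:", check_signature_header(tags))
    # Constructed message: a signer would compute bh= over the body like this and
    # the receiver, possibly after whitespace changes in transit, recomputes it.
    body = b"Hello  world \r\n\r\n"
    print("bh for constructed body:", body_hash(body))
    print("matches after relaxed canonicalization:", body_hash(b"Hello world\r\n") == body_hash(body))
```

The bh= comparison is the cheap first step of verification and the one that catches a body altered in transit: under relaxed canonicalization the receiver tolerates whitespace changes from intermediate mail servers, while any change to the words themselves produces a different hash, which is why the b= signature (over the header fields listed in h=, bh= included) fails.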