What is DKIM?
DomainKeys Identified Mail (DKIM) is an email authentication standard designed to counter email spoofing. It lets a domain take responsibility for a message by signing it, so that receiving servers can detect mail that falsely claims to come from that domain, or that was altered after it was signed.
DKIM relies on the concept of a domain owner, the party that controls the DNS records for a domain. When sending with DKIM enabled, the sending server signs each outgoing message with a private key and attaches the result as a DKIM-Signature header. The domain owner also publishes a DKIM record, which is a TXT record with a defined tag format, in the DNS of the sending domain (at <selector>._domainkey.<domain>). That TXT record carries the public key that receiving mail servers use to verify a message's signature. This public-key process lets recipients confirm that the message was signed by the domain named in the signature and that the signed parts have not changed since.
![DKIM Authentication Process](https://cdn.aoitcloud.com/wp-content/uploads/2022/06/dkim-authentication-process-1024x683.jpg)
DKIM mail flow
To understand DKIM, it helps to follow what happens when an email is sent with DKIM in place. Imagine a message is sent from a mailbox at example.com. For DKIM to work properly, the following steps take place:
- Before sending the message, the sending server signs a chosen set of headers plus the body with its private key, and adds a DKIM-Signature header that names the signing domain (the d= tag) and the key's selector (the s= tag).
- When the message is delivered, the receiving server uses those two values to fetch the DKIM record from the DNS records for example.com.
- The receiving server then uses the public key in the DKIM record to verify the message's signature.
- If the DKIM check passes, the receiving server can be confident the message was signed by the domain named in the signature and that the signed headers and body weren't altered in transit. (DKIM says nothing about the return-path, or envelope sender, address; that is what SPF checks.)
- If the DKIM check fails, the message is treated according to the receiving server's failure policy, which typically means it is junked or rejected.
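The flow described above, as an added example that is not part of the original article: a minimal DKIM signer and verifier written in Go using only the standard library. It implements relaxed canonicalisation, the bh= body hash, the h= header list and the RSA-SHA256 signature over the header hash (RFC 6376), builds the TXT record the domain owner would publish, and then verifies three messages: the genuine one, one whose body was altered after signing, and one whose From header was replaced. The domain example.com, the selector s1, the mailbox names and the message text are all constructed for this example, and the TXT record string stands in for a live DNS lookup.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Headers are keyed by lowercase field name. (A map cannot hold duplicate fields; real verifiers
// must also cope with those, taking the last occurrence first as RFC 6376 requires.)
type Headers map[string]string

var spRe = regexp.MustCompile(`[ \t]+`)
var bTagRe = regexp.MustCompile(`(^|;)(\s*)b=[^;]*`) // the b= tag, wherever it sits in the signature header

// relaxHeader is "relaxed" header canonicalisation (RFC 6376 s.3.4.2): lowercase name, unfold, squeeze whitespace.
func relaxHeader(name, value string) string {
	return strings.ToLower(name) + ":" + strings.Join(strings.Fields(value), " ") + "\r\n"
}
// relaxBody is "relaxed" body canonicalisation (s.3.4.4) of a CRLF body: squeeze whitespace, drop trailing
// whitespace and trailing empty lines, end with exactly one CRLF (an empty body stays empty).
func relaxBody(body string) string {
	lines := strings.Split(body, "\r\n")
	for i, l := range lines {
		lines[i] = strings.TrimRight(spRe.ReplaceAllString(l, " "), " ")
	}
	if s := strings.TrimRight(strings.Join(lines, "\r\n"), "\r\n"); s != "" {
		return s + "\r\n"
	}
	return ""
}
// headerHash covers the h= fields in order, then the DKIM-Signature field itself with an empty b= value and
// no trailing CRLF (s.3.7). A listed but absent field hashes as nothing, which stops a relay adding it later.
func headerHash(hdrs Headers, h []string, dkimValue string) []byte {
	sum := sha256.New()
	for _, name := range h {
		if v, ok := hdrs[strings.ToLower(name)]; ok {
			sum.Write([]byte(relaxHeader(name, v)))
		}
	}
	sum.Write([]byte(strings.TrimSuffix(relaxHeader("DKIM-Signature", dkimValue), "\r\n")))
	return sum.Sum(nil)
}
// parseTags splits "k=v; k=v" into a map, dropping the folding whitespace tag values may contain.
func parseTags(s string) map[string]string {
	out := map[string]string{}
	for _, kv := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(kv, "="); ok {
			out[strings.TrimSpace(k)] = strings.Join(strings.Fields(v), "")
		}
	}
	return out
}
// Sign is the sending server's step: hash the body (bh=), hash the headers, sign that hash with the private key (b=).
func Sign(priv *rsa.PrivateKey, domain, selector string, hdrs Headers, body string, h []string) (string, error) {
	bh := sha256.Sum256([]byte(relaxBody(body)))
	unsigned := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(h, ":"), base64.StdEncoding.EncodeToString(bh[:]))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerHash(hdrs, h, unsigned))
	return unsigned + base64.StdEncoding.EncodeToString(sig), err
}
// Verify is the receiving server's step, given the TXT record it looked up at <s>._domainkey.<d>.
func Verify(txt string, hdrs Headers, body, dkimValue string) error {
	tags, rec := parseTags(dkimValue), parseTags(txt)
	der, _ := base64.StdEncoding.DecodeString(rec["p"])
	pubAny, err := x509.ParsePKIXPublicKey(der)
	pub, ok := pubAny.(*rsa.PublicKey)
	sig, sigErr := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil || sigErr != nil || !ok || tags["v"] != "1" || tags["a"] != "rsa-sha256" {
		return fmt.Errorf("unusable key record or DKIM-Signature tags")
	}
	if bh := sha256.Sum256([]byte(relaxBody(body))); base64.StdEncoding.EncodeToString(bh[:]) != tags["bh"] {
		return fmt.Errorf("body hash mismatch: body altered after signing")
	}
	unsigned := bTagRe.ReplaceAllString(dkimValue, "${1}${2}b=") // blank the signature value before hashing
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerHash(hdrs, strings.Split(tags["h"], ":"), unsigned), sig)
}
// RoundTrip runs the whole flow on a constructed message: genuine delivery, altered body, forged From.
func RoundTrip() (genuine, alteredBody, forgedFrom error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err, err, err
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	txt := "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der) // what s1._domainkey.example.com would return
	hdrs := Headers{"from": "Alice <alice@example.com>", "to": "Bob <bob@example.net>", "subject": "Quarterly   report"}
	body := "Please find the figures attached.   \r\n\r\n"
	dkim, err := Sign(priv, "example.com", "s1", hdrs, body, []string{"From", "To", "Subject", "Date"}) // no Date: signed as absent
	if err != nil {
		return err, err, err
	}
	genuine = Verify(txt, hdrs, body, dkim)
	alteredBody = Verify(txt, hdrs, "Please find the revised figures attached.\r\n", dkim)
	forged := Headers{"from": "Mallory <mallory@example.com>", "to": hdrs["to"], "subject": hdrs["subject"]}
	forgedFrom = Verify(txt, forged, body, dkim)
	return
}

func main() { fmt.Println(RoundTrip()) }
```

Running it prints `<nil>` for the genuine message, a body hash mismatch for the altered body, and `crypto/rsa: verification error` for the forged From, which is the distinction a receiving server sees between content tampering and a bad signature. Two things a production verifier does that this one leaves out: it selects duplicate header fields bottom-up (the map here cannot hold duplicates), and it checks that the d= domain lines up with the address in the visible From header, which DKIM alone does not require and which DMARC adds on top.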
While DKIM authentication is an email best practice, it's important to understand what a DKIM signature does and does not prove. Its only function is to tie the message to the signing domain and to guarantee that the signed headers and body were not modified after signing; that is an important factor (although not the only factor) in email delivery. DKIM cannot be used to verify that the contents of an email are genuine or safe: a phishing message signed by the attacker's own domain passes DKIM just as well as a legitimate one.
Setting up DKIM can be a complex process. If it is not done correctly, for example because the published public key does not match the signing key, the TXT record is missing or malformed, or a relay rewrites signed headers before delivery, signatures will fail verification, and Internet service providers (ISPs) and mailbox providers may junk or reject your email, since broken authentication is also a common trait of spam.