What is DKIM?
DKIM (DomainKeys Identified Mail) is a cryptographic technology that senders can use to sign their messages. DKIM allows the receiver of an email to validate that the message originated from an approved location as set by the domain owner. When messages are not signed with DKIM, emails are more likely to be flagged as spam and possibly not delivered to the intended recipient.
For more information see DKIM Record Explained.
How does DKIM work?
DKIM is a simple form of email authentication because its only function is to verify that the sender of an email is responsible for the domain the email is sent from. The two steps for DKIM are:
- The sender installs a private key on their mail servers and uses it to sign the message.
- The receiving server retrieves the public key stored in the TXT record at dkimselector._domainkey.domain.com and uses it to validate the signature made with the sender's private key.
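The lookup in the second step can be sketched in code. This is an added example, not code from the original page: it derives the DNS name a receiver queries from a DKIM-Signature header and checks the key record published there. The header, the selector `mail2024`, the domain `example.com` and both TXT records are constructed sample data, and the `p=` value is a placeholder rather than a real key.

```python
import re

# Constructed sample data (not from the page): a folded DKIM-Signature header
# value and the TXT records a resolver would return for two selectors.
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    "\ts=mail2024; h=from:to:subject:date;\r\n"
    "\tbh=Y29uc3RydWN0ZWQ=; b=c2FtcGxlLXNpZ25hdHVyZQ=="
)
SAMPLE_DNS = {
    "mail2024._domainkey.example.com": "v=DKIM1; k=rsa; t=y; p=TUlHZk1BMEdDU3FHU0li",
    "old._domainkey.example.com": "v=DKIM1; k=rsa; p=",
}

def parse_tags(value):
    """Split a 'tag=value; tag=value' list, removing folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")  # base64 padding stays in val
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_record_name(header_value):
    """Build the DNS name the receiver queries: <s>._domainkey.<d>."""
    tags = parse_tags(header_value)
    missing = [t for t in ("d", "s", "b", "bh") if t not in tags]
    if missing:
        raise ValueError("signature lacks required tags: " + ", ".join(missing))
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def check_key_record(txt):
    """Return a list of problems found in a published DKIM key record."""
    tags = parse_tags(txt)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but must be DKIM1
        problems.append("unknown version")
    if "p" not in tags:
        problems.append("no public key (p=) tag")
    elif tags["p"] == "":  # an empty p= means the key has been revoked
        problems.append("key revoked (empty p=)")
    elif not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", tags["p"]):
        problems.append("p= is not valid base64")
    if "y" in tags.get("t", "").split(":"):  # t=y marks the domain as testing DKIM
        problems.append("testing mode (t=y)")
    return problems
```

A receiver that finds a revoked key cannot validate the signature, and a record left in testing mode tells receivers that the domain is still trying DKIM out.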
How does DKIM prevent domain spoofing?
If you implement DKIM, you’re signing your email and telling other mail servers that the email they received is from your domain and you’re taking responsibility for it. This means that spam and phishing emails cannot be sent from your domain.
Why is DKIM important?
DKIM is important because it is one of the ways mail servers can verify the identity of the sender. Without implementing DKIM correctly, many email providers will block your email, preventing your messages from getting to the intended recipient. This may not seem incredibly important, but even if just a small number of your messages are blocked, it can have larger consequences for your business.
How can I test DKIM?
There are a variety of DKIM testing tools available for use online. Using something like a DKIM analyzer or DKIM checker will help you determine if you’ve accurately published your DKIM record. It is strongly recommended that any changes you make to your SPF or DKIM records are tested before you implement them.
Our personal favourite is MXToolbox.
What doesn’t DKIM do?
While DKIM does provide senders with a way to sign their messages so that inbox providers know they are responsible for the message content and domain it’s being sent from, there are a few things DKIM doesn’t do:
- DKIM doesn’t tell inbox providers how to handle the message. Unlike an email authentication technology like DMARC, DKIM doesn’t say what to do if a message fails or passes verification.
- DKIM doesn’t account for the sender of messages. Even if a message passes DKIM verification, the sender responsible for the message could still be a bad actor sending malicious email.
- DKIM doesn’t stop messages from being re-sent. If a malicious email is opened and forwarded by a recipient, the message can still be opened and harmful to subsequent recipients.
What is the difference between DKIM and SPF and do I need both?
SPF allows senders to tell ISPs which IPs are able to send on their behalf. DKIM allows ISPs to verify that the content sent is what the original sender intended. For more information about how to get your email delivered correctly.
Neither SPF nor DKIM fully secures an email alone. Each is missing an important function which the other provides. SPF is missing message verification and DKIM is missing a way to verify where the message is coming from. Both SPF and DKIM are needed to be a secure email sender.