DKIM (DomainKeys Identified Mail)

Complete Guide to Email Cryptographic Signing - Verifying Email Authenticity and Integrity

What is DKIM (DomainKeys Identified Mail)?

DKIM (DomainKeys Identified Mail) is an email authentication method that uses cryptographic signatures to verify that an email message was sent by an authorized server and that the message content hasn't been tampered with during transit.

Unlike SPF, which only checks if a server is authorized to send email, DKIM provides cryptographic proof that:

  • The email actually came from your domain
  • The email content hasn't been modified after it was sent
  • The email headers haven't been altered

How DKIM Works

DKIM uses public-key cryptography:

  1. Signing: Your mail server signs each outgoing email with a private key
  2. DNS Publication: The corresponding public key is published in DNS
  3. Verification: Receiving servers retrieve the public key from DNS and verify the signature
  4. Result: If the signature is valid, the email is authentic and unmodified

DKIM signatures are added to email headers as the message is sent. The signature covers specific headers (like From, To, Subject) and the message body: the sending server hashes that content and signs the hash with its private key, and recipients recompute the hash and check the signature against the public key to confirm nothing covered by it has changed.

Why DKIM is Critical for Your Business

1. Email Authenticity Proof

DKIM provides cryptographic proof that an email actually came from your domain. This is essential for:

  • Legal Disputes: Proving in court that an email was actually sent by your organization
  • Business Communications: Ensuring customers and partners can trust emails from your domain
  • Brand Protection: Preventing others from successfully impersonating your business
  • Compliance: Meeting regulatory requirements for email authenticity

2. Message Integrity Verification

DKIM signatures detect if an email has been modified after it was sent. If any part of the signed content (headers or body) is altered, the signature verification fails. This protects against:

  • Man-in-the-middle attacks that modify email content
  • Malicious email forwarding that alters messages
  • Email tampering during transit
  • Content injection attacks

3. Email Deliverability

Major email providers (Gmail, Outlook, Yahoo) use DKIM as a key factor in spam filtering and deliverability decisions. Emails with valid DKIM signatures are:

  • Less likely to be marked as spam
  • More likely to reach the inbox
  • Trusted by email security filters
  • Given higher reputation scores

4. Required for DMARC

DKIM is a foundational requirement for DMARC (Domain-based Message Authentication, Reporting & Conformance), which provides the highest level of email security. DMARC can use either SPF or DKIM (or both) to authenticate emails, but DKIM is preferred because it:

  • Works even when emails are forwarded (SPF often breaks on forwarding)
  • Provides message integrity verification
  • Is more flexible with email routing

What Can Go Wrong Without Proper DKIM Configuration?

No Email Authenticity Proof

Without DKIM, you cannot cryptographically prove that emails came from your domain. This means:

  • You cannot prove email authenticity in legal disputes
  • Recipients cannot verify emails are actually from you
  • Email security filters have less confidence in your emails
  • Your domain reputation may suffer

Poor Email Deliverability

Emails without DKIM signatures are more likely to:

  • Be marked as spam by email providers
  • End up in junk folders instead of inboxes
  • Be rejected by strict email security filters
  • Receive lower reputation scores

Incomplete Email Security

Without DKIM, your email security is incomplete. SPF alone is not sufficient because:

  • SPF breaks when emails are forwarded
  • SPF doesn't verify message integrity
  • SPF doesn't work well with email lists and mailing services
  • DMARC requires either SPF or DKIM, and DKIM is more reliable

DKIM Configuration Errors

Even with DKIM enabled, configuration errors can cause problems:

  • Wrong Selector: If the selector in the email signature doesn't match DNS, verification fails
  • Missing Public Key: If the DNS record is missing or inaccessible, verification fails
  • Key Mismatch: If the public key doesn't match the private key, verification fails
  • Expired Keys: If keys are rotated but DNS isn't updated, verification fails
  • Weak Algorithms: Using deprecated algorithms (like SHA-1) can cause verification failures

How DKIM Works: Technical Deep Dive

DKIM Selectors

A selector is an identifier that allows multiple DKIM keys to exist for the same domain. This enables:

  • Different keys for different mail servers
  • Key rotation without service interruption
  • Separate keys for different services (marketing, transactional, etc.)

Common selectors include: default, mail, google, selector1, 2023 (year-based), and service-specific names. The selector is combined with _domainkey to form the DNS subdomain where the public key is published.

Example: For domain prismweb.com with selector default, the DKIM public key is published at:
default._domainkey.prismweb.com

DKIM Signature Header

When an email is sent, the mail server adds a DKIM-Signature header containing:

  • v= DKIM version (usually 1)
  • a= Signing algorithm (e.g., rsa-sha256, ed25519-sha256)
  • c= Canonicalization method (simple/relaxed for headers and body)
  • d= Signing domain
  • s= Selector
  • h= List of headers that were signed
  • bh= Hash of the email body
  • b= The actual signature (base64-encoded)

Example DKIM-Signature Header:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=prismweb.com; s=default; h=from:to:subject:date; bh=abc123...; b=xyz789...

DKIM Public Key Record

The DKIM public key is published as a DNS TXT record at selector._domainkey.domain.com. The record contains:

  • v=DKIM1 Version identifier
  • k= Key type (rsa or ed25519)
  • p= The public key (base64-encoded)
  • h= Acceptable hash algorithms (sha256, sha1; sha1 is deprecated)
  • s= Service type (email, * for all)
  • t= Flags (y for testing mode)

Example DKIM Public Key Record:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

DKIM Verification Process

When a receiving mail server receives an email with a DKIM signature:

  1. Extracts the d= (domain) and s= (selector) from the DKIM-Signature header
  2. Queries DNS for s._domainkey.d (e.g., default._domainkey.prismweb.com)
  3. Retrieves the public key from the DNS TXT record
  4. Reconstructs the canonical form of the signed headers and body
  5. Calculates the hash of the canonicalized content
  6. Verifies the signature using the public key
  7. Returns pass (valid), fail (invalid), or neutral (no signature)

Canonicalization

Canonicalization is the process of normalizing email headers and body before signing and verification. This ensures that minor formatting differences (like whitespace) don't cause signature failures. Two methods are used:

  • simple: No changes to headers or body (strict, breaks on any modification)
  • relaxed: Normalizes whitespace, case, and formatting (more forgiving, recommended)

Most modern implementations use relaxed/relaxed (relaxed for headers, relaxed for body) for better compatibility with email forwarding and mailing lists.
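The following is an added, constructed illustration (not code from this page or from PrismWeb) of the tag=value format of the DKIM-Signature header and public key record, of verification steps 1, 2, 4 and 5 above, and of relaxed canonicalization. It uses only the Python standard library; the message body, the domain example.com and the selector mail2024 are made up, and the b= signature check itself (step 6) needs an RSA or Ed25519 library and is left out.

```python
import base64
import hashlib
import re

def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (DKIM-Signature header or DNS TXT record) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)  # folding whitespace inside values is ignored
    return tags

def dns_name(tags: dict) -> str:
    """Steps 1-2: the public key is looked up at <selector>._domainkey.<signing domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def relaxed_header(name: str, value: str) -> bytes:
    """RFC 6376 relaxed header canonicalization: lowercase name, unfold, collapse whitespace."""
    value = re.sub(r"\r\n[ \t]+", " ", value)            # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")   # one SP per run, none at the ends
    return f"{name.strip().lower()}:{value}\r\n".encode()

def relaxed_body(body: str) -> bytes:
    """RFC 6376 relaxed body canonicalization (step 4 for the body)."""
    lines = [re.sub(r"[ \t]+", " ", l).rstrip(" \t") for l in body.split("\r\n")]
    while lines and lines[-1] == "":                     # drop trailing empty lines
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""

def body_hash(body: str) -> str:
    """Step 5: bh= is the base64 SHA-256 of the canonicalized body."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def body_hash_matches(signature_header: str, body: str) -> bool:
    """A receiver recomputes bh= from the body it received and compares it with the tag."""
    return parse_tags(signature_header).get("bh") == body_hash(body)

# Constructed sample (not a real message): the signer computes bh= over this body.
ORIGINAL_BODY = "Hello,\r\n\r\nYour invoice   is attached.\r\n\r\n\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail2024; "
             "h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY) + "; b=<signature-placeholder>")

if __name__ == "__main__":
    print(dns_name(parse_tags(SIGNATURE)))                       # mail2024._domainkey.example.com
    # Whitespace-only changes made in transit still verify under relaxed canonicalization...
    print(body_hash_matches(SIGNATURE, "Hello,\r\n\r\nYour invoice is attached.\r\n"))   # True
    # ...but any change to the words does not.
    print(body_hash_matches(SIGNATURE, "Hello,\r\n\r\nYour invoice is attached to the new account.\r\n"))  # False
```

The header side works the same way: the receiver feeds each name in h= through relaxed_header (in the listed order) together with the DKIM-Signature header itself with an empty b=, and that is the data the b= signature is checked against.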

Cryptographic Algorithms

DKIM supports multiple cryptographic algorithms:

  • RSA: Traditional algorithm, widely supported. Key sizes: 1024-bit (deprecated), 2048-bit (minimum), 4096-bit (recommended)
  • Ed25519: Modern elliptic curve algorithm with smaller keys and better performance. Recommended for new deployments

Hash algorithms: SHA-256 (recommended) or SHA-1 (deprecated, should not be used). Modern implementations should use RSA-SHA256 or Ed25519-SHA256.

DKIM and Email Forwarding

One of DKIM's advantages over SPF is that it works with email forwarding. When an email is forwarded:

  • The original DKIM signature remains in the headers
  • Receivers can still verify the original signature
  • The forwarding server can add its own DKIM signature (multiple signatures are allowed)
  • Both signatures can be verified independently

This makes DKIM more reliable than SPF for emails that go through mailing lists, forwarding services, or email gateways.

DKIM Best Practices

1. Use Strong Keys and Algorithms

  • Use RSA keys of at least 2048 bits (4096 bits recommended)
  • Prefer Ed25519 for new deployments (smaller keys, better performance)
  • Use SHA-256 hash algorithm (never SHA-1)
  • Use relaxed/relaxed canonicalization for better compatibility

2. Proper Key Management

  • Store private keys securely with restricted access
  • Use separate keys for different services (marketing, transactional, etc.)
  • Implement key rotation procedures
  • Keep old keys in DNS during rotation period for smooth transition

3. Sign All Outgoing Emails

Configure your mail servers to sign ALL outgoing emails, not just some. This ensures consistent authentication and better deliverability.

4. Monitor DKIM Verification

  • Use DMARC reports to monitor DKIM pass rates
  • Test DKIM signatures regularly
  • Monitor for signature failures
  • Set up alerts for DNS record changes

5. Use Descriptive Selectors

Use meaningful selector names (like mail2024 or marketing) rather than generic names. This makes key management easier and helps identify which service is signing emails.

How PrismWeb Ensures Complete DKIM Protection

At PrismWeb, we perform comprehensive DKIM validation:

  • DKIM Record Detection: We check 250+ common selectors to find DKIM public key records
  • Public Key Validation: We verify that DKIM public keys are properly formatted and accessible
  • Algorithm Analysis: We check that you're using strong algorithms (RSA 2048+ or Ed25519) and SHA-256
  • Key Strength Verification: We verify key sizes meet security requirements
  • DNS Accessibility: We ensure DKIM records are publicly accessible and resolve correctly
  • Selector Coverage: We identify all selectors in use and verify their DNS records
  • Configuration Completeness: We check that DKIM is properly configured for all mail servers

When you host with PrismWeb, DKIM is properly configured with strong keys, continuously monitored, and automatically maintained. We handle key rotation, DNS updates, and signature verification so your emails are always authenticated. This is one of our 16 comprehensive security checks that most providers skip.