What is DKIM: DKIM and Digital Signatures Explained

Last updated on May 11, 2021

You know in historical movies and series like Game of Thrones, the most important characters have a ring with a seal on it which they use to stamp their letters? Well, did you know you can do something similar with a digital signature for your emails? Just as a stamp showing the image of a dire wolf would indicate that a letter came from the House of Stark, so you can add a DomainKeys Identified Mail (DKIM) signature to your emails to prove they’re coming from you and not an imposter.

While the House of Stark seal would only protect the recipient, DKIM protects both the sender and the person on the receiving end. DKIM ensures that no aspect of the message or its attachments has been altered during its journey through cyberspace. It also ensures that neither the sender’s domain nor address can be used to send out spam or attempt phishing attacks.

What Is DKIM?

DKIM is a form of digital signature which is added to a message’s header. Generated by the mail transfer agent using the originating Domain Name System (DNS), the signature is essentially the result of an algorithm, a set of rules, applied to each signed field. When the recipient’s email provider receives a DKIM-signed message, it uses a public key stored in the sender’s DNS to verify the sender and unlock the message. If the public key does not match the private key used to sign, it indicates to the recipient’s email provider that the message has been tampered with.

DKIM is one of the most advanced forms of email authentication around, providing email recipients with a guarantee that the message they’re receiving did indeed come from the person it says it’s from. In effect, the DKIM signature is the equivalent of you phoning the recipient and informing them that you just sent an email and waiting on the phone to confirm its content. That would be silly, however, whereas the same process in the digital world makes a lot more sense.

Some email providers have DKIM set up on specific senders to protect themselves and their users against potential phishing attacks. Gmail, for example, won’t deliver an email from PayPal.com unless it can verify the DKIM signature first.

How Does DKIM Work?

Now that you know what DKIM is, you need to understand how it works. DKIM operates using two different keys, a private one and a public one. The first of these encodes the header of the message using a key that’s unique to your domain. The second enables the recipient to validate that signature. When setting up DKIM, the user must first generate this pair of keys and then publish the public key in their DNS records, using a special TXT format. Thereafter, each outgoing message will be allocated its own unique DKIM signature header, as generated by the outbound mail server.

The DKIM signature contains information about the message body, the specified headers, and how the signature was generated. When a DKIM-signed email arrives at its destination, the inbound server will look up the public DKIM key and use it to decrypt the message and access its contents. If the two keys don’t match, the recipient won’t be able to access the content and will, therefore, be protected against potentially malicious emails and phishing attempts.

DKIM is a rather complex process but is nevertheless well worth utilizing if you want your emails delivered and your recipients to know they can trust your communications.

How to Set Up DKIM

DKIM uses your originating domain’s DNS as its starting point, so the first step is to ensure you’re aware of all the domains being used to send emails. As different mail providers are often used for different purposes or by different departments within a single company, this can be more difficult than it appears.

The best way to guarantee that all your domains have been covered is to use an online sender tool like Sender Score. This isn’t much help if you’re a private individual who doesn’t send out many emails, but if you’re in charge of customer support for a company, a tool of this nature will give you useful information about your originating domains, as well as other metrics regarding your level of email deliverability.

Once you’ve got all your sending domains identified, you can begin the installation and configuration process. This requires you to install a designated DKIM package but, before you can do that, you’ll need exchange server groupware to give users access to the necessary messaging functions and security features.

When it comes to creating your private and public key pair, there are numerous DKIM wizards around to help you, although some will keep a record of your private key, making it rather less secure. DKIM keys can use any form of encryption, but anything lower than 1024-bit is pretty worthless these days, and the industry standard is now the virtually unbreakable 2048-bit.

Once you’ve got your public key, you can publish it on the relevant domain using your system administrator or via the interface of your chosen DKIM solution. Once your public key is in place, you can store your private key so it can be accessed by your email server and applied to all outgoing messages.

What Security Does DKIM Offer and Do I Need It?

If you’re a private individual simply keeping in touch with friends, chances are DKIM will do little for you. You will, however, benefit from its application, as in the example we mentioned earlier regarding Gmail blocking unsigned emails from PayPal. Similarly, large companies utilizing DKIM can help reduce the number of potentially dangerous emails and phishing threats you receive, although a reputable antivirus is also effective against such threats.

For those of you responsible for sending out thousands of emails using an email marketing platform, however, the likelihood of your message ending up in the spam box is very high. DKIM offers a way to get around such deliverability issues and improve your sender reputation by ensuring that no one else can use your domain or spoof your identity when sending out emails.

DKIM is not a spam filter, however, but rather a means with which to bypass such filters by proving the authenticity of the email. For a big company, that’s vital stuff without which their carefully designed email marketing campaign could end up in the junk mail folder without ever being seen.

Despite the complexity of DKIM itself, that’s actually all it does, in a nutshell, so if you’re worried about getting malware infections, having your identity stolen, or being blocked from certain online content because of your geographical location, DKIM is not the solution you’re looking for.

The Downside of DKIM

DKIM offers an important cybersecurity solution but it isn’t quite as effective or comprehensive as it could be. DKIM encrypts only the parts of the message that the sender specifies, meaning that someone could potentially intercept the message and insert extra fields or modify unencrypted sections. This is a form of replay attack and is a dangerous problem as the recipient will still be convinced of the message’s authenticity as the DKIM signature will still be valid.

Although DKIM is designed to mitigate replay attacks, it isn’t completely secure. For example, if you allow visitors to your website to sign up for a trial account, you need to make sure you have the right restrictions in place to prevent them from digging deeper into your system. If an individual can hack into your email system, for example, they will also be able to create original content and send it out using your secure DKIM signature.

Another problem with DKIM is that, as so few use it, it’s impractical to block all messages that aren’t verified by a DKIM signature. Unfortunately, the failings of DKIM go beyond that and, according to a paper about the deployment and operation of DKIM, even “if a DKIM signature fails to verify, it is entirely possible that the message is valid”. In other words, Ned Stark could have stamped the imprint of Mickey Mouse into his red wax and, even though King Robert Baratheon noticed that it wasn’t his usual seal, simply said to himself, “Oh well, never mind, that doesn’t mean it’s not from him” and accepted the contents as authentic.
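To make the “How Does DKIM Work?” and “The Downside of DKIM” sections concrete, here is an added example in Go that is not part of the original article: it generates the domain’s key pair, renders the TXT record the public key is published in, signs the body hash plus the headers named in the signature, and verifies on the receiving side. The canonicalization is deliberately simplified, and the names Message, Sign, Verify and DNSRecord are this example’s own, not a library’s; the selector and domain are left as placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"strings"
)

// Message is a simplified email: header name -> value, plus the body.
type Message struct{ Headers map[string]string; Body string }

// NewKey makes the domain's key pair (2048-bit, the size the article recommends).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// DNSRecord renders the TXT value published at <selector>._domainkey.<domain>.
func DNSRecord(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an *rsa.PublicKey
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// signingInput is what the signature covers: each header named in h= (lower-cased
// name, trimmed value) plus the body hash (bh=). Headers not in h= are NOT covered.
func signingInput(m Message, h []string) []byte {
	var b strings.Builder
	for _, name := range h {
		b.WriteString(strings.ToLower(name) + ":" + strings.TrimSpace(m.Headers[name]) + "\r\n")
	}
	bh := sha256.Sum256([]byte(m.Body))
	b.WriteString("bh=" + base64.StdEncoding.EncodeToString(bh[:]))
	return []byte(b.String())
}

// Sign produces the b= value with the sender's private key.
func Sign(priv *rsa.PrivateKey, m Message, h []string) (string, error) {
	d := sha256.Sum256(signingInput(m, h))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return base64.StdEncoding.EncodeToString(sig), err
}

// Verify is the receiver's check, using the public key fetched from DNS.
func Verify(pub *rsa.PublicKey, m Message, h []string, b64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(b64)
	d := sha256.Sum256(signingInput(m, h))
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}
```

Changing the body or any header listed in h= makes Verify fail, while a header that was never listed is simply not covered, which is why a signer should list every header that matters to the recipient.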

How DMARC Enhances DKIM

To address some of the problems with DKIM, it’s now possible to implement Domain-based Message Authentication, Reporting, and Conformance (DMARC) which will inform the recipient of the security protocols applied to the message. In other words, instead of the end-user being unaware of a DKIM signature or lack thereof, DMARC will flag emails that lack DKIM authentication and allow the user to decide what to do with them.

If the message is rejected or junked, a report is sent back to the sender who can then use that information to correct their digital signatures and other security protocols. In conjunction with DMARC, therefore, DKIM becomes a much more effective tool as users can gather information about its ability to guard against email scams and tackle problems as they arise.

DMARC is a welcome addition to the realm of cybersecurity and has the potential to turn DKIM into a vital tool in every company’s online security arsenal. As DMARC enables the recipient to enter into a conversation with the sender about the nature and authenticity of the email, it gives DKIM the wings it needs to move to the next level and provide more robust protection against phishing and other email-based cyber threats.

Given that over half of all the emails sent are spam, even if the combination of DKIM and DMARC only prevents a percentage of those, it’s going to have a huge effect overall.

Other Critical Cybersecurity Tools

Even with the combined use of both DMARC and DKIM, you won’t have complete protection against phishing attacks. Because of the way DMARC operates, it only protects against direct domain spoofing which, while a common method of phishing, is by no means the only one. URL and in-session phishing attacks behave very differently, as do search engine attacks and website spoofing.

Anyone who’s been a victim of such a threat and had to go through the painful process of recovering from a phishing attack will know just how damaging they can be and how important it is to avoid them. A combination of an antivirus package and a password manager is the best way of preventing phishing attempts of all descriptions. The best antivirus software and internet security suites include an anti-spam feature that uses heuristic analysis, content filtering and IP address blocking to prevent unwanted emails from infecting your device. A good password manager, on the other hand, will autofill information on sites you’ve used before but flag any that are unfamiliar or potentially malicious.

Other cyber threats occur when the connection between your device and the internet is compromised or, in other terminology, your DNS leaks private information into the public domain. One of the best ways to prevent this is with a VPN, which will create a fake IP address as well as an encrypted tunnel through which you can connect to the internet. Many VPNs also provide free tools so you can quickly and simply test for a DNS leak.

The prevalence and sophistication of cybercrime have demanded a similarly sophisticated response from the cybersecurity industry, and DKIM is a vital tool when it comes to combating the threat of domain name spoofing and its associated threats, such as phishing. According to Forbes, in 2017, phishing scams were costing US businesses around half a billion dollars a year. If DKIM can prevent just 5% of those, it would still mean a saving of around $2.5m, so it is clearly worth it even with its shortcomings.

DKIM may be important for cybersecurity but its slow adoption limits its powers. Other cybersecurity tools enjoy much more popularity, possibly because they’re more versatile and offer as much protection to the individual user as to business. Antivirus software has been around forever and still has an important role to play when it comes to both internet security and offline device protection.

Similarly, a VPN has an important role to play, although for many users it’s more about accessing geographically restricted content than it is about security. Nevertheless, as a VPN masks your online activities by hiding them behind a fake IP address, it gives robust protection against hackers attempting to use public Wi-Fi to infect or gain control over a device. A VPN will help protect you against device hijacking and identity theft, among other things.

A password manager may seem less important but is increasingly useful as the number of online accounts we all have seems to grow exponentially every year. Not only will a good password manager generate strong passwords that will be virtually impossible for a hacker to deduce, but it also allows users to apply two-factor authentication where available.

While DKIM is undoubtedly an important aspect of cybersecurity, for individual users, the protection offered by a reliable antivirus, a no-logging VPN, and a robust password manager arguably have more impact on their day-to-day security and degree of online privacy.