DKIM (DomainKeys Identified Mail) is an email authentication protocol that uses cryptographic signatures to verify the sender's domain identity. It ensures that the email was authorized by the domain owner and that the message body and the signed headers remained intact during transit. The protocol is defined in RFC 6376.
How it works
The system relies on asymmetric cryptography and follows this workflow:
- The domain owner publishes a public key in their DNS records as a TXT entry.
- The sending Mail Transfer Agent (MTA) signs the outgoing message by hashing selected headers and the body, then signing that hash with the domain's private key.
- The signature is attached to the email in the DKIM-Signature header.
- The recipient's server retrieves the public key via DNS, verifies the signature, and checks that the recomputed hashes match.
DKIM is primarily used to prevent email spoofing and phishing attacks. It is a critical component of modern email deliverability; major providers like Google and Yahoo require DKIM signatures for high-volume senders. Without a valid signature, messages are significantly more likely to be rejected or marked as junk. Implementing DKIM alongside SPF and DMARC provides a robust framework for domain reputation management and security.