DKIM (DomainKeys Identified Mail) is an email authentication method that uses cryptographic signatures to verify that an email message was authorized by the sending domain and has not been altered during transit.
When an email is sent, the sending mail server (MTA) generates a DKIM signature using a private key and adds it to the message header as a DKIM-Signature field. The corresponding public key is published in the sending domain’s DNS.
The sending mail server creates a cryptographic hash of selected email headers and the message body.
This hash is signed using the sender’s private DKIM key.
The resulting signature is added to the email header as a DKIM-Signature.
When the receiving mail server gets the email, it retrieves the sender’s public DKIM key from DNS.
The receiver recalculates the hash of the signed headers and body, then uses the public key to verify the signature against that freshly calculated hash.
If the values match, the message is confirmed as authentic and unmodified.
DKIM validation occurs at the mail server level and is not visible to end users.
Verifies that the email was authorized by the domain owner
Detects changes to the message body (including attachments) or signed headers during transit
Helps prevent domain spoofing and tampering
DKIM does not encrypt email content. It only verifies integrity and authenticity.
No. DKIM by itself does not block or filter emails.
However, the authentication results provided by DKIM are used by receiving mail servers as part of their spam filtering and trust evaluation process. Emails that pass DKIM verification are more likely to be trusted, while emails that fail DKIM may receive a higher spam score.
Here is an example of a DKIM-Signature header:
DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=selector1;
    c=relaxed/simple; q=dns/txt; t=1700000000; x=1700086400;
    h=from:to:subject:date;
    bh=Base64BodyHashValue;
    b=Base64SignatureValue
v – DKIM version
a – Signing algorithm
d – Signing domain
s – Selector used to locate the public key in DNS
c – Canonicalization method for headers and body
q – Query method for retrieving the public key
t – Signature timestamp
x – Signature expiration time
h – List of signed header fields
bh – Hash of the message body
b – Cryptographic signature
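As an added illustration (not code from this page or from TDMARC), the Python below parses the example header into its tags, derives the DNS name a receiver queries for the public key (selector, then "_domainkey", then signing domain, per RFC 6376), and runs the checks a verifier can make before any cryptography. The function names and the "now" parameter are assumptions made for this example; the bh= and b= values are the page's placeholders, so no signature is actually verified.

```python
import re

# The example header value from this page (placeholder bh=/b= values kept as-is).
SAMPLE = (
    "v=1; a=rsa-sha256; d=example.net; s=selector1;\r\n"
    " c=relaxed/simple; q=dns/txt; t=1700000000; x=1700086400;\r\n"
    " h=from:to:subject:date;\r\n"
    " bh=Base64BodyHashValue;\r\n"
    " b=Base64SignatureValue"
)

def parse_tags(value):
    """Split a DKIM-Signature value into a {tag: value} dict (RFC 6376 tag-list)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        if not part.strip():
            continue  # a trailing ';' is allowed
        name, sep, val = part.partition("=")
        name = name.strip()
        if not sep or name in tags:
            raise ValueError(f"malformed or duplicate tag: {part.strip()!r}")
        # bh= and b= are base64 and may contain folding whitespace
        tags[name] = re.sub(r"\s+", "", val) if name in ("b", "bh") else val.strip()
    return tags

def key_record_name(tags):
    """DNS name whose TXT record holds the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def precheck(tags, now):
    """Return reasons to reject the signature before any crypto is attempted."""
    required = ("v", "a", "d", "s", "h", "bh", "b")
    problems = [f"missing required tag {t}=" for t in required if t not in tags]
    if problems:
        return problems
    if tags["v"] != "1":
        problems.append("unsupported version")
    signed = [h.strip().lower() for h in tags["h"].split(":")]
    if "from" not in signed:  # RFC 6376 requires From to be among the signed headers
        problems.append("From header is not signed")
    if "x" in tags:
        if now > int(tags["x"]):  # treating expiry as a failure is receiver policy
            problems.append("signature expired")
        if "t" in tags and int(tags["x"]) <= int(tags["t"]):
            problems.append("x= is not later than t=")
    return problems
```

An empty list from precheck only means the header is well-formed and current; the receiver still has to fetch the key and verify bh= and b= against the message.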
DKIM serves as an additional authentication layer when implemented alongside SPF and DMARC. Together, they help protect email against spoofing and improve its chances of being delivered.
TDMARC provides a DKIM Record Checker tool that allows you to verify your domain’s DKIM configuration and check the DKIM key length.
TDMARC analyses your organization's SPF record and produces a report that helps experts within your organization set the record correctly. With TDMARC, your organization can stay protected from sources that try to forge your domain names.
TDMARC comes with some of the most innovative and beneficial features like:
With such unparalleled features, you can effectively improve the email domain reputation of your organization. In addition to these features, it significantly improves protection against email spoofing and unauthorized use of your domain.