Authenticating Your Email Domain With DKIM


Spammers and phishers often forge email "from" addresses to make their messages look legit. DKIM (DomainKeys Identified Mail) is a tool designed to help these forgeries.

The idea behind DKIM is straightforward: an outgoing mail server digitally signs an email message and the receiving system, or perhaps the mail client itself, verifies the signature.

In order for the process to work, the host that sends mail for a domain, say example.com creates a public key and a private key. The public key is stored in the site's DNS (the Domain Name System, used primarily for translating names to the IP addresses used by the Internet) records and the private key is kept confidential. Specifically a TXT (text) record is added to example.com's DNS:

IN TXT "v=DKIM1; p=AAAAB3Nza..."

When a user from example.com sends an email, the server uses the private key to sign the message. It generates a unique number (hash) from the contents of the message and encrypts it with that private key. [You can learn more about digital signatures at: https://cromwell-intl.com/cybersecurity/verify-digital-signature.html ] It then puts that signature into the header of the email message and sends it along to the destination.

When the message is received, the public key is retrieved from the DNS record of the claimed sending domain (example.com here) and the signature is decrypted. If the signature is correct, the message is presumed to come from that domain, if not, it is presumed to be a forgery. If the message, sender, or signature in the header is modified, the signature will not validate as correct. Indeed, none of the spam messages in my spam folder are signed.

Individuals that use gmail, yahoo, or other servers will usually have their mails signed by their providers. Some mailing lists are signed by list provider e.g. Mailchimp.

Of course, this will only work if a) the sending host is configured for DKIM, b) the sending host generates the signature, and c) the recipient actually checks the signature. Today, those requirements are not universally met. If a sending host does not sign a message, recipients will have no signature to check and will let the message pass on to the recipient. That means spammers will still be able to forge (spoof) addresses. I was heartened to see that virtually all the messages in my inbox did pass validation, though.

graphic showing the sending host is configured for DKIM, the sending host generates the signature, and the recipient actually checks the signature

Google's gmail does indeed try to verify the DKIM signatures of messages its subscribers receive.

DKIM: 'PASS' with domain ""

Some online sites will validate the DKIM record for a Domain.

When my mail client detects an invalid signature, I see

DKIM Invalid (E-Mail was modified)

If there is no DKIM signature, there is no message.

Adding DKIM to a domain not only helps reduce the probability of spoofing the domain, it also adds credibility to the sending domain. As a small business this is important to me, and that's why I configured it for my domain.

John McDermott

Written by John McDermott

John McDermott, CPLP, started his work in computer security in 1981 when he caught an intruder in a system he was managing. In recent years his consulting has included security consulting for small businesses. He is Security+ and CCP certified. In his 30 years with Learning Tree John has written and taught courses in programming, networking and computer security. He is the co-author of Learning Tree’s course System and Network Security: A Comprehensive Introduction. John is currently a learning and development consultant in northern New Mexico. He lives in a house made of earth with his wife, who is an artist.

Chat With Us