What you'll learn in this article
DKIM ensures email authenticity with digital signatures, enhancing security. When paired with DMARC and SPF, domains can effectively mitigate cyber threats.
- DKIM employs digital signatures to validate email authenticity and integrity, enhancing security measures.
- DKIM records, stored in DNS, contain public keys crucial for email authentication, facilitating effective implementation.
- Combining DKIM with DMARC verifies sender addresses, reducing phishing risks and enhancing overall email security.
DKIM explained
DKIM, or DomainKeys Identified Mail, is an email authentication method that uses a digital signature to let the
receiver of an email know that the message was sent and authorized by the owner of a domain.
How does DKIM work?
Once the receiver determines that an email message is signed with a valid DKIM signature, it can be confirmed that the
email's content has not been modified. In most cases, DKIM signatures are not visible to end users; the validation is
done at the mail server level.
If DKIM is used together with DMARC or SPF, you can protect your domain against malicious emails sent from domains
impersonating your brand. It also helps improve email deliverability over time and supports stronger inbox placement.
What is a DKIM record?
A DKIM record is a line of text within the DNS record that contains the public key which the receiving mail server can use to authenticate the DKIM signature. In practice, it is commonly published as a DNS TXT record under a selector tied to your domain.
Since spoofing emails from trusted domains is becoming a more rampant cyber threat, it is important to first check your DKIM record to begin your DKIM implementation. It is recommended that you add a DKIM record to your DNS whenever possible to authenticate any email communication from your domain.
Do you know who is sending email on behalf of your domain and brand? Get started with DKIM and DMARC to ensure your
brand is not being exploited by cybercriminals.
What is a DKIM record check?
A DKIM record check is a tool that tests the domain name and selector for a valid published DKIM record. Mimecast offers a free DKIM checker that can support DKIM verification. Mimecast also offers a free SPF validator and free DMARC record checks.
Begin your DKIM and DMARC journey by first checking your DKIM record.
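The kind of test a DKIM record check performs, as an added example (not Mimecast's checker or any code from this article): it derives the DNS name from a signature's selector and domain, then inspects the record's tags. The sample signature and records are constructed, the key material is placeholder bytes, and the 270-byte threshold is an assumption of this example.

```python
import base64

def parse_tags(text):
    """Split a DKIM tag=value list (RFC 6376, section 3.2) into a dict."""
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def key_lookup_name(dkim_signature_value):
    """DNS name the receiver queries: <s=>._domainkey.<d=> from the signature."""
    sig = parse_tags(dkim_signature_value)
    return f"{sig['s']}._domainkey.{sig['d']}"

def check_record(txt):
    """Return the problems found in a DKIM key record (empty list = usable)."""
    tags, problems = parse_tags(txt), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("unsupported version")
    ktype = tags.get("k", "rsa")  # k= defaults to rsa when absent
    if ktype not in ("rsa", "ed25519"):
        problems.append("unknown key type")
    if "p" not in tags:
        return problems + ["missing p= tag"]
    if tags["p"] == "":
        return problems + ["key revoked (empty p=)"]
    try:
        key = base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return problems + ["p= is not valid base64"]
    # Size heuristic: a 2048-bit RSA key decodes to about 294 bytes, a 1024-bit key to about 162.
    if ktype == "rsa" and len(key) < 270:
        problems.append("RSA key shorter than 2048 bits")
    if "y" in tags.get("t", "").split(":"):
        problems.append("testing mode (t=y)")
    return problems

# Constructed samples: placeholder bytes of realistic length, not real keys.
SIG = "v=1; a=rsa-sha256; d=example.com; s=sel1; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER"
GOOD = "v=DKIM1; k=rsa; p=" + base64.b64encode(bytes(294)).decode()
WEAK = "v=DKIM1; k=rsa; t=y; p=" + base64.b64encode(bytes(162)).decode()
REVOKED = "v=DKIM1; p="

if __name__ == "__main__":
    print(key_lookup_name(SIG))
    for name, rec in (("good", GOOD), ("weak", WEAK), ("revoked", REVOKED)):
        print(name, check_record(rec) or "ok")
```

In a live check the record text would come from a TXT query for the name that key_lookup_name returns.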
Using DKIM to prevent email spoofing
The DKIM protocol uses a cryptographic signature, carried in a header added to the message, to verify that the email
communication is authentic and that it has not been changed in transit. The receiver uses a public key found in the
DKIM record in the domain's DNS to verify the DKIM signature and authenticate the message.
While the protocol is helpful, DKIM alone is not a guaranteed way of preventing spoofing attacks. The DKIM information
is not visible to a non-technical user and does nothing to address the possibility that the sender is spoofing the
"from" address in the email – the only information that most users see. The private keys used to sign messages with
DKIM can be stolen by hackers. And managing public keys can be a time-consuming burden for security teams, especially across more than one email server or across different streams of outgoing email.
Key Aspects of DKIM
DMARC, or Domain-based Message Authentication Reporting & Compliance, builds on the DKIM protocol as well as the
Sender Policy Framework (SPF) protocol to provide a stronger layer of defense against email spoofing. DMARC ensures
that the visible "from" address matches the underlying IP address to prevent spoofing. In order to pass the
DMARC checks, a message needs to pass DKIM authentication and/or SPF authentication. The DMARC Analyzer app further
provides instructions for how the emails that have failed the DMARC checks should be handled.
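How a receiver decides the DMARC result, as an added example (not code from this article or from DMARC Analyzer): DMARC compares the domain in the visible "from" address with the domains that DKIM and SPF authenticated (identifier alignment, RFC 7489), which is why a valid DKIM signature from another domain does not help a spoofed message. The domains and the two-label org_domain shortcut are assumptions of this example; real evaluators use the Public Suffix List.

```python
def org_domain(domain):
    """Simplified organizational domain: the last two labels (example assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    """Identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_result(from_domain, dkim_results, spf_result, adkim="r", aspf="r"):
    """dkim_results: list of (d= domain, passed); spf_result: (MAIL FROM domain, passed).
    DMARC passes when at least one passing mechanism is aligned with the From domain."""
    dkim_ok = any(ok and aligned(from_domain, d, adkim) for d, ok in dkim_results)
    spf_domain, spf_passed = spf_result
    spf_ok = spf_passed and aligned(from_domain, spf_domain, aspf)
    return "pass" if (dkim_ok or spf_ok) else "fail"

# Constructed cases; every domain below is a reserved .example name.
CASES = {
    # Signed by a subdomain of the brand, sent through a third-party bounce domain.
    "legitimate": ("brand.example", [("mail.brand.example", True)],
                   ("bounce.esp.example", True)),
    # DKIM and SPF both pass, but for a domain unrelated to the visible From.
    "spoofed_from": ("brand.example", [("unrelated.example", True)],
                     ("unrelated.example", True)),
    # DKIM signature broken in transit, SPF still passes and is aligned.
    "dkim_broken": ("brand.example", [("brand.example", False)],
                    ("brand.example", True)),
}

def evaluate_all():
    """Return {case name: DMARC result} for the constructed cases."""
    return {name: dmarc_result(*args) for name, args in CASES.items()}

if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name}: {result}")
```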
The DMARC protocol can significantly minimize the damage attackers can cause through spoofing and/or phishing attacks.
However, it can be time-consuming and difficult to deploy DMARC without superior tools and qualified help. That's why
more organizations turn to Mimecast when seeking to implement DMARC with minimal effort and delay.
Mimecast DMARC Analyzer: A faster path to authentication
Mimecast DMARC Analyzer provides the tools and resources you need to implement DMARC quickly and easily while
minimizing cost, risk and effort. DMARC Analyzer serves as an expert guide, providing analyzing software that enables
the shortest time possible for publishing your reject policy. This Mimecast solution offers full insight into your
email channels to make sure legitimate email does not get blocked, and delivers alerts, reports and charts that
simplify the task of monitoring performance and enforcing authentication.
With Mimecast DMARC Analyzer, you can:
- Detect and block attackers by performing a DMARC check to determine whether email is attempting to spoof customers,
employees and other parties.
- Gain 360° visibility and governance across all email channels.
- Implement DMARC policy on the gateway with self-service email intelligence tools.
- Host and manage SPF records.
- Avoid the 10 SPF lookup limitation.
- Save time and money with a 100% SaaS-based solution.
- Gain access to easy-to-use alerts, reports and charts to help achieve enforcement and monitor performance.
DMARC Analyzer: Key features
DMARC Analyzer simplifies DMARC deployment with a step-by-step approach and self-service tools that enable faster
movement to DMARC enforcement. DMARC Analyzer offers:
- Unlimited users, domains and domain groups, enabling administrators to ensure full coverage.
- Setup wizard for DMARC records.
- Forensic reports that simplify the task of identifying and tracking down the sources of malicious email.
- Daily and weekly summary reports that allow administrators to track progress over time.
- Tools to monitor DNS changes and receive alerts when a record is altered.
- User-friendly aggregate reports and charts that enable easier analysis and faster time to DMARC policy enforcement.
- Enhanced security based on two-factor authentication.
- Validators for DMARC, SPF, and DKIM records.
- Managed services (optional) that enable organizations to minimize risk while moving to DMARC enforcement in the
shortest time possible.