DomainKeys Identified Mail (DKIM)

From InboxSys document library
Jump to navigation Jump to search

DKIM (DomainKeys Identified Mail) is an E-Mail domain authentication method, designed to protect E-Mail sender domains (RFC5322.From) from forgery (spoofing). DKIM is defined in RFC 6376 with updates in RFC 8301 and RFC 8463. DKIM is a requirement of DMARC.


Each message is digitally signed by the sending server when it's being sent. DKIM works with a public key and a private key for signing and a selector for identification.


The selector assures that multiple DKIM records can be set on a single sender domain. Selectors can be any phrase. Here's an example from RFC 6376:

   selectors might indicate the names of office locations (e.g.,
   "sanfrancisco", "coolumbeach", and "reykjavik"), the signing date
   (e.g., "january2005", "february2005", etc.), or even an individual

The selector is used to compile a subdomain for the DKIM DNS TXT record. If, for example, the selector is "reykjavik" and the senderdomain is "", the following subdomain should be created:

Public and private key

The public key is publicly accessible in this DNS TXT record. The full content of the DNS TXT record may look like this:

v=DKIM1; t=s; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0vuPa8g6qdfYLi9TWfbMzFoijdNfJC6/a0uGfIj6fOr+z1fJlOsM1DhKaEaSkNeI0ClKjLx9648CfMl02TxViTvG1Ne2sDsFvGc53NzEd65I2BsPuLpBsHo5zXbZ1ZvLhFm+iOjXlPnD1WlOeQuDhFdIdR+1lWt5aExNwBvIqBr+nYfJt094h9fUwXxMpJ+75GtBdAo3j2nOlWlZtCkWnDmCsXd0j6nNrHz0fO8VqCcJmQsP1ThUgBlO7T3L4PiVg1yHbDpKyTgVb6zHpYt/cXiKmIxVn6nQoDxL9ZfQ2EmVi7hUfMcSoFpWdIpYuOnMmPgPk47J+YZjv4N2X6UpSQIDAQAB

There are numerous switches that can be applied to a DKIM record. The ones we see here are:

DKIM record switches
Switch Example Description Required
v v=DKIM1 Version Required
t t=s Alignment / Testing Recommended
k k=rsa Key type Optional
Public key Required

The long key (p-switch) is the public key that matches the private key on the signing server. This key can be obtained from your ISP/ESP or your mail server administrator.

The minimum length for DKIM keys is 1024 bit. The minimum recommended length for DKIM keys is 2048 bit.

Once a message has been received, the DKIM signature can be found in the E-Mail header and it looks like this:

   DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;;
	s=reykjavik; t=1117574938;;

The meaning of the individual switches we see in the example is as follows:

DKIM header switches
Switch Example Description Required
v v=1 Version Required
a a=rsa-sha256 Key type / Signing algorithm Required
c c=relaxed/relaxed Canonicalization algorithm(s) for header and body Optional
d Signing Domain Identifier (SDID) Required
s s=reykjavik Selector Required
t t=1117574938 Timestamp Recommended
i Sending domain (AUID) Optional
bh bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI= Body hash Required
list of header fields that have been signed Required
Signature of headers and body Required


Main article: Alignment

DKIM is aligned when the sender domain matches the signing domain. In correct phrasing: when the RFC5322.From domain (also "Agent or User Identifier"), represented in the i-switch, matches the "Signing Domain Identifier", represented in the d-switch.

Double DKIM

Main article: Double DKIM

DKIM in InboxSys app

To check your DKIM record, send a message to your seedlist and look in the authentication section of the E-Mail analysis.

Useful links