anavem.
Back to Glossary
D

DKIM (DomainKeys Identified Mail)

DKIM is an email authentication method that uses cryptographic signatures to verify that an email message was authorized by the sending domain and was not altered in transit.

What is DKIM?

DomainKeys Identified Mail (DKIM) is an email authentication standard that allows a receiving mail server to verify the authenticity and integrity of an email. It does this by attaching a digital signature to outgoing messages, which recipients validate using a public key published in DNS. If the message is modified after it is sent - or if it was not authorized by the domain - the DKIM check fails.

Why DKIM matters

DKIM is critical because it:

  • Protects domains from email spoofing
  • Helps recipients trust legitimate messages
  • Improves email deliverability
  • Supports spam and phishing detection
  • Is a foundational control for email security

Without DKIM, it is easier for attackers to impersonate a domain.

How DKIM works

A simplified DKIM flow looks like this:

  1. The sending mail server signs the message with a private key
  2. The DKIM signature is added to the email headers
  3. The receiving server retrieves the public key from DNS
  4. The signature is verified against the message content
  5. The message passes or fails DKIM validation

The process is transparent to end users.

DKIM records explained

DKIM relies on DNS TXT records, which include:

  • A selector (to allow key rotation)
  • The public cryptographic key
  • The DKIM version and parameters

Example (simplified): selector1._domainkey.example.com

Selectors make it possible to update keys without interrupting email flow.

DKIM vs SPF vs DMARC

These mechanisms work together but serve different roles:

  • SPF: verifies sending server authorization
  • DKIM: verifies message integrity and domain authorization
  • DMARC: defines policy and alignment using SPF/DKIM

DKIM alone does not stop spoofing - DMARC enforcement is required.

DKIM in spam and phishing prevention

DKIM helps:

  • Detect forged or altered emails
  • Reduce domain impersonation
  • Improve filtering accuracy in receiving systems

However, attackers can still send properly signed malicious emails from compromised accounts.

DKIM limitations

DKIM does not:

  • Encrypt email content
  • Guarantee sender trustworthiness
  • Block all phishing or spam
  • Prevent compromise of legitimate mailboxes

DKIM verifies authenticity, not intent.

Best practices for DKIM

Effective DKIM deployment includes:

  • Using strong cryptographic keys (e.g., 2048-bit)
  • Rotating DKIM keys periodically
  • Signing all outbound email streams
  • Aligning DKIM with the visible From domain
  • Combining DKIM with SPF and DMARC (policy = reject)

Common misconceptions

  • "DKIM encrypts email"
  • "DKIM alone stops phishing"
  • "DKIM makes emails trustworthy"
  • "Once enabled, DKIM never needs maintenance"