Anti-Email Spoofing 101 – DomainKeys Identified Mail

DKIM

DKIM, also known as DomainKeys Identified Mail, is an email anti-spoofing method that authorizes a domain to sign emails via cryptographic authentication.

Like SPF, DKIM uses a DNS text (TXT) record. The record publishes a public key in the DNS, which can be used to verify that parts of an email haven’t been changed.

DKIM was published fairly recently, in 2007, in RFC 4871, and replaced the obsolete and deprecated version of Yahoo’s DomainKeys. The latest update of the DKIM protocol was published back in 2011 in RFC 6376.

Why use DKIM?

When outgoing messages are signed with DKIM, the recipient is able to verify that a message is from the sender it claims to be from, and that its content has not been modified. Applying DKIM reduces the chances of emails being identified as spam, and helps discourage others from spoofing your email, especially when combined with SPF.

How does DKIM work?

The DKIM public key is published in the DNS as a text (TXT) record. MTAs (Mail Transfer Agents) that have the private key can sign outgoing emails, whilst MTAs that receive such a signed message can verify its authenticity using the public key from the DNS. The DKIM protocol adds a signature to the email headers, containing the hashed value of both headers and body, generated with the private key.

Remember that DKIM uses a public-private key pair. The private key is known only to you, for obvious reasons, and is used to create the signature. The public key, available to anyone, is used to check whether the correct private key generated the hashed value of the headers and body content.

When a server checking for DKIM receives a message, it automatically retrieves the public key from the sending domain’s DNS, and uses it to verify that the DKIM header matches the headers and body.

What does DKIM look like?

As we stated above, the DKIM public key is published in a DNS TXT record. Here’s an example of what the record could look like:

dkim._validation         TXT     "v=DKIM1; g=*; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwLraMpNCxvISSsmD77xV8Oj4KP7OwRcLRh/Qa5aOci/anZZgDNEngRFJVOM1qXEms154WsmTI0yUTVJDwnQRKkBE0gVb7zOOFWNHSsXrzYkL9bTfL15o7IzqSrD2axuUxWhdfql5du8dg6I60SjzY0YCuehu44CXQrK2LXbYklDpQSOssVWWv+qMgrr5Jj9eubQwZTfVx+kbHEmPguMYhuFW1hKRw1k/VyHIsAUo0/nvvbCk2j1aIoZslF/zbzDQlRmnU1b5+R5A62Fj4EkUjW3h3Y0QaQdVUpCFzxJmjVRtbl3VtYz30Uo6aiwp6cDl1x2EYJhqVfAOS0GbKJysRwIDAQAB;"

Here, “p=” is the generated public key. The record name “dkim._validation” also contains a selector; in our case, “validation” is the selector. This can actually be anything you want, so be creative about it!
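As an added example (not SpamExperts' code), the following Python audits the value of a DKIM key record like the one above: it splits the tag list, treats an empty “p=” as a revoked key as RFC 6376 specifies, and reads the RSA modulus size out of the base64-encoded key. The function names, the constructed sample key with its placeholder modulus, and the 2048-bit minimum are assumptions made for this illustration.

```python
import base64

def parse_tags(txt):
    """Split a DKIM tag=value list such as 'v=DKIM1; k=rsa; p=...' into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def read_tlv(buf, pos, want):
    """Read the DER element at pos, checking its tag; return (content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits say how many length bytes follow
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if tag != want or pos + length > len(buf):
        raise ValueError("unexpected or truncated DER element")
    return pos, pos + length

def rsa_modulus_bits(spki):
    """Bit length of the RSA modulus inside a SubjectPublicKeyInfo blob."""
    start, _ = read_tlv(spki, 0, 0x30)                  # outer SEQUENCE
    _, alg_end = read_tlv(spki, start, 0x30)            # AlgorithmIdentifier, skipped
    bit_start, _ = read_tlv(spki, alg_end, 0x03)        # BIT STRING
    key_start, _ = read_tlv(spki, bit_start + 1, 0x30)  # RSAPublicKey, after unused-bits byte
    n_start, n_end = read_tlv(spki, key_start, 0x02)    # INTEGER modulus
    return int.from_bytes(spki[n_start:n_end], "big").bit_length()

def audit_key_record(txt, min_bits=2048):  # min_bits is an assumed local policy
    """Return findings for one DKIM key record; an empty list means no issue."""
    tags = parse_tags(txt)
    if tags.get("k", "rsa") != "rsa":
        return ["non-RSA key type, size check skipped"]
    if not tags.get("p"):
        return ["empty p=: key revoked or missing"]
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):
        return ["p= is not valid base64-encoded DER"]
    return [f"weak key: {bits}-bit RSA"] if bits < min_bits else []

# Constructed sample: a 1024-bit key structure with a placeholder modulus, not a usable key.
SAMPLE_SPKI = bytes.fromhex("30819f300d06092a864886f70d010101050003818d0030818902818100"
                            + "80" + "00" * 126 + "01" + "0203010001")
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(SAMPLE_SPKI).decode()

if __name__ == "__main__":
    print(audit_key_record(SAMPLE_RECORD))
```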

Here at SpamExperts, we use the DKIM protocol to add another layer of security when it comes to email spoofing, in addition to SPF.

Until next week, stay tuned by subscribing to our blog and keep your email safe!

Have anything to add? Drop us a line in the comment section below.
