DomainKeys Identified Mail (DKIM)

DKIM lets a receiving mail server check that a message was authorized by the owner of the domain it claims to come from, and that the signed parts of the message were not modified in transit. It was designed to make email spoofing harder and to give the receiver a way to detect tampering. On its own it does not reject unsigned mail; that decision comes from a DMARC policy, which is why DKIM is normally deployed together with SPF and DMARC.

This is achieved by adding a digital signature to the message headers, in a header called DKIM-Signature. The sending mail server computes a hash of the message body and records it in the bh= tag, then hashes the selected headers listed in the h= tag (From, To, Subject and so on) together with the DKIM-Signature header itself, signs that hash with the domain's private key, and stores the signature in the b= tag. The same header names the signing domain (d=) and a selector (s=). The receiving server reads d= and s=, looks up the public key published in DNS at selector._domainkey.domain, recomputes the body hash and the header hash from the message as it received it, and checks the signature against them with the public key. Nothing is encrypted or decrypted here: the signature proves that whoever held the private key signed exactly these headers and this body. If the body hash does not match, or the signature does not verify, the message was altered after signing or was not signed by that domain's key. Only the headers listed in h= are protected, so a header that is not listed can still be changed without affecting the result.

Setting up DKIM

Generate a key pair
For DKIM to work a key pair needs to be generated: a private key, which stays on the sending mail server and signs outgoing mail, and a public key, which is published in DNS. Hosted email systems such as Gmail (Google Workspace) and Microsoft 365 generate the pair for you in the backend and only show you the public key record to publish. If you run your own mail server you generate the pair yourself; use a 2048-bit RSA key, as RFC 8301 recommends, and keep the private key readable only by the signing process.

Gmail instructions
Office 365 Instructions

Add Public Key to DNS record
Once the email system has generated the public key, publish it as a TXT record in the DNS zone of the sending domain. The record name is the selector followed by ._domainkey, relative to the domain; the example below uses the selector google, so the full name is google._domainkey.yourdomain. The receiving server builds exactly this name from the s= and d= tags of the signature, so the selector in DNS must match the one the mail system uses.
An example of this is:

DNS Host name (TXT record name):
google._domainkey

TXT record value:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgo8qasOIy3OHLUaayvKzrB23lZnxcwyoH/….

Here v=DKIM1 is the record version, k=rsa the key type, and p= the base64-encoded public key (shown truncated). The p= value for a 2048-bit key is longer than the 255-character limit of a single TXT string, so in a zone file it is split into several quoted strings that resolvers join back together; most DNS control panels handle this for you, but if you edit the zone by hand do not let the split insert stray characters. After publishing, query the record from outside your own network to confirm it resolves, and only then enable signing on the sending side.
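The following Go program is an added example, not part of the original post or of any mail product's code. It walks through the signing and verification process described above and the DNS record step with a freshly generated 2048-bit key: it builds the TXT record value for the post's selector (google) under a constructed domain, signs a constructed message, then verifies it the way a receiving server would and shows that editing the body or the From header breaks verification. The domain, addresses, message text and the simplified header canonicalization are assumptions made for the example; a production verifier fetches the record from DNS and implements RFC 6376 canonicalization in full.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

const domain, selector = "example.com", "google" // constructed for this example; selector as in the post

// dnsRecord returns the TXT record name and value that publish pub under this selector.
func dnsRecord(pub *rsa.PublicKey) (name, value string) {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an *rsa.PublicKey
	return selector + "._domainkey." + domain, "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// tags parses the "k=v; k=v" form shared by the TXT record and the DKIM-Signature header.
func tags(s string) map[string]string {
	out := map[string]string{}
	for _, t := range strings.Split(s, ";") {
		if kv := strings.SplitN(strings.TrimSpace(t), "=", 2); len(kv) == 2 {
			out[kv[0]] = strings.Join(strings.Fields(kv[1]), "") // drop folding whitespace
		}
	}
	return out
}

// canonBody is "simple" body canonicalization: drop trailing empty lines, end with one CRLF.
func canonBody(body string) string {
	body = strings.TrimRight(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	return strings.ReplaceAll(body, "\n", "\r\n") + "\r\n"
}

// signatureInput is the data that is hashed and signed: the h= headers in order (lowercased
// names, a simplification of relaxed canonicalization), then the DKIM-Signature header with empty b=.
func signatureInput(headers map[string]string, h, dkimHeader string) []byte {
	var b strings.Builder
	for _, name := range strings.Split(h, ":") {
		b.WriteString(name + ":" + headers[name] + "\r\n")
	}
	b.WriteString(dkimHeader) // no trailing CRLF on the DKIM-Signature header itself
	return []byte(b.String())
}

// Sign builds the DKIM-Signature header: body hash in bh=, RSA-SHA256 signature in b=.
func Sign(priv *rsa.PrivateKey, headers map[string]string, body string) (string, error) {
	bh := sha256.Sum256([]byte(canonBody(body)))
	hdr := fmt.Sprintf("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=from:to:subject; bh=%s; b=", domain, selector, base64.StdEncoding.EncodeToString(bh[:]))
	digest := sha256.Sum256(signatureInput(headers, "from:to:subject", hdr))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return hdr + base64.StdEncoding.EncodeToString(sig), nil
}

// Verify does what the receiving server does after fetching the TXT record for
// s._domainkey.d: recompute both hashes and check the signature. Nothing is decrypted.
func Verify(txtRecord string, headers map[string]string, body, dkimHeader string) error {
	der, err := base64.StdEncoding.DecodeString(tags(txtRecord)["p"])
	if err != nil {
		return err
	}
	key, err := x509.ParsePKIXPublicKey(der)
	pub, ok := key.(*rsa.PublicKey)
	if err != nil || !ok {
		return fmt.Errorf("p= tag is not a usable RSA key: %v", err)
	}
	t := tags(strings.TrimPrefix(dkimHeader, "DKIM-Signature:"))
	bh := sha256.Sum256([]byte(canonBody(body)))
	if base64.StdEncoding.EncodeToString(bh[:]) != t["bh"] {
		return fmt.Errorf("body hash mismatch: body changed after signing")
	}
	sig, _ := base64.StdEncoding.DecodeString(t["b"]) // an undecodable b= simply fails below
	digest := sha256.Sum256(signatureInput(headers, t["h"], strings.TrimSuffix(dkimHeader, t["b"])))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return fmt.Errorf("bad signature: a signed header changed or the key does not match")
	}
	return nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	name, record := dnsRecord(&priv.PublicKey)
	hdrs := map[string]string{"from": "alice@example.com", "to": "bob@example.net", "subject": "Invoice"} // constructed
	sig, _ := Sign(priv, hdrs, "Please pay invoice 42.\r\n\r\n")
	fmt.Printf("%s TXT %.40s...\nunchanged: %v\n", name, record, Verify(record, hdrs, "Please pay invoice 42.\r\n\r\n", sig))
	fmt.Println("edited body:", Verify(record, hdrs, "Pay invoice 42 to this account.\r\n", sig))
	hdrs["from"] = "ceo@example.com"
	fmt.Println("edited From:", Verify(record, hdrs, "Please pay invoice 42.\r\n\r\n", sig))
}
```

Run it with go run; the unchanged message verifies (nil error) while the edited body fails on the body hash and the edited From fails on the signature, which is the distinction a receiving server makes between the bh= and b= checks. The generated record value starts with the same MIIBIjAN... prefix as the post's example because that is how the DER encoding of any 2048-bit RSA public key begins.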
