Similar to SPF, DKIM is one of the foundational elements of email authentication for DMARC. DKIM is used to prevent spam, spoofing and tampering. It uses asymmetric cryptography (a public/private key pair) to verify whether the sender is authorised to send email for the domain. The public key forms part of the DNS records of the domain, so any recipient mail server can retrieve it. The private key is used to sign the emails that are sent out and is kept private to the sender's domain.
DKIM has a specific format in which it has to be added under the DNS settings of your domain: `[selector]._domainkey.[domain]`. The `[selector]` value is usually generated by the email service provider specifically for your domain. The `[domain]` is your email domain name. The `._domainkey.` part is a standard fixed value included in all DKIM records.

A single domain can have multiple DKIM records, one for each server that sends email on its behalf; therefore, the `[selector]` value should remain unique for each service that you use to send your emails.
Here is a sample DKIM record added in the DNS settings:

```
v=DKIM1; k=rsa; p=QWE...< redacted >...RTY
```

| Tag | Meaning |
|---|---|
| `v=DKIM1` | This indicates that this record should be treated as a DKIM record |
| `k=rsa` | This specifies the key type (RSA) used for the signature |
| `p=QWE…RTY` | This is the public key that can be used by any recipient |
This is how it looks in the DNS settings of a domain:

DKIM works based on digital signatures, which use a public-private key pair. The private key is used to sign the message and the public key is used to verify the digital signature.
When we send a new email, the email body is processed through a hash function to generate a hash value `bh`. The private key stored in the sender's mail server is then used to create the digital signature (the DKIM signature) `b`, by signing the email header fields `h` and the hash value of the email body `bh`. This digital signature is appended as a header (the DKIM-Signature header) and sent along with the email. By default, these headers are not visible to the user; however, they can be looked up through the "more details" or "show original" option of the email client.

On the recipient side, the receiving server detects the DKIM signature `b` and looks up the sender's public key `p` published in the DNS settings. The receiving server uses the same values `h` and `bh` present in the email header to generate the digital signature `b1`. If the comparison of the signatures `b` and `b1` succeeds, it proves that the sending domain indeed sent this message and that it has not been modified in transit. If there have been any modifications, the DKIM signatures will not match and hence DKIM validation will fail.
Message header from an email received in Proton Mail:

```
Authentication-Results: mail.protonmail.ch; dkim=pass (Good 1024 bit
rsa-sha256 signature) header.d=zanil.me [email protected]
header.a=rsa-sha256
Dkim-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1731129908; s=zmail;
d=zanil.me; [email protected];
h=Date:Date:From:From:To:To:Message-Id:Message-Id:In-Reply-To:References:Subject:Subject:MIME-Version:Content-Type:Reply-To:Cc;
bh=unyxlgKWoTHA9zpZeKRPtT9wCd2FUzrG3RDaIE23qnU=;
b=lymVERssLiOaY53X6awl8KSyC1XBH8XacLOvrqoHaNJKEquQZF3ZYg7Vu/qiPjhw
B35IaLPuTxcncGioBhghVhcexZPbjCwgTUma+6FSw0ZdRBgeW5+fqXuK5qQL1/+cxX0
88Z+lKPIHw4wE06rdSXP1ovHtkF+nYRFmyWwsYWY=
```
- `v` = the DKIM version
- `a` = the signing algorithm
- `q` = the default query method
- `c` = the canonicalization algorithm(s) for header and body
- `t` = the signature timestamp
- `s` = the selector configured in the DNS settings
- `d` = the signing domain
- `i` = the identity of the user or agent sending the message
- `h` = the list of signed header fields, repeated for fields that occur multiple times
- `bh` = the hash value computed on the email body
- `b` = the actual digital signature of the contents (headers and body) of the mail message

Full-length headers are available [here](<https://zanil.notion.site/139984b8ad5780ac8250cc2122616a36>).
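As an added example (not the post's own code, nor any mail provider's), here is the receiver-side body-hash check from the verification flow described above, in Python: it parses the tags of a DKIM-Signature header, canonicalizes the body the way the `c=` tag requires, recomputes `bh` and compares it with the signed value. The message body, the domain `example.com`, the selector `sel2024` and the `bh` value are constructed for the example; checking `b` against the public key from DNS is the next step and is not shown.

```python
import base64
import hashlib
import re


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value ('tag=value; tag=value; ...') into a dict,
    dropping the folding whitespace that mail clients insert inside long values."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body(body, method):
    """RFC 6376 body canonicalization. 'simple' only removes trailing empty lines;
    'relaxed' also strips trailing whitespace per line and collapses runs of spaces/tabs."""
    if method == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in body.split("\r\n")]
        while lines and lines[-1] == "":
            lines.pop()
        return "\r\n".join(lines) + "\r\n" if lines else ""
    return re.sub(r"(\r\n)*$", "", body) + "\r\n"


def body_hash(body, method):
    """The bh= value: base64 of SHA-256 over the canonicalized body (for a=rsa-sha256)."""
    digest = hashlib.sha256(canonicalize_body(body, method).encode()).digest()
    return base64.b64encode(digest).decode()


def check_body_hash(dkim_signature_value, body):
    """Receiver-side body-hash check: recompute bh= from the body actually received and
    compare it with the signed value. A mismatch means the body was altered in transit.
    Verifying b= over the h= fields with the public key from DNS is the next step (not shown)."""
    tags = parse_dkim_tags(dkim_signature_value)
    canon = tags.get("c", "simple/simple").split("/")  # c=header/body; a lone value means body=simple
    body_method = canon[1] if len(canon) == 2 else "simple"
    return body_hash(body, body_method) == tags["bh"]


# Constructed sample (not a real message): the body that was signed and a DKIM-Signature
# header whose bh= is computed for it; b= is a placeholder because it is not checked here.
ORIGINAL_BODY = "Hello,\r\n\r\nPlease find the invoice attached.\r\n\r\nRegards\r\n\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024; "
             "h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY, "relaxed") + "; b=<omitted>")
```

With `c=relaxed/relaxed`, a body that only differs in trailing spaces or extra blank lines still passes, while any change to the words fails the check.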
Online tools such as SocketLabs or EasyDMARC can help with this; in some cases, your email provider can also help set up these values.

DKIM alone is not sufficient to protect your emails: if the recipient server does not validate DKIM, the signature has no effect, and your emails may still be rejected.