Definition
💡 DomainKeys Identified Mail (DKIM) is an email authentication method that signs every outgoing message with a unique digital signature. The purpose of the digital signature is the same as the purpose of a wax seal on an envelope: it allows the recipient to verify that the message hasn't been tampered with.
What does DKIM do?
DKIM strengthens email security by letting the recipient verify the identity of the sending domain and confirm that the email content hasn't been tampered with in transit (on its way from the origin server to the recipient's inbox).
The authentication method was defined in 2011, and it serves as a powerful defensive mechanism against email spoofing, phishing, and spam, all of which clutter inboxes and pose significant cybersecurity risks to individuals and organizations alike.
What is a DKIM selector and a DKIM record?
A DKIM selector is a unique identifier included in email headers. The purpose of this identifier is to point to a specific DKIM record in the sender's Domain Name System (DNS). By linking the selector in the email to the correct DKIM record, the recipient's email system can verify the sender's digital signature.
What is a DKIM key?
A DKIM key is actually a pair of cryptographic keys: one private and one public. As their names suggest, the private key is kept secret on the sender's mail server and is used to create DKIM signatures, while the public key is published in the sender's domain's DNS records, where anyone can retrieve it to verify DKIM signatures.
What is DKIM authentication and a DKIM signature?
DKIM authentication is the process of verifying that an email is legitimate using the DKIM signature. The process looks something like this:
- The sender's message is signed using their private DKIM key. The signature is added to the email headers.
- The recipient's mail server reads the DKIM signature, retrieves the public key that its selector points to in the sender's DNS, and uses it to check the signature and thus authenticate the message's origin.
- If the signature is valid, then the message passes the DKIM authentication process and is thus deemed to be legitimate.
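The verification flow above, as an added example in Python that is not part of the original page: it pulls the selector and domain out of a DKIM-Signature header, derives the DNS name the verifier queries, parses the TXT record found there, and recomputes the body hash (bh=) so that any tampering with the body is detected. The message, selector and domain are constructed; the RSA check of the b= tag over the signed headers is assumed to be handled by a crypto library and is omitted.

```python
import base64
import hashlib
import re

def parse_tags(value):
    """Parse a DKIM tag=value list; the DKIM-Signature header and the DNS TXT record share this syntax."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)  # whitespace inside values is ignored
    return tags

def dns_record_name(sig_tags):
    """The selector (s=) and signing domain (d=) name the TXT record holding the public key."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"

def public_key_from_record(txt):
    """Parse the record the selector points to; an empty p= means the key was revoked (RFC 6376)."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM key record")
    if not tags.get("p"):
        raise ValueError("public key revoked or missing")
    return tags["p"]

def simple_body_canon(body):
    """RFC 6376 'simple' body canonicalization: drop trailing empty lines, end with one CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")  # assumes bare LF should be CRLF
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body

def body_hash(body):
    """bh= value: base64 of SHA-256 over the canonicalized body (matches a=rsa-sha256)."""
    return base64.b64encode(hashlib.sha256(simple_body_canon(body).encode()).digest()).decode()

def body_hash_matches(sig_tags, body):
    """Any change to the body after signing makes the recomputed hash differ from bh=."""
    return sig_tags.get("bh") == body_hash(body)

# Constructed sample data, not a real domain or key. The b= tag would carry the RSA signature
# over the h= headers; verifying it needs an RSA library and is left out of this example.
BODY = "Hello,\r\nYour invoice is attached.\r\n"
DKIM_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=mail2024; "
                  "h=from:to:subject; bh=" + body_hash(BODY) + "; b=PLACEHOLDER")
DNS_TXT = "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"
```

Calling `body_hash_matches(parse_tags(DKIM_SIGNATURE), BODY)` returns True for the sample message and False once any body text is altered, while `dns_record_name(...)` yields `mail2024._domainkey.example.com`, the name the verifier would query.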
What is a DKIM email?
A DKIM email is any message that includes a DKIM signature in its headers. In practice, this signature is typically invisible to end users, but they can still tell that it's included by the presence of certain visual cues in their email client.
For example, in Gmail, a blue checkmark icon may appear next to the sender's name for emails that pass DKIM authentication (along with other security checks).
How many DKIM records can I have?
DKIM records are stored as DNS TXT records, and most domain providers support up to 49 TXT records, so that's the technical limit of how many DKIM records you can have. In practice, however, there's no reason to ever have more than a few DKIM records. For example, organizations sometimes set up one DKIM record for internal communications and another one for external communications.