Guide to safe Emails
DKIM is a digital signature that is added to messages sent from a domain. It lets the receiving server verify that a message really came from that domain and was not altered in transit, which improves deliverability and prevents spoofing.
Imagine a scenario where you're selling a product and you know about one potential buyer. You met Sarah by chance at a seminar and mentioned the product briefly, and she seemed interested. She asked you to email her some more details.
Back at the office, you prepare the email and send it to her. Now you are eagerly waiting to close the deal, but you never receive a response. Why is that?
There could be many reasons for poor deliverability, but this time you forgot to set up DKIM authentication for your email domain. As a result, Sarah's mail server couldn't confirm that the message really came from you and discarded it.
DomainKeys Identified Mail (DKIM) is a digital signature that's added to every email sent from a given domain. It appears as a seemingly random string in the message headers, a place where people don't usually look but where servers accepting incoming email definitely will. Adding a DKIM signature doesn't guarantee delivery, but it significantly boosts the odds of a positive outcome.
Here's an example of a DKIM-Signature header as it appears in a message:
DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=newyork; c=relaxed/simple; q=dns/txt; t=1117574938; x=1118006938; h=from:to:subject:date:keywords:keywords; bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=; b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR
A DKIM-Signature header is made up of tag=value pairs separated by semicolons. The tags and their meaning:
| Tag | Meaning | Status |
|---|---|---|
| v=1 | Version. Always equals '1'. | Mandatory |
| a=rsa-sha256 | Signing algorithm (the one used to create the signature on the sender's end). Usually it's either rsa-sha1 or rsa-sha256. Other algorithms exist but are not always supported by receiving servers. | Mandatory |
| d=example.net | The domain of the sender of the message (the domain on whose behalf the message is signed). | Mandatory |
| s=s1 | Selector. Together with the domain it identifies which public key record the receiver should look up in DNS (at selector._domainkey.domain) to verify this signature. | Mandatory |
| c=relaxed/simple | Canonicalization algorithms used before hashing, given as header/body: the first value applies to the signed headers, the second to the body. | Mandatory |
| q=dns/txt | Query method used to retrieve the public key. By default it's 'dns/txt'. | Optional (recommended) |
| t=1117574938 | A timestamp (Unix time) of when the message was signed. | Mandatory |
| x=1118006938 | Expiry time (Unix time) of this signature. If the message is verified after this time, verification fails even if everything else matches perfectly. | Optional (recommended) |
| h=from:to:subject | List of header fields covered by the signature, separated by colons. | Mandatory |
| bh | The hash of the message body, after the body has been canonicalized with the body method from the 'c' tag and run through the hash function from the 'a' tag. | Mandatory |
| b | And finally, the digital signature itself: the header fields listed in 'h', plus this DKIM-Signature header with an empty 'b' value (which is how the body hash is covered), are canonicalized, hashed with the very same function and signed with the sender's private key. | Mandatory |
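The following added example (not code from the original page) shows what a receiving server does with the pieces described above before it touches any cryptography: it splits the DKIM-Signature header into its tags, applies 'simple' and 'relaxed' body canonicalization, recomputes the bh= value with the hash named in the a= tag, and checks the x= expiry. The header constant is the example from this page; the message bodies are constructed sample input, and the line-ending normalization on input is an assumption of this code (real mail is CRLF-terminated). Signature verification of b= is out of scope here because it needs the public key from DNS.

```python
"""Parse a DKIM-Signature header, canonicalize a message body and recompute
the bh= body hash the way a receiver does (standard library only)."""
import base64
import hashlib
import re

# The DKIM-Signature value shown on this page (bh= here is a placeholder, so
# it will not match any real body; it is used only to demonstrate parsing).
EXAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; d=example.net; s=newyork; c=relaxed/simple; "
    "q=dns/txt; t=1117574938; x=1118006938; "
    "h=from:to:subject:date:keywords:keywords; "
    "bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=; "
    "b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR"
)


def parse_dkim_signature(value: str) -> dict:
    """Split the tag=value list into a dict. Folding whitespace may appear
    anywhere inside a value (notably inside b= and bh=), so it is removed;
    values are split on the first '=' only so base64 padding survives."""
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, val = item.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def canonicalize_body(body: bytes, method: str) -> bytes:
    """RFC 6376 body canonicalization, 'simple' or 'relaxed'."""
    # Assumption: accept LF-terminated input too and normalize it to CRLF.
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    lines = body.split(b"\r\n")
    if method == "relaxed":
        # Collapse runs of SP/TAB to one SP, then drop trailing whitespace.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    elif method != "simple":
        raise ValueError(f"unknown body canonicalization: {method}")
    # Both methods ignore empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        # simple: an empty body becomes a single CRLF; relaxed: stays empty.
        return b"\r\n" if method == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, method: str = "simple",
              algorithm: str = "rsa-sha256") -> str:
    """bh= value: base64 of the hash from a= over the canonicalized body."""
    digest_name = algorithm.split("-", 1)[1]      # "rsa-sha256" -> "sha256"
    h = hashlib.new(digest_name)
    h.update(canonicalize_body(body, method))
    return base64.b64encode(h.digest()).decode("ascii")


def check_body_hash(header_value: str, body: bytes) -> bool:
    """True when the bh= in the header matches a fresh hash of the body.
    If c= carries a single value, the body method defaults to 'simple'."""
    tags = parse_dkim_signature(header_value)
    c = tags.get("c", "simple/simple")
    body_method = c.split("/", 1)[1] if "/" in c else "simple"
    return body_hash(body, body_method, tags.get("a", "rsa-sha256")) == tags["bh"]


def is_expired(tags: dict, now: int) -> bool:
    """x= is optional; when present, verifying after that Unix time fails."""
    return "x" in tags and now > int(tags["x"])


if __name__ == "__main__":
    tags = parse_dkim_signature(EXAMPLE_SIGNATURE)
    print("signing domain:", tags["d"], "selector:", tags["s"])
    print("signed headers:", tags["h"].split(":"))
    print("expired at t=1118006939?", is_expired(tags, 1118006939))
    sample = b"Hello   Sarah,\t\r\nDetails attached. \r\n\r\n\r\n"   # constructed
    print("relaxed bh:", body_hash(sample, "relaxed"))
    print("simple  bh:", body_hash(sample, "simple"))
    print("page bh matches sample body?", check_body_hash(EXAMPLE_SIGNATURE, sample))
```

The two canonicalization modes matter for deliverability: a mail relay that re-wraps whitespace breaks a 'simple' body hash but not a 'relaxed' one, which is why 'relaxed/relaxed' is the common choice for outbound signing.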