DKIM Explained

Guide to safe Emails


DKIM is a digital signature that can be added to every email sent from a domain. It lets the receiving side confirm that a message really came from your domain, which improves deliverability and helps prevent spoofing.

Why use DKIM?

Imagine a scenario where you're selling a product and you know about one potential buyer. You met Sarah by chance at a seminar and mentioned the product briefly, and she seemed interested as well. She asked you to email her some more details.

Back at the office, you prepare a mail and send it to her. You wait eagerly to close the deal, but you never receive a response. Why is that?

There could be many reasons for poor deliverability, but this time you forgot to set up DKIM authentication for your email account. As a result, Sarah's server wasn't sure it was really you emailing her and discarded the message.

What is DKIM?

DomainKeys Identified Mail (DKIM) is a digital signature that's added to every email sent from a given domain. It's a seemingly random set of characters hidden in the source code of an email, a place where people don't usually look but where servers accepting incoming emails definitely will. Adding a DKIM signature doesn't guarantee delivery, but it significantly boosts the odds of a positive outcome.

What does a DKIM Header look like?

Here's an example of a DKIM-Signature header as it appears in a message's source:

DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=newyork;
c=relaxed/simple; q=dns/txt; t=1117574938; x=1118006938;
h=from:to:subject:date:keywords:keywords;
bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR

A DKIM signature is made up of several elements, each written as a tag followed by its value:

| Tag | Meaning | Mandatory/optional |
|---|---|---|
| v=1 | Version. Always equals '1'. | Mandatory |
| a=rsa-sha256 | Signing algorithm (the one used to create the DKIM signature on the sender's end). Usually it's either rsa-sha1 or rsa-sha256. Other algorithms exist but are not always supported by receiving servers. | Mandatory |
| d=example.net | The domain of the sender of the message (the domain whose key signed the DKIM). | Mandatory |
| s=s1 | Selector. Tells the receiver which public key to look up to verify this DKIM signature. | Mandatory |
| c=relaxed/simple | Canonicalization algorithms used for the header and the body (header/body), applied before hashing. | Mandatory |
| q=dns/txt | Query method used to retrieve the public key. By default, it's 'dns/txt'. | Optional (recommended) |
| t=1117574938 | Timestamp of when the message was signed. | Mandatory |
| x=1118006938 | Expiry time of this DKIM signature (if an email arrives after the expiry time, verification fails even if everything else matches perfectly). | Optional (recommended) |
| h=from:to:subject | List of the signed headers, separated by colons. | Mandatory |
| bh= | Hash of the message body, after canonicalization with the method from the 'c' tag and hashing with the function from the 'a' tag. | Mandatory |
| b= | And finally, the digital signature over the listed headers and the body hash, computed with the same algorithm from the 'a' tag. | Mandatory |
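As an added example (not code from the original article), here is a small Python parser for the tag=value list in a DKIM-Signature header, plus the non-cryptographic checks a receiving server applies before it even fetches the public key: mandatory tags present, a supported algorithm, From listed in h=, and the t=/x= validity window. The sample header is the one shown above, embedded as a constructed string; the tag names and required-tag list follow the table.

```python
import re
import time

# Constructed sample: the header shown above (b= value truncated as on the page),
# with the folding whitespace a real message would carry between lines.
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; d=example.net; s=newyork;\r\n"
    " c=relaxed/simple; q=dns/txt; t=1117574938; x=1118006938;\r\n"
    " h=from:to:subject:date:keywords:keywords;\r\n"
    " bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;\r\n"
    " b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR"
)

REQUIRED_TAGS = ("v", "a", "d", "s", "h", "bh", "b")  # tags marked Mandatory above
SUPPORTED_ALGS = ("rsa-sha1", "rsa-sha256")

def parse_dkim_signature(value):
    """Return a dict of tag -> value from a DKIM-Signature header value."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)   # undo header line folding
    tags = {}
    for part in unfolded.split(";"):                # tags are ';'-separated
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")        # first '=' only; b= may end in '='
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip()] = re.sub(r"\s+", "", val)  # whitespace in values is ignored
    return tags

def check_signature_fields(tags, now=None):
    """List reasons a verifier would reject the signature before doing any crypto."""
    problems = []
    for t in REQUIRED_TAGS:
        if t not in tags:
            problems.append(f"missing mandatory tag {t}=")
    if tags.get("v") != "1":
        problems.append("unsupported version")
    if tags.get("a") not in SUPPORTED_ALGS:
        problems.append(f"unsupported algorithm {tags.get('a')!r}")
    if "h" in tags and "from" not in tags["h"].lower().split(":"):
        problems.append("h= must include the From header")
    now = int(time.time()) if now is None else now
    if "t" in tags and "x" in tags and int(tags["x"]) <= int(tags["t"]):
        problems.append("x= expiry is not after t= signing time")
    if "x" in tags and int(tags["x"]) < now:
        problems.append("signature expired")      # the x= behaviour described above
    return problems
```

Because x= in the sample lies in 2005, running the check against the current clock reports the signature as expired; pass a `now` inside the t=/x= window to see an empty problem list.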