DKIM Explained

Guide to safe Emails

DKIM is a digital signature that can be added to an email address. It’s used to authenticate yourself as a sender of a message to improve deliverability and prevent spoofing.

Why use DKIM?

Imagine a scenario where You’re selling a product and you know about one potential buyer. You met with Sarah randomly at a seminar and mentioned the product briefly, and she seemed intrested as well. She asked you to email her some more details.

Now you come to your office, prepare a mail and send it to her. Now you are eagerly waiting to close the deal but you never received a response. Why is that?

There could be many reasons for poor deliverability but, this time you forgot to set up DKIM authentication for your email account. As a result, Sarah's server wasn’t quite sure if it was really you emailing her and discarded the message.

What is DKIM?

DomainKeys Identified Mail (DKIM) is a digital signature that’s added to every email sent from a given email address. It’s a seemingly random set of characters that are hidden in the source code of an email – a place where people don’t usually look but servers accepting incoming emails definitely will. Adding DKIM signature doesn’t guarantee delivery but it significantly boosts the odds of a positive outcome.

What does a DKIM Header look like?

Here’s an example of a DomainKeys Identified Mail record:

DKIM-Signature: v=1; a=rsa-sha256;; s=newyork;
c=relaxed/simple; q=dns/txt; t=1117574938; x=1118006938;

DKIM is made up of different elements, described with various tags and values corresponding to each.

v=1Version. Always equals to ‘1’.Mandatory
a=rsa-sha256Signing algorithm (so the one used to create a DKIM record on the sender’s end). Usually, it’s either rsa-sha or rsa-sha256. There are other algorithms but they’re not always supported by receiving clients.Mandatory
d=example.netThe domain of a sender of a message (where DKIM is signed).Mandatory
s=s1Selector. This includes instructions on which public key to use to resolve a given DKIM.Mandatory
c=relaxed/simpleCanonicalization algorithm that’s used for both header and body.Mandatory
q=dns/txtQuery method that’s used to retrieve the public key. By default, it’s ‘dns/txt’.Optional (recommended)
t=1117574938A timestamp of when the message was signed.Mandatory
x=1118006938Expire time of this DKIM (if an email arrives after the expiry time, the verification will fail even if everything else matches perfectly).Optional (recommended)
h=from:to:subjectList of headers, separated by colons.Mandatory
bhThe hashed message body, after being canonicalized with the method from ‘c’ tag and then run through the hash function from tag ‘a’.Mandatory
bAnd finally, this is the digital signature of both headers and body, hashed with the very same function.Mandatory