DKIM (Domain Keys Identified Mail) is an email authentication technique that allows the receiver to check that an email was indeed send and authorized by the owner of that domain. This is done by giving the email a digital signature. This DKIM signature is a header that is added to the message and is secured with encryption.
Once receiver (or receiving system) determines that an email is signed with a valid DKIM signature, it’s certain that parts of the email among which the message body and attachments haven’t been modified. Usually, DKIM signatures are not visible to end-users, the validation is done on a server level.
Implementing the DKIM standard will improve email deliverability and will protect against malicious emails sent on behalf of your domain. Though, in practice these goals are achieved more effective if you use DKIM record together with DMARC (and even SPF). DMARC and DMARC Analyzer use both SPF and DKIM. Together they provide synergy and the best result for email security and deliverability.
DKIM was formed by merging two existing specifications Domain Keys (created by Yahoo) and Identified Internet Mail (from Cisco) in 2004.
It developed into a new widely adopted authentication technique which was also registered as an RFC by the IETF. All leading ISP’s (like Google, Microsoft and Yahoo) check incoming mail for DKIM signatures.
The DKIM signature is generated by the MTA (Mail Transfer Agent). It creates a unique string of characters called Hash Value. This hash value is stored in the listed domain. After receiving the email, the receiver can verify the DKIM signature using the public key registered in the DNS. It uses that key to decrypt the Hash Value in the header and recalculate the hash value from the email it received. If these two DKIM signatures are a match the MTA knows that the email has not been altered. This gives the user confirmation that the email was actually sent from the listed domain.
DMARC is build on top of DKIM and SPF. Together they are the best practice to prevent email spoofing and make your emails more trustworthy. DMARC only works if you have set up both SPF and DKIM. If you have proper process this carefully you can use the DMARC Analyzer tool to receive DMARC reports which contain detailed information who is sending email on your behalf.