DKIM signature

Before creating a DKIM signature, the sender needs to decide which elements of the email the signature should cover. Typically this is the body of the message and a default set of headers. Once chosen, this selection is fixed: the covered elements must remain unchanged in transit, or DKIM validation will fail.

The covered elements are condensed into a unique textual string, the ‘hash value’. Before the email is sent, this hash value is encrypted with a private key; the result is the DKIM signature. Only the sender has access to this private key. Once this step is done, the email is sent with the DKIM signature attached.

Email receivers, like Gmail and Microsoft (Hotmail, Outlook etc.), detect the DKIM signature. The signature reveals which domain was used to sign the email. To validate it, the email receiver runs a DNS query to look up the public key for that domain; the variables carried in the DKIM signature determine where to look for this key. If the key is found, it can be used to decrypt the DKIM signature back to the original hash value. That value is compared to the hash freshly computed from the received mail. If they match, the DKIM signature is valid.
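The signing and verification steps described above, as an added Go example that is not part of the original article: it implements a toy subset of DKIM (RSA-SHA256, "simple" canonicalisation, a Go map standing in for the DNS TXT lookup) with an assumed domain example.com and selector sel1. Verify returns false when the body or a covered header was altered after signing, or when no key is published at selector._domainkey.domain.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"strings"
)
// Constructed toy DKIM: RSA-SHA256, "simple" canonicalisation, a Go map in place of the DNS TXT lookup; domain and selector are assumed.
const domain, selector = "example.com", "sel1"
// NewKey makes the signer's key pair; only the public half would be published in DNS.
func NewKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
// digest is the hash named by a=rsa-sha256, returned as a slice for the RSA calls.
func digest(b []byte) []byte { d := sha256.Sum256(b); return d[:] }
// bodyHash computes the bh= tag: base64(SHA-256(body)).
func bodyHash(body string) string { return base64.StdEncoding.EncodeToString(digest([]byte(body))) }
// signedData is what gets signed: the h= headers in order, then the DKIM-Signature header itself with an empty b= tag.
func signedData(hdrs map[string]string, names []string, dkimHdr string) []byte {
	s := ""
	for _, n := range names {
		s += n + ": " + hdrs[n] + "\r\n"
	}
	return []byte(s + "DKIM-Signature: " + dkimHdr)
}
// Sign returns the DKIM-Signature header value covering the named headers and the body.
func Sign(priv *rsa.PrivateKey, hdrs map[string]string, names []string, body string) string {
	unsigned := "v=1; a=rsa-sha256; c=simple/simple; d=" + domain + "; s=" + selector +
		"; h=" + strings.Join(names, ":") + "; bh=" + bodyHash(body) + "; b="
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(signedData(hdrs, names, unsigned)))
	if err != nil { panic(err) }
	return unsigned + base64.StdEncoding.EncodeToString(sig)
}
// Verify mirrors the receiver: read d= and s=, fetch the key at selector._domainkey.domain, recompute bh=, check b=.
func Verify(dns map[string]*rsa.PublicKey, hdrs map[string]string, body, dkimHdr string) bool {
	t := map[string]string{}
	for _, p := range strings.Split(dkimHdr, ";") {
		kv := strings.SplitN(strings.TrimSpace(p), "=", 2)
		if len(kv) == 2 { t[kv[0]] = kv[1] }
	}
	pub, ok := dns[t["s"]+"._domainkey."+t["d"]]
	sig, err := base64.StdEncoding.DecodeString(t["b"])
	if !ok || err != nil || t["bh"] != bodyHash(body) {
		return false // no key for that selector/domain, or the body changed after signing
	}
	unsigned := strings.TrimSuffix(dkimHdr, t["b"]) // the header as it was when signed
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(signedData(hdrs, strings.Split(t["h"], ":"), unsigned)), sig) == nil
}
```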

DKIM alone is not a reliable way of authenticating the identity of the email sender. The DKIM domain is not visible to the non-technical end user and does nothing to prevent spoofing of the visible ‘header from’ domain. DMARC addresses that problem by guaranteeing that the domain visible to the end user is the same as the domain validated by the DKIM and SPF checks. It also gives email receivers an instruction about what to do with emails that fail these checks.
