Before creating a DKIM signature, the sender needs to decide which elements of the email are covered by the signature. Typically this is the body of the message and a default set of headers, although this can be configured. Once chosen, these elements must remain unchanged in transit or DKIM validation will fail.
The selected elements are reduced to a unique textual string, the hash value. Before sending the email, this hash value is signed (encrypted) with a private key, producing the DKIM signature. Only the sender has access to this private key. The email is then sent with this DKIM signature.
Email receivers, such as Gmail and Microsoft (Hotmail, Outlook, etc.), detect the DKIM signature. The signature states which domain was used to sign the mail. To validate it, the receiver runs a DNS query to look up the public key for that domain; the variables provided in the DKIM signature determine where to look for this key. If the key is found, it is used to recover the original hash value from the signature. That value is compared with the hash recomputed from the received mail. If they match, the DKIM signature is valid.
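The receiver-side steps described above, as an added illustration written for this page rather than code from DMARC Analyzer: it reads the tags of a DKIM-Signature header, derives the DNS name where the public key is published, and recomputes the body hash (bh=) so that a body altered in transit is detected. The header value, selector and domain are constructed samples, and checking the b= value against the public key is left out.

```python
import base64
import hashlib
import re
# Constructed sample DKIM-Signature header value (not from a real message): bh= is
# the hash of an empty body under relaxed canonicalization; b= is only a placeholder.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024;"
    " h=from:to:subject:date; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;"
    " b=PLACEHOLDER_SIGNATURE_VALUE"
)

def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (same syntax in the header and the DNS TXT record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def dns_query_name(tags: dict) -> str:
    """Where the receiver looks for the public key: <selector s=>._domainkey.<domain d=>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def canonicalize_body(body: bytes, mode: str = "simple") -> bytes:
    """RFC 6376 body canonicalization: 'simple' drops trailing empty lines only;
    'relaxed' also collapses runs of whitespace and strips trailing whitespace."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:  # empty body: one CRLF under simple, nothing under relaxed
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "simple") -> str:
    """The bh= tag: base64 of SHA-256 over the canonicalized body."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode()

def body_hash_matches(signature_header: str, body: bytes) -> bool:
    """Receiver-side check: the body hash recomputed from the mail as received must
    equal bh= from the signature; any change to the body in transit fails here."""
    tags = parse_tags(signature_header)
    canon = tags.get("c", "simple/simple").split("/")  # c=<header>/<body>, body optional
    body_mode = canon[1] if len(canon) == 2 else "simple"
    return body_hash(body, body_mode) == tags["bh"]
```

A real verifier would then fetch the TXT record at the name returned by dns_query_name, parse it with the same tag syntax to obtain the p= public key, and check the b= value over the signed headers.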
DKIM alone is not a reliable way of authenticating the identity of the email sender. The DKIM domain is not visible to the non-technical end user and does nothing to prevent spoofing of the visible 'header from' domain. DMARC addresses that problem by ensuring that the domain visible to the end user is the same as the domain validated by the DKIM and SPF checks. It also gives email receivers an instruction about what to do with mails that fail these checks.
Start using our tool DMARC Analyzer to secure your domain