DomainKeys Identified Mail (DKIM) is a method:
The signature associates:
Because the DKIM process digitally signs every message sent, the receiving end can:
As the first step, you should generate a key pair for your domain.
If you use an email provider, the key is provided by them.
A DNS record should be created with:
Receiving mail servers use this public key to verify the DKIM signatures on your messages.
Example for Google as email provider:
The DNS record name has the following structure:
selector._domainkey.domain
where the selector lets a domain publish several DKIM keys, one per signer (see the selector section for more information).
The domain is the DNS domain of the signer; in DKIM jargon it is the signing domain identifier (SDID).
Example:
my-provider._domainkey.my-domain.com
Example:
v=DKIM1;
k=rsa;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQUtHxTD63yxwq5fmjJ3RtXw2NP5/QEiSq3Xx85faTHnnj3/PA/igwWaueDsoeUuZOpkL74gDNGWBoQPecRaFrAXdPoEKGDYNBeMXzIkWQOth9Oaq4N+38LV08Ui86so8B2BhcvgXiqpACsrPur0hbDQWI183tZve7MKMPs3KPIQIDAQAB
where:
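To check a record like the one above before (or after) publishing it, here is an added example in Python; it is not code from the page. It joins the quoted strings a DNS client returns (a TXT record longer than 255 octets is split into several character-strings that a verifier must concatenate), parses the tags, and decodes the base64 p= value far enough to report the RSA key size: the key in the example record is 1024 bits, below the 2048 bits that RFC 8301 recommends for signers. The split point in the sample strings and all function names are this example's own.

```python
import base64
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1, DER-encoded

# Constructed sample: the record from the page, as a DNS client hands it back. TXT RDATA is a
# sequence of <character-string>s of at most 255 octets, so long keys arrive as several quoted
# strings; this record is short enough to fit in one and is split here only to show the join.
SAMPLE_TXT_STRINGS = [
    '"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQUtHxTD63yxwq5fmjJ3RtXw2NP5/QEiSq3Xx85faT"',
    '"Hnnj3/PA/igwWaueDsoeUuZOpkL74gDNGWBoQPecRaFrAXdPoEKGDYNBeMXzIkWQOth9Oaq4N+38LV08Ui86so8B2BhcvgXiqpACsrPur0hbDQWI183tZve7MKMPs3KPIQIDAQAB"',
]


def join_txt_strings(strings):
    """Concatenate the character-strings of a TXT record in order (RFC 6376 s.3.6.2.2)."""
    return "".join(s.strip('"') for s in strings)


def parse_tags(value):
    """Split a DKIM tag=value list; tag names are case-sensitive and may not repeat."""
    tags = {}
    for item in value.split(";"):
        if not item.strip():
            continue
        if "=" not in item:
            raise ValueError(f"malformed tag: {item.strip()!r}")
        name, val = item.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = val.strip()
    return tags


def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; returns (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def rsa_public_key_params(spki):
    """Return (modulus_bits, exponent) from a DER SubjectPublicKeyInfo carrying an RSA key."""
    tag, start, end = der_tlv(spki, 0)                   # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30 or end != len(spki):
        raise ValueError("p= is not a SubjectPublicKeyInfo")
    tag, alg_start, alg_end = der_tlv(spki, start)       #   algorithm AlgorithmIdentifier
    oid_tag, oid_start, oid_end = der_tlv(spki, alg_start)
    if tag != 0x30 or oid_tag != 0x06 or spki[oid_start:oid_end] != RSA_ENCRYPTION_OID:
        raise ValueError("key algorithm is not rsaEncryption")
    tag, bits_start, _ = der_tlv(spki, alg_end)          #   subjectPublicKey BIT STRING
    if tag != 0x03 or spki[bits_start] != 0:             # first octet = number of unused bits
        raise ValueError("unexpected BIT STRING")
    tag, rsa_start, _ = der_tlv(spki, bits_start + 1)    # RSAPublicKey ::= SEQUENCE
    n_tag, n_start, n_end = der_tlv(spki, rsa_start)     #   modulus INTEGER
    e_tag, e_start, e_end = der_tlv(spki, n_end)         #   publicExponent INTEGER
    if tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("unexpected RSAPublicKey structure")
    modulus = int.from_bytes(spki[n_start:n_end], "big")
    return modulus.bit_length(), int.from_bytes(spki[e_start:e_end], "big")


def check_dkim_record(strings):
    """Validate a published DKIM key record and report what a verifier would make of it."""
    tags = parse_tags(join_txt_strings(strings))
    warnings = []
    version = tags.get("v", "DKIM1")                     # v= is optional but, if present, must be DKIM1
    if version != "DKIM1":
        raise ValueError(f"unsupported version {version!r}")
    key_type = tags.get("k", "rsa")
    if "p" not in tags:
        raise ValueError("p= tag is required")
    p = re.sub(r"\s+", "", tags["p"])                    # folding whitespace inside the base64 is legal
    if p == "":                                          # an empty p= means the key was revoked
        return {"version": version, "key_type": key_type, "revoked": True, "warnings": warnings}
    if key_type != "rsa":
        raise ValueError(f"this checker only understands k=rsa, got {key_type!r}")
    bits, exponent = rsa_public_key_params(base64.b64decode(p, validate=True))
    if bits < 2048:
        warnings.append(f"{bits}-bit RSA key: RFC 8301 says signers SHOULD use at least 2048 bits")
    flags = tags.get("t", "")
    if "y" in flags.split(":"):
        warnings.append("t=y testing flag set: the domain declares it is still testing DKIM")
    return {"version": version, "key_type": key_type, "revoked": False,
            "modulus_bits": bits, "exponent": exponent, "flags": flags, "warnings": warnings}


if __name__ == "__main__":
    print(check_dkim_record(SAMPLE_TXT_STRINGS))
```

The DER walk is deliberately minimal: it only knows the SubjectPublicKeyInfo layout that k=rsa keys use, which is enough to tell a 1024-bit key from a 2048-bit one without pulling in a crypto library.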
A DKIM filter is the application (OpenDKIM, for example) that adds the DKIM-Signature header to every outgoing message.
After enabling DKIM processing:
For example:
DKIM-Filter: OpenDKIM Filter v2.11.0 server01.bytle.net 3E16E1FBE8
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bytle.net;
    s=dkimSelector; t=1591988898;
    bh=WBggpZrfs7F0OzQkyE7LiZPHyfFFhl7N4CNav2f5YVw=;
    h=Date:To:Subject:From:From;
    b=ByN4Iw4U9RP8bzaPK0n3HJbFlvI60ett+V9pkoli+UNtdAcSdq/ANc3hL71PzjrT4
     3yyTjK3MC5e2f/k+BAnIaAgnradAK/1CbMF4vMZVD6WoVIx7KTZlfWsW39Ir8PhqYQ
     4TKvPpDUx8ToxUz1gwQlxJoExYW3McXJ2WdvUAf8=
where:
This section describes the tags (metadata) carried in the DKIM-Signature header value.
The selector (the s= tag) names the DNS record that holds the public key, so one domain can publish several keys, one per signer. When a provider signs your mail, it usually dictates the selector value.
The DKIM selector:
Example with an entry for google:
The SDID (signing domain identifier) is the domain that claims responsibility for the message and under which the public key is published. In the DKIM-Signature header it is the d= tag:
Example:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bytle.net;
    s=dkimSelector; t=1591988898; ...
The AUID (agent or user identifier) is an optional value naming the agent or user on whose behalf the message was signed.
It is carried in the i= tag of the signature.
Example:
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com; [email protected];
    s=selector;
The value has the form of an email address; the local part is optional, and the domain part must be the d= domain or a subdomain of it.
Example of values:
The default value is
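As an added example (not the page's code), the following Python parses a folded DKIM-Signature header such as the one shown above into its tags, derives the DNS name that must be queried for the public key (s._domainkey.d, the name used in the lookup section), and runs the sanity checks a verifier performs before touching any cryptography: required tags present, bh= is the size of the declared hash, From is among the signed headers, and the i= domain belongs to d=. It also reports "oversigned" headers: listing From twice in h= when the message carries a single From header means a second From header added later would invalidate the signature. The sample header is constructed from the page's example; the function names are this example's own.

```python
import base64

# Constructed sample: the folded DKIM-Signature header from the page, as it sits in the message
SAMPLE_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bytle.net;\r\n"
    "\ts=dkimSelector; t=1591988898;\r\n"
    "\tbh=WBggpZrfs7F0OzQkyE7LiZPHyfFFhl7N4CNav2f5YVw=;\r\n"
    "\th=Date:To:Subject:From:From;\r\n"
    "\tb=ByN4Iw4U9RP8bzaPK0n3HJbFlvI60ett+V9pkoli+UNtdAcSdq/ANc3hL71PzjrT4\r\n"
    "\t 3yyTjK3MC5e2f/k+BAnIaAgnradAK/1CbMF4vMZVD6WoVIx7KTZlfWsW39Ir8PhqYQ\r\n"
    "\t 4TKvPpDUx8ToxUz1gwQlxJoExYW3McXJ2WdvUAf8="
)

DIGEST_LENGTH = {"sha1": 20, "sha256": 32}   # bytes in the bh= body hash for each a= hash


def parse_signature(header):
    """Unfold the header (CRLF followed by WSP is just WSP) and split its tag=value list."""
    name, _, value = header.replace("\r\n", "").partition(":")
    if name.strip().lower() != "dkim-signature":
        raise ValueError("not a DKIM-Signature header")
    tags = {}
    for item in value.split(";"):
        if not item.strip():
            continue
        tag, _, val = item.partition("=")
        tags[tag.strip()] = "".join(val.split())   # whitespace inside a value is folding, drop it
    return tags


def inspect_signature(header):
    """Structural checks on a DKIM-Signature header, before any key lookup or verification."""
    sig = parse_signature(header)
    problems = [f"missing required tag {t}=" for t in ("v", "a", "b", "bh", "d", "h", "s") if t not in sig]
    if sig.get("v") != "1":
        problems.append("v= must be 1")
    key_alg, _, hash_alg = sig.get("a", "").partition("-")
    body_hash = base64.b64decode(sig.get("bh", ""))
    if len(body_hash) != DIGEST_LENGTH.get(hash_alg):
        problems.append(f"bh= is {len(body_hash)} bytes, not a {hash_alg or 'known'} digest")
    signed = [h.lower() for h in sig.get("h", "").split(":") if h]
    if "from" not in signed:
        problems.append("h= must include From (RFC 6376 s.5.4)")
    # A header listed in h= more often than it occurs in the message is "oversigned": the missing
    # occurrence is hashed as empty, so adding such a header later breaks the signature.
    oversigned = sorted({h for h in signed if signed.count(h) > 1})
    domain = sig.get("d", "").lower()
    agent_domain = sig.get("i", "@" + domain).rpartition("@")[2].lower()   # AUID defaults to "@" + d=
    if not (agent_domain == domain or agent_domain.endswith("." + domain)):
        problems.append("i= domain must be d= or a subdomain of it")
    return {
        "dns_query": f"{sig.get('s', '')}._domainkey.{domain}",     # TXT record holding the public key
        "key_algorithm": key_alg,
        "hash_algorithm": hash_alg,
        "signature_bytes": len(base64.b64decode(sig.get("b", ""))),  # equals the RSA modulus size
        "signed_headers": signed,
        "oversigned_headers": oversigned,
        "problems": problems,
    }


if __name__ == "__main__":
    for key, val in inspect_signature(SAMPLE_HEADER).items():
        print(f"{key}: {val}")
```

For the page's header the signature decodes to 128 bytes, which is the size of a 1024-bit RSA signature and matches the 1024-bit key in the DNS record example earlier on the page.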
You can look up the DKIM record by querying the TXT record named selector._domainkey.sdid.
Example with nslookup:
# nslookup -type=TXT selector._domainkey.sdid
nslookup -type=TXT google._domainkey.datacadamia.com
Non-authoritative answer:
google._domainkey.datacadamia.com text =
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkGtLDG3wTcwJIuWDiKLXIAB1VmIRKbt0G6RamA6I+vbJf9HmTcKnVtcGsTl5fNnOdBCpyZXn6Kq+swwmQXH91D0yjStlExS2hr56qIEcCm2lecKq98PdQtQA0BKE0bEna1xryiwlNCKtH2ZqipIwFHmZgTV3WPOkjqwNQxoj4m93EXZktfslUnP88v9ArHOZM"
DKIM alignment is a DMARC check that compares the domain in the message's From: header with the d= domain of a DKIM signature that verified.
Examples of checks and their results:

| Author (From: header) | DKIM domain (d=) | Strict alignment | Relaxed alignment |
|---|---|---|---|
| [email protected] | foo.com | Pass | Pass |
| [email protected] | foo.com | Fail | Pass |
| [email protected] | foo.dev | Fail | Fail |
You select the mode with the adkim tag of the DMARC record:
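The alignment rule as executable Python, added here as an example and not taken from the page. Strict mode requires the From: domain and the d= domain to be identical; relaxed mode only requires the same organizational domain, which DMARC derives from the Public Suffix List. The list used below is a constructed stand-in with a handful of suffixes, so a real implementation must load the full list; the sample addresses, the DMARC record strings and all function names are this example's own.

```python
from email.utils import parseaddr

# Constructed, tiny stand-in for the Public Suffix List. A real DMARC implementation
# must use the full list (publicsuffix.org) to find the organizational domain.
PUBLIC_SUFFIXES = {"com", "dev", "net", "co.uk"}

# Constructed cases in the shape of the table above: (RFC5322.From, d= of a signature that verified)
CASES = [
    ("Bob <bob@foo.com>", "foo.com"),
    ("Bob <bob@mail.foo.com>", "foo.com"),
    ("Bob <bob@foo.com>", "foo.dev"),
]


def organizational_domain(domain):
    """Longest public suffix plus one label: mail.foo.com -> foo.com, www.foo.co.uk -> foo.co.uk."""
    labels = domain.lower().strip(".").split(".")
    for i in range(1, len(labels)):            # labels[1:] is the longest candidate suffix, so it wins
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)                    # unknown suffix: treat the whole name as organizational


def dkim_aligned(from_domain, signature_domain, mode="r"):
    """DMARC DKIM alignment: 's' needs an exact match, 'r' the same organizational domain."""
    a, b = from_domain.lower(), signature_domain.lower()
    if mode == "s":
        return a == b
    if mode == "r":
        return organizational_domain(a) == organizational_domain(b)
    raise ValueError(f"unknown adkim mode {mode!r}")


def adkim_mode(dmarc_record):
    """Read adkim= from a DMARC TXT record; relaxed is the default when the tag is absent."""
    tags = dict(item.strip().split("=", 1) for item in dmarc_record.split(";") if "=" in item)
    return tags.get("adkim", "r").strip()


def from_domain(from_header):
    """Domain of the RFC5322.From address, which is what DMARC aligns against."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()


def dmarc_dkim_result(from_header, verified_signature_domains, dmarc_record):
    """DMARC's DKIM check passes when at least one signature that verified is aligned."""
    mode = adkim_mode(dmarc_record)
    return any(dkim_aligned(from_domain(from_header), d, mode) for d in verified_signature_domains)


def alignment_table(cases=CASES):
    """Evaluate each case under both modes; returns (author, d=, strict, relaxed) rows."""
    rows = []
    for author, d in cases:
        strict = "Pass" if dkim_aligned(from_domain(author), d, "s") else "Fail"
        relaxed = "Pass" if dkim_aligned(from_domain(author), d, "r") else "Fail"
        rows.append((parseaddr(author)[1], d, strict, relaxed))
    return rows


if __name__ == "__main__":
    for row in alignment_table():
        print(" | ".join(row))
```

Note that a message may carry several signatures (your own plus a forwarding service's, for instance); DMARC only needs one of the signatures that verified to be aligned, which is what dmarc_dkim_result expresses.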
Below are libraries or software that can help you set up a DKIM process: