What is DKIM, the Email DomainKeys Identified Mail? (Mail Signatures)

About

DomainKeys Identified Mail (DKIM) is a method:

The signature associates:

Usage

Because the DKIM process signs digitally all messages send, the receiving end can:

  • authenticate the sender (not spam or phishing)
  • verify that the message was not modified.

How it works

Steps to set up DKIM

Generate a Private / Public Key Pair

As the first step, you should generate a key pair for your domain.

If you use an email provider, the key is provided by them.

Create a DKIM DNS Record

A DNS record should create with:

  • a DNS key
  • that contains as value, the public key

Email servers can use this key to verify your messages' DKIM signatures.

Example for Google as email provider:

Dkim Entry

DKIM DNS Key

The DNS Key has the following structure: 

selector._domainkey.domain

where selector permits to have several dkim signatory. See the selector section for more information

The domain is the DNS domain and is known as signing domain identifier (sdid) in the DKIM jargon.

Example: 

my-provider._domainkey.my-domain.com

DKIM DNS Value

Example: 

v=DKIM1; 
k=rsa; 
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQUtHxTD63yxwq5fmjJ3RtXw2NP5/QEiSq3Xx85faTHnnj3/PA/igwWaueDsoeUuZOpkL74gDNGWBoQPecRaFrAXdPoEKGDYNBeMXzIkWQOth9Oaq4N+38LV08Ui86so8B2BhcvgXiqpACsrPur0hbDQWI183tZve7MKMPs3KPIQIDAQAB

where:

  • k is the public key implementation (in this case: RSA)
  • p is the public key

Enable DKIM and control the DKIM signature header

A DKIM filter is the filter application or client that adds the DKIM signature to all outgoing messages.

After enabling DKIM processing:

For example: 

DKIM-Filter: OpenDKIM Filter v2.11.0 server01.bytle.net 3E16E1FBE8
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bytle.net;
	s=dkimSelector; t=1591988898;
	bh=WBggpZrfs7F0OzQkyE7LiZPHyfFFhl7N4CNav2f5YVw=;
	h=Date:To:Subject:From:From;
	b=ByN4Iw4U9RP8bzaPK0n3HJbFlvI60ett+V9pkoli+UNtdAcSdq/ANc3hL71PzjrT4
	 3yyTjK3MC5e2f/k+BAnIaAgnradAK/1CbMF4vMZVD6WoVIx7KTZlfWsW39Ir8PhqYQ
	 4TKvPpDUx8ToxUz1gwQlxJoExYW3McXJ2WdvUAf8=

where:

  • a is the algorithm used to generate the signature. Mostly rsa-sha256, ie a RSA signature hashed by the sha256 algorithm)
  • s is the dkim selector that you find in the domain record
  • d is the domain known as sdid
  • i is the Agent or User Identifier (AUID)
  • t is the Signature Timestamp
  • b is the signature (ie the output if the signature algorithm)
  • h is the header fields used as input of the signature algorithm
    • Example of values: h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID:
  • c specifies the canonicalization algorithms for the headers and body (default is simple/simple). It manages how the email can be modified in transit while preserving the signature:
    • simple tolerates almost no email modification in transit
    • relaxed tolerates common modifications such as whitespace replacement and header field line rewrapping.

Metadata

This section talks about the metadata that are included in the DKIM-Signature value.

Selector

The selector permits selecting the DNS record that contains the public key. It has generally the value of your mail provider that will sign your email.

The DKIM selector:

  • is specified as an attribute of the DKIM-signature header field (the s key) in the emails send.
  • permit multiple public keys (under the same organization's domain name).

Example with an entry for google:

Dkim Selector

Signing Domain Identifier (SDID)

The sdid 1) is the domain site where the public key can be found. In the DKIM Signature header, you can find it in the d property:

Example: 

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bytle.net;
	s=dkimSelector; t=1591988898; ...

Agent or User Identifier (AUID)

The AUID 2) is an optional value that identifies the user agent that has signed the message.

You can find its value in the signature on the i property.

Example: 

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com; [email protected]; 
  s=selector;

The value is an email value.

Example of values:

The default value is

How to lookup DKIM record ?

You can lookup the dkim record.

Example with Nslookup 

# nslookup -type=TXT selector._domainkey.sdid
nslookup -type=TXT google._domainkey.datacadamia.com

Non-authoritative answer:
google._domainkey.datacadamia.com       text =

        "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkGtLDG3wTcwJIuWDiKLXIAB1VmIRKbt0G6RamA6I+vbJf9HmTcKnVtcGsTl5fNnOdBCpyZXn6Kq+swwmQXH91D0yjStlExS2hr56qIEcCm2lecKq98PdQtQA0BKE0bEna1xryiwlNCKtH2ZqipIwFHmZgTV3WPOkjqwNQxoj4m93EXZktfslUnP88v9ArHOZM"

Alignment

DKIM alignment is a check that compares:

  • the domain of the DKIM signature (the field d=)
  • to the domain of the author address (the From: header)

Examples of checks and their results:

Author (From: header) DKIM domain Strict alignment Relaxed alignment
[email protected] foo.com Pass Pass
[email protected] foo.com Fail Pass
[email protected] foo.dev Fail Fail

You can set the type of checks with the adkim attribute of the DMARC record with:

  • a s for strict
  • a r for relaxed

Library

Below are libraries or software that can help you set up a DKIM process:

Specification / Reference

Documentation

1)
SDID documentation
2)
Auid documentation




Discover More
How does the email system work? SMTP, POP, IMAP explained

This page gives you the foundations of the email system. At the end, you should be able to understand why when you configure your email client, you need to set up: The SMTP configuration And the...
Dkim Record Text Format Ovh Dns Zone
How to configure DKIM with PostFix, a step by step guide

This article will show and explain you how to install DKIM with OpenDkim as a milter for Postix on CentOS
How to configure your server to send Email properly?

Configuring your domain to manage email is not an easy task, this article groups them in one place
Web - User Agent (UA)

A user agent is the internet name for a process. It may be: a software an application a service They are called user agent because they are acting on behalf of a user. The most well-known user...
What are email headers?

Email header are the most important part for email routing and this articles regroups the main logic about them
What is BIMI (Brand Indicators for Message Identification)? How to add a brand logo to your Emails?

With BIMI , a logo file should be displayed in the receiver inbox. When all requirements pass, the email provider will look up a TXT record where the content starts with v=BIMITXTDKIM domaindapex...
What is DMARC (Domain-based Message Authentication)?

Domain-based Message Authentication, Reporting and Conformance (DMARC) is a text DNS Record that indicates to the receiving server what actions should be taken if the emails do not pass the email authentication...
What is Email Authentication?

By default, the SMTP protocol does not have any authentication mechanism when the email is received. There may be an authentication when you try to send but not when you receive. To prevent spoofing...
Map Of Internet 1973
What is a DNS Record?

DNS A DNS record is a row in a DNS database. Example of a A record. where: api is a relative name IN is the INTERNET class (An other value is ANY) A is the A record 164.132.99.202 is the...
Gmail Show Original Email
What is a Email Message ? known as Internet Message or RFC822

An email is a document that is composed of the following structure one or more headers followed by a body that may be composed of multi-parts: Text part HTML part Attachment and Inline Images...



Share this page:
Follow us:
Task Runner