/diː-keɪ-ˈaɪ-ɛm/
n. “Sign it so they know it’s really you.”
DKIM, short for DomainKeys Identified Mail, is an email authentication standard (RFC 6376) that lets a domain digitally sign the messages it sends. The receiving server can then verify that the message was signed with a key published by the claimed domain and that the signed headers and body have not been altered in transit.
When a domain owner sets up DKIM, the sending server uses a private key to sign each outgoing message, adding a DKIM-Signature header that names the signing domain (d=), a selector (s=), the headers that were signed (h=), a hash of the body (bh=) and the signature itself (b=). The matching public key is published as a DNS TXT record at selector._domainkey.domain. Receiving servers fetch that record, recompute the hashes and check the signature, establishing both integrity and the identity of the signing domain.
This is the foundation for detecting spoofing and phishing, but DKIM on its own is not enough. Without it, anyone can put a trusted domain in the From header. With it, a receiver can tell whether a message carries a valid signature from a given domain, but two gaps remain: an unsigned message is not a failure, so DKIM says nothing about mail that simply omits the signature, and the signing domain in d= does not have to match the From header, so a valid signature from an attacker's own domain proves nothing about the From address. Closing those gaps is the job of DMARC, which requires the signing domain to align with the From domain and defines what to do when no aligned signature exists.
For example, when sending an email from user@example.com, the sending server adds a DKIM signature with d=example.com. The recipient's server reads the selector from the signature, looks up the public key at that selector under _domainkey.example.com, and validates the signature. If it verifies, the message is known to have passed through a server holding example.com's private key; if it fails, the receiver's own policy or the domain's DMARC policy decides whether the message is flagged, quarantined or rejected.
DKIM is normally deployed alongside SPF and DMARC for layered email authentication. SPF checks the connecting server's IP address against the list published by the envelope sender's domain, DKIM binds a signing domain to the message content, and DMARC ties both to the visible From header through alignment, publishes the policy to apply when neither check passes in an aligned way (none, quarantine or reject), and requests reports so the domain owner can see who is sending in its name.
Beyond security, DKIM also helps with email deliverability. Messages with valid signatures are less likely to be marked as spam by modern email providers. It provides assurance to both senders and receivers, strengthening trust across the email ecosystem.
Setting up DKIM means generating a key pair (2048-bit RSA, the size RFC 8301 recommends, or Ed25519 under RFC 8463), publishing the public key as a TXT record under a selector, configuring the mail server to sign outgoing messages with the private key, and rotating keys periodically. Rotation is done by adding a new selector and key, switching signing to it, and only then removing or emptying the old record, so that mail already in transit still verifies. Implementation details vary by server software, but the core idea is constant: sign messages cryptographically so recipients can verify who signed them.
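The signing mechanism, the setup steps and the alignment caveat above, as one added example that is not part of this entry: a minimal RFC 6376 rsa-sha256 signer and verifier in Go using relaxed/relaxed canonicalization. Everything in it is constructed for illustration: the domains example.com and attacker.example, the selectors s1 and k1, the message text, and dnsTXT, an in-memory map that stands in for the selector._domainkey.domain TXT lookup. PublishKey is the "generate and publish" step, Sign is what the sending server does, Verify is the receiving side, and AlignedWithFrom is the DMARC check that DKIM itself never makes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Added example, not the page's code: DKIM rsa-sha256 signing and verification
// with relaxed/relaxed canonicalization (RFC 6376). Headers are keyed by
// lower-cased name, bodies use CRLF, and dnsTXT is a constructed stand-in for
// the real <selector>._domainkey.<domain> TXT lookup.
type Message struct {
	Headers map[string]string
	Body    string
}

var (
	dnsTXT = map[string]string{}
	wsRE   = regexp.MustCompile(`[ \t]+`)
	bTagRE = regexp.MustCompile(`(^|[;\s])b=[^;]*`) // blanks the b= value, keeps "b="
	b64    = base64.StdEncoding
)

// Relaxed header canonicalization: lower-case name, unfold, collapse WSP, trim.
func relaxedHeader(name, value string) string {
	v := wsRE.ReplaceAllString(strings.ReplaceAll(value, "\r\n", ""), " ")
	return strings.ToLower(name) + ":" + strings.TrimSpace(v) + "\r\n"
}

// Relaxed body canonicalization: collapse WSP, drop trailing WSP and trailing empty lines.
func relaxedBody(body string) string {
	body = wsRE.ReplaceAllString(body, " ")
	body = strings.ReplaceAll(body, " \r\n", "\r\n")
	if body = strings.TrimRight(body, " \r\n"); body == "" {
		return ""
	}
	return body + "\r\n"
}

func bodyHash(body string) string {
	h := sha256.Sum256([]byte(relaxedBody(body)))
	return b64.EncodeToString(h[:])
}

// Hash of the signed input: each h= header in order, then the DKIM-Signature
// header itself with an empty b= value and no trailing CRLF (RFC 6376 s. 3.7).
func signedHash(m Message, hList []string, dkimValue string) []byte {
	var b strings.Builder
	for _, name := range hList {
		if v, ok := m.Headers[strings.ToLower(name)]; ok {
			b.WriteString(relaxedHeader(name, v))
		}
	}
	b.WriteString(strings.TrimSuffix(relaxedHeader("DKIM-Signature", dkimValue), "\r\n"))
	h := sha256.Sum256([]byte(b.String()))
	return h[:]
}

// tags parses a "k=v; k=v" list; both the signature header and the DNS record use one.
func tags(s string) map[string]string {
	out := map[string]string{}
	for _, t := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(t), "="); ok {
			out[k] = strings.TrimSpace(v)
		}
	}
	return out
}

// PublishKey generates the key pair and "publishes" the v=DKIM1 TXT record.
func PublishKey(domain, selector string) (*rsa.PrivateKey, string) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	rec := "v=DKIM1; k=rsa; p=" + b64.EncodeToString(der)
	dnsTXT[selector+"._domainkey."+domain] = rec
	return priv, rec
}

// Sign adds a DKIM-Signature header covering hList and the body.
func Sign(m *Message, priv *rsa.PrivateKey, domain, selector string, hList []string) error {
	value := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(hList, ":"), bodyHash(m.Body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, signedHash(*m, hList, value))
	if err != nil {
		return err
	}
	m.Headers["dkim-signature"] = value + b64.EncodeToString(sig)
	return nil
}

// Verify checks the body hash, then the signature against the key published
// for s=/d=, and returns the signing domain. It never compares d= with From.
func Verify(m Message) (string, error) {
	raw, ok := m.Headers["dkim-signature"]
	if !ok {
		return "", fmt.Errorf("no DKIM-Signature header")
	}
	t := tags(raw)
	if bodyHash(m.Body) != t["bh"] {
		return "", fmt.Errorf("body hash mismatch")
	}
	der, _ := b64.DecodeString(tags(dnsTXT[t["s"]+"._domainkey."+t["d"]])["p"])
	pubAny, err := x509.ParsePKIXPublicKey(der)
	pub, isRSA := pubAny.(*rsa.PublicKey)
	if err != nil || !isRSA {
		return "", fmt.Errorf("no usable key at %s._domainkey.%s", t["s"], t["d"])
	}
	sig, _ := b64.DecodeString(t["b"])
	digest := signedHash(m, strings.Split(t["h"], ":"), bTagRE.ReplaceAllString(raw, "${1}b="))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, sig) != nil {
		return "", fmt.Errorf("signature invalid")
	}
	return t["d"], nil
}

// AlignedWithFrom is the DMARC strict-alignment check that DKIM itself does
// not make: the signing domain must equal the domain in the From header.
func AlignedWithFrom(m Message, signingDomain string) bool {
	_, dom, _ := strings.Cut(m.Headers["from"], "@")
	return strings.EqualFold(strings.Trim(dom, "> "), signingDomain)
}

func main() {
	priv, rec := PublishKey("example.com", "s1")
	fmt.Println("TXT s1._domainkey.example.com:", rec[:30]+"...")
	msg := Message{Headers: map[string]string{"from": "Alice <user@example.com>", "subject": "Hello"}, Body: "Hi Bob,\r\n"}
	if err := Sign(&msg, priv, "example.com", "s1", []string{"From", "Subject"}); err != nil {
		panic(err)
	}
	d, err := Verify(msg)
	fmt.Println("signing domain:", d, "error:", err, "aligned with From:", AlignedWithFrom(msg, d))
}
```

Three things the code makes visible that the prose does not: whitespace-only changes to the body still verify because relaxed canonicalization normalizes them away, a changed word fails on the body hash before any signature arithmetic runs, and a message signed with attacker.example's own valid key verifies cleanly under DKIM yet fails AlignedWithFrom, which is exactly why DMARC is layered on top. A production verifier also has to handle folded and repeated headers, the l=, t= and x= tags, and real DNS with its failure modes.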
In summary, DKIM is email's cryptographic signature. It ties a message to a signing domain, protects the integrity of the signed headers and body, and gives receivers the evidence they need to reject forgeries. Combined with SPF and DMARC, it is a cornerstone of modern email security.