DKIM doesn't have to be difficult: A simplified guide


Of the three standards that make up email authentication, namely Domain-based Message Authentication, Reporting, and Conformance (DMARC) itself, Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM), DKIM is the least well-understood. You might hear that it has something to do with encryption or that it prevents interception of emails, and while it’s understandable why people think this, it’s not 100% accurate.

In this blog, I aim to do a few things: first, I’d like to help explain what DKIM does and doesn’t do and why it’s important. Second, I want to highlight where I often see DKIM implementations go wrong. Finally, I’d like to introduce some of Sendmarc’s tools that make DKIM management much easier (such as our DKIM checker tool and our DKIM Key Generator).

DKIM email authentication

What is DKIM?

Let’s start with the basics. DKIM’s main role is to allow email receivers to verify whether a message has been altered before it lands in the intended inbox. DKIM does not prevent emails from being intercepted and read but provides recipients with a way to verify whether the email was modified.

DKIM does this by allowing the domain owner to attach a cryptographic signature to emails sent from their domain. The recipient’s server authenticates this signature to ensure the message’s integrity and legitimacy. The DKIM record, stored in the Domain Name System (DNS), holds the public key this verification uses.

Think of DKIM as a wax seal on a message sent by some king in the olden days. When a noble receives that message, they know that no one messed with it because the wax seal is intact. Sure, a bandit might’ve gotten a peek at some of the words by lifting the side of the letter, but they wouldn’t be able to change the message. DKIM works similarly, protecting your emails from alteration on the way to the recipient.

How does DKIM work?

Let’s take a closer look at what’s going on under the hood. DKIM relies on a private and public key pair to authenticate an email, and the process needs both the sender and the receiver to play their part. Here’s how it works:

  1. Sender’s action: The sender’s server uses a private key to create a unique signature based on the email’s contents. This signature is added to the email header. The header isn’t visible to the average user.
  2. Recipient’s verification: Once the message lands in the receiver’s email server, that server fetches the sender’s public key from the DKIM record in DNS. It uses this key to check that the signature matches the message as received, which is only possible if the signature was created with the matching private key. The server can then confirm that an authorized source sent the email and that it wasn’t tampered with.
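To make the two steps concrete, here is an added example (not Sendmarc’s code or the page’s own) of a simplified DKIM signer and verifier in Go, using only the standard library. The signer hashes the body into the bh= tag, signs the listed headers plus the DKIM-Signature header itself, and the public key is published as a v=DKIM1 TXT record at selector._domainkey.domain, which the verifier fetches before checking the body hash and the signature. The domain example.com, selector s1, the message and the in-memory DNS zone are all constructed for the demo, and it uses RFC 6376 “simple” canonicalization in a reduced form rather than a full implementation.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

var bTagRe = regexp.MustCompile(`(^|;)(\s*)b=[^;]*`) // the b= tag; its value is blanked before hashing
// bodyHash is the bh= tag: base64(SHA-256(body)) after "simple" canonicalization (trailing empty lines dropped, one CRLF).
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// parseTags splits a "k=v; k=v" list (a DKIM-Signature value or a DKIM DNS TXT record).
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[k] = strings.Join(strings.Fields(v), "") // drop folding whitespace inside values
		}
	}
	return tags
}

// headerDigest hashes the h= headers in order, then DKIM-Signature with an empty b= value; signer and verifier must agree byte for byte.
func headerDigest(headers [][2]string, signed []string, sigValue string) []byte {
	byName := map[string]string{} // lowercase name -> "Name: value\r\n"; last occurrence wins
	for _, h := range headers {
		byName[strings.ToLower(h[0])] = h[0] + ": " + h[1] + "\r\n"
	}
	var data strings.Builder
	for _, n := range signed {
		data.WriteString(byName[strings.ToLower(n)])
	}
	data.WriteString("DKIM-Signature: " + bTagRe.ReplaceAllString(sigValue, "${1}${2}b="))
	sum := sha256.Sum256([]byte(data.String()))
	return sum[:]
}

// Sign is the sender's step: it returns the DKIM-Signature header value for the message.
func Sign(priv *rsa.PrivateKey, domain, selector string, signed []string, headers [][2]string, body string) (string, error) {
	sigValue := fmt.Sprintf("v=1; a=rsa-sha256; c=simple/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(signed, ":"), bodyHash(body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerDigest(headers, signed, sigValue))
	if err != nil {
		return "", err
	}
	return sigValue + base64.StdEncoding.EncodeToString(sig), nil
}

// DNSRecord is the TXT record value published at <selector>._domainkey.<domain>.
func DNSRecord(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a well-formed *rsa.PublicKey
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// Verify is the receiver's step; resolve stands in for the DNS TXT lookup.
func Verify(sigValue string, headers [][2]string, body string, resolve func(string) string) error {
	tags := parseTags(sigValue)
	if tags["bh"] != bodyHash(body) {
		return errors.New("body hash mismatch: the body was altered after signing")
	}
	rec := parseTags(resolve(tags["s"] + "._domainkey." + tags["d"]))
	der, err := base64.StdEncoding.DecodeString(rec["p"])
	key, perr := x509.ParsePKIXPublicKey(der)
	pub, ok := key.(*rsa.PublicKey)
	sig, serr := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil || perr != nil || !ok || serr != nil {
		return fmt.Errorf("no usable RSA key at %s._domainkey.%s, or malformed b= tag", tags["s"], tags["d"])
	}
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerDigest(headers, strings.Split(tags["h"], ":"), sigValue), sig) != nil {
		return errors.New("signature mismatch: a signed header was altered, or the DNS key does not match")
	}
	return nil
}

// Demo signs a constructed message and verifies it intact, with the body changed, and with the Subject changed.
func Demo() (intact, bodyChanged, headerChanged error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // setup errors ignored for brevity
	zone := map[string]string{"s1._domainkey.example.com": DNSRecord(&priv.PublicKey)} // constructed in-memory DNS
	resolve := func(name string) string { return zone[name] }
	hdrs := [][2]string{{"From", "alice@example.com"}, {"To", "bob@example.net"}, {"Subject", "Invoice 42"}}
	body := "Please pay 100 EUR to account 123.\r\n"
	sig, _ := Sign(priv, "example.com", "s1", []string{"from", "to", "subject"}, hdrs, body)
	return Verify(sig, hdrs, body, resolve),
		Verify(sig, hdrs, "Please pay 100 EUR to account 999.\r\n", resolve),
		Verify(sig, [][2]string{hdrs[0], hdrs[1], {"Subject", "URGENT: Invoice 42"}}, body, resolve)
}

func main() { fmt.Println(Demo()) }
```

Running it prints `<nil>` for the intact copy and a descriptive error for each tampered copy: a changed body is caught by the bh= comparison, a changed Subject by the signature check, because both the body hash and the listed headers are covered by the signature. Two things the demo leaves out matter in production: real verifiers implement the “relaxed” canonicalization and header-folding rules in full, and a 2048-bit key makes the p= value longer than the 255-byte limit of a single TXT string, so the zone file has to carry the record as several quoted strings that resolvers join back together.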

Why is DKIM important?

Now that we’ve gone through the how—let’s have a look at why. DKIM is an incredibly powerful tool for multiple reasons:

  • Prevent email tampering: Protect recipients from Man-in-the-Middle attacks. A common form of this cyberthreat consists of a recipient receiving an edited version of an email originally sent from a trusted source.
  • Enhance deliverability: Legitimate emails are less likely to be flagged as Spam or rejected. It’s used (with SPF) to authenticate emails via DMARC.
  • Survive auto-forwards: As long as an email isn’t altered after leaving its source, the DKIM signature will still be authenticated. This means that receivers downstream of the original recipient can still validate and accept these messages, even when other verification methods fail.
  • Strengthen reputation: Show customers your business invests in secure and trustworthy email practices, building their confidence in communications.

Navigating DKIM implementation

If it’s such a strong tool, why do so many organizations still not get it right? I believe that many companies simply lack knowledge about DKIM as a whole – after all, how can your business leverage a tool it doesn’t know exists?

The other reason is due to a lack of visibility. At Sendmarc, we’ll often run into organizations that have implemented DKIM on their main email environment (such as Microsoft Entra/365) but not on their email marketing platforms. On these platforms, a DMARC solution plays a huge role in finding hidden senders.

Even for companies that understand DKIM and know how to implement it, challenges like key rotation, DMARC alignment, and record length can still weaken email security. Our latest blog breaks down these issues and how Sendmarc makes DKIM management effortless. Read the full blog here.
