DKIM
What is DKIM?
An email authentication standard defined in RFC 6376 that lets a sending domain add a cryptographic signature to outgoing messages so receivers can verify that headers and body were not altered.
DomainKeys Identified Mail (DKIM) is specified in RFC 6376. The sending Mail Transfer Agent generates an RSA or Ed25519 signature over selected headers (typically From, Subject, Date) and the body, then adds a DKIM-Signature header that names the signing domain (d=) and the selector (s=). Receivers fetch the public key from the TXT record at <selector>._domainkey.<signing domain> (for d=example.com and s=s1, that is s1._domainkey.example.com) and validate the signature. DKIM survives most forwarding scenarios and provides the cryptographic identifier DMARC aligns against. Key hygiene matters: use 2048-bit RSA or Ed25519, rotate selectors, retire old keys, and protect private keys with HSMs or KMS, since an exposed private key lets an attacker forge validly signed mail for the domain.
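As an added example (not code from the page or from any DKIM library), the receiver-side steps above in Python's standard library: parse the DKIM-Signature tags, derive the <selector>._domainkey.<d> TXT name, canonicalize the body per RFC 6376 and compare the bh= tag with the body actually received. The sample message is constructed here with a placeholder in b=, so the header signature itself is not verified; that last step needs the fetched public key and a crypto library.

```python
import base64
import hashlib
import re

def parse_dkim_signature(value: str) -> dict:
    """Split a DKIM-Signature tag list (RFC 6376 3.2); folding whitespace inside values is dropped."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def canonicalize_body_simple(body: str) -> bytes:
    """RFC 6376 3.4.3: drop trailing empty lines; an empty body becomes a single CRLF."""
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    return (body if body.endswith("\r\n") else body + "\r\n").encode()

def canonicalize_body_relaxed(body: str) -> bytes:
    """RFC 6376 3.4.4: collapse WSP runs to one SP, strip trailing WSP, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""

def body_hash(body: str, canon: str) -> str:
    """Base64 SHA-256 over the canonicalized body: the value carried in the bh= tag."""
    data = canonicalize_body_relaxed(body) if canon == "relaxed" else canonicalize_body_simple(body)
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def check_body_hash(message: str) -> dict:
    """Compare bh= with the body received; b= (the header signature) needs the public key and is not checked."""
    header_block, body = message.split("\r\n\r\n", 1)
    headers = {}
    for line in re.sub(r"\r\n(?=[ \t])", "", header_block).split("\r\n"):  # unfold continuation lines
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    tags = parse_dkim_signature(headers["dkim-signature"])
    canon = tags.get("c", "simple/simple").split("/")  # c=<header>/<body>; body part defaults to simple
    computed = body_hash(body, canon[1] if len(canon) == 2 else "simple")
    return {"dns_name": f"{tags['s']}._domainkey.{tags['d']}",  # TXT record holding the public key
            "bh_ok": computed == tags["bh"], "bh": computed}

SAMPLE_BODY = "Hello  world   \r\n\r\n\r\n"  # constructed sample body, not from the page

def build_sample_message(bh: str) -> str:
    """Constructed unsigned message; we fill in bh= ourselves and leave b= as a placeholder."""
    return ("From: alerts@example.com\r\nSubject: Test\r\nDate: Mon, 1 Jan 2024 00:00:00 +0000\r\n"
            "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1;\r\n"
            f" h=from:subject:date; bh={bh}; b=SIGNATURE-PLACEHOLDER\r\n\r\n" + SAMPLE_BODY)
```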
● Examples
- 01
An outbound mail server signs marketing emails with selector s=s1 and signing domain d=example.com, allowing DMARC alignment.
- 02
Rotating a DKIM key by publishing a new selector before retiring the old one to avoid validation gaps.
● Frequently asked questions
What is DKIM?
An email authentication standard defined in RFC 6376 that lets a sending domain add a cryptographic signature to outgoing messages so receivers can verify that headers and body were not altered. It belongs to the Network Security category of cybersecurity.
What does DKIM mean?
An email authentication standard defined in RFC 6376 that lets a sending domain add a cryptographic signature to outgoing messages so receivers can verify that headers and body were not altered.
How does DKIM work?
DomainKeys Identified Mail (DKIM) is specified in RFC 6376. The sending Mail Transfer Agent generates an RSA or Ed25519 signature over selected headers (typically From, Subject, Date) and the body, then adds a DKIM-Signature header that names the signing domain (d=) and the selector (s=). Receivers fetch the public key from the TXT record at <selector>._domainkey.<signing domain> (for d=example.com and s=s1, that is s1._domainkey.example.com) and validate the signature. DKIM survives most forwarding scenarios and provides the cryptographic identifier DMARC aligns against. Key hygiene matters: use 2048-bit RSA or Ed25519, rotate selectors, retire old keys, and protect private keys with HSMs or KMS, since an exposed private key lets an attacker forge validly signed mail for the domain.
How do you defend a DKIM deployment?
Defending a DKIM deployment combines technical controls (2048-bit RSA or Ed25519 keys, private keys protected by an HSM or KMS) with operational practices (rotating selectors and retiring old keys), as detailed in the full definition above.
What are other names for DKIM?
Common alternative names include: DomainKeys Identified Mail.
● Related terms
- network-security
DMARC
An email authentication standard defined in RFC 7489 that lets domain owners publish a policy telling receivers what to do with messages that fail SPF or DKIM and aligned domain checks.
- network-security
SPF (Sender Policy Framework)
An email authentication mechanism defined in RFC 7208 that lets a domain publish in DNS which IP addresses or hosts are authorized to send mail using its domain in the envelope MAIL FROM.
- network-security
BIMI
An email standard that lets domain owners display a verified brand logo next to authenticated messages in supporting clients, conditional on a DMARC policy of quarantine or reject.
- attacks
Email Spoofing
Forging email headers so a message appears to come from a trusted sender, typically to enable phishing, fraud, or malware delivery.
- network-security
S/MIME
An IETF standard for end-to-end signing and encryption of MIME email messages using X.509 certificates issued by a public or enterprise CA.
- network-security
Secure Email Gateway
A perimeter or cloud service that filters inbound and outbound email for spam, phishing, malware, data leakage, and policy violations before it reaches user mailboxes.
● See also
- ARC (Authenticated Received Chain)
- PGP
- GnuPG (GPG)
- Greylisting
- DNS Blocklist (DNSBL)