DKIM Signature: What is it and how does it work?

DomainKeys Identified Mail (DKIM) is an anti-tamper email authentication protocol: it lets a receiving server detect whether a message was altered in transit. DKIM uses digital signatures to confirm whether the email was sent by an authentic domain.

A DKIM signature is a header that is appended to emails. This header carries the values a recipient mail server needs to validate the message: it looks up the sender's public DKIM key in DNS and uses that key to verify the signature carried in the header.

Here is an example of a DKIM signature:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google;

The tags used are:

  • v, version
  • a, signing algorithm
  • d, domain
  • s, selector
  • c, canonicalization algorithm(s) for header and body
  • q, default query method
  • t, signature timestamp
  • x, expiration time
  • h, header fields, the list of those that have been signed
  • bh, body hash
  • b, the signature of headers and body

The signature value itself is by definition unique from message to message. However, three elements are present in every DKIM signature header: ‘d=’ for the signing domain, ‘b=’ for the actual digital signature, and ‘bh=’ for a hash of the body that the receiver verifies by recalculating it from the message it received.

Before creating a DKIM signature, the sender must decide which components of the email should be included in it. This usually consists of the message body together with certain default headers. If any of these signed elements are modified after the signature has been created, DKIM validation will fail.

The Importance of DKIM Signatures 

Since the invention of email, SMTP has been used as the standard to deliver emails. SMTP, however, fails to verify the original sender or establish the legitimacy of the email. This has allowed several phishing attacks and email fraud attempts to successfully rob victims of data and money over the years. To solve this problem, email authentication protocols and standards like DKIM were introduced. 

DKIM signatures are the key to email authentication and are an essential part of the DKIM protocol. They rely on a cryptographic key published in the sending domain's DNS to recognize registered senders. If the signature does not match that key, DKIM immediately alerts the receiving provider that the email address may be forged.

DKIM signatures are being used worldwide by major providers such as Google, Yahoo, and Outlook. 

How Does a DKIM Signature Work? 

The DKIM signature is detected by email receivers such as Gmail and Microsoft (Hotmail, Outlook, etc.). The DKIM signature indicates which domain signed the email (the ‘d=’ tag). The email receiver performs a DNS query to fetch the public key for that domain in order to validate the DKIM signature.

To identify where to look for this key, the receiver uses the variables specified in the DKIM signature (the domain and the selector). If the key is found, it is used to verify the signature and recover the hash values the sender computed. The receiver then recalculates the same hashes from the message it received and compares them. The DKIM signature is considered valid only if the values match.
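The sign-then-verify process described above, as an added Go example that is not part of the original article. It assumes "simple" canonicalization (c=simple/simple) rather than the relaxed mode in the sample header, passes the public key in directly instead of fetching it from DNS, and uses a constructed demo key and constructed headers; the names sign, verify, bodyHash and headerHash are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"strings"
)
// demoKey is a constructed 2048-bit signing key; real signers keep theirs in a key store.
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048)
// bodyHash is the bh= tag: base64(SHA-256(body)) after "simple" body canonicalization
// (trailing empty lines dropped, body ends in exactly one CRLF).
func bodyHash(body string) string {
	d := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(d[:])
}

// headerHash covers the signed headers, then the DKIM-Signature header with an empty b= and no CRLF.
func headerHash(headers []string, sigHeader string) []byte {
	d := sha256.Sum256([]byte(strings.Join(headers, "\r\n") + "\r\n" + sigHeader))
	return d[:]
}

// sign builds the DKIM-Signature header (a=rsa-sha256, c=simple/simple) for the given message.
func sign(key *rsa.PrivateKey, domain, selector string, headers []string, body string) (string, error) {
	var names []string // h= lists the signed header names, in order
	for _, h := range headers {
		names = append(names, strings.ToLower(strings.SplitN(h, ":", 2)[0]))
	}
	sig := "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=" + domain + "; s=" + selector +
		"; h=" + strings.Join(names, ":") + "; bh=" + bodyHash(body) + "; b="
	b, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, headerHash(headers, sig))
	return sig + base64.StdEncoding.EncodeToString(b), err
}

// verify does what the receiver does: recompute bh= from the body it received, then
// check b= over the headers with the signer's public key. Either mismatch fails validation.
func verify(pub *rsa.PublicKey, sigHeader string, headers []string, body string) bool {
	tags := map[string]string{}
	for _, t := range strings.Split(strings.TrimPrefix(sigHeader, "DKIM-Signature:"), ";") {
		k, v, _ := strings.Cut(strings.TrimSpace(t), "=")
		tags[k] = v
	}
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil || tags["bh"] != bodyHash(body) {
		return false
	}
	bare := strings.TrimSuffix(sigHeader, tags["b"]) // b= emptied, exactly as at signing time
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerHash(headers, bare), sig) == nil
}
```

In real mail flow the receiver fetches the public key from the TXT record at selector._domainkey.domain, which is what the s= and d= tags point to.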