What you need to know: DKIM Signatures

October 12, 2023  |  5 min read

What is a DKIM Signature?

There are several different email authentication protocols, but only one relies on a private cryptographic signing key. A DKIM signature helps mailbox providers verify your identity as the sender while combating email spoofing attacks. It is the key to email authentication.

Basically, DKIM helps you sign important letters with invisible ink and makes it clear that the message is from you and not from anyone else. However, it isn’t quite that simple.

Let’s take a closer look at the DomainKeys Identified Mail protocol.

Why we need DKIM signatures

Communicating with people via email is a valuable asset. Unfortunately, cybercriminals are out there looking to take advantage of the trust that brands have earned with their consumers and subscribers.

Scammers infiltrate inboxes by impersonating your brand’s emails and web pages, tricking people into installing malware or disclosing sensitive information. This may include bank accounts, credit card numbers, social security numbers, or login information for online accounts. Email spoofing easily leads to identity theft.

Improving inbox security.

Although the Simple Mail Transfer Protocol (SMTP) is the industry standard for sending emails over the internet, it does not provide a mechanism for verifying the sender before the email is delivered. Thus, it makes it possible for spammers and scammers to fill inboxes with junk and attempt to spoof or disguise trusted brands.

Authentication protocols have improved email security over the last few decades by linking information in email headers to records published in the sender’s Domain Name System (DNS) zone.

The DKIM signature is one of these protocols. It detects forged sender addresses by using a cryptographic signature that only the holder of the private key can produce.

DKIM is a combination of DomainKeys, developed by Yahoo, and Cisco’s Identified Internet Mail, merged in 2004. The DomainKeys part is designed to verify the email sender’s DNS domain, and the Identified Internet Mail part is the digital signature portion of the specification.

The most prominent mailbox providers such as Google, Apple Mail, and Outlook look for DKIM signatures when authenticating emails.

How does a DKIM signature work?

Like other email authentication mechanisms, DKIM allows senders to associate email messages with a specific domain, with DNS records vouching for the legitimacy of the email. DKIM differs in that it does this with a cryptographic digital signature.

DKIM’s DomainKeys consist of a public key published in a DNS record and a private key kept by the sender. The sender uses the private key to produce the digital signature placed in the email header; that signature should be unique to the sender and must verify against the public key published in DNS.

A DKIM signature informs mail transfer agents (MTAs) where to find the public key that is used to validate the sender’s identity. If the signature verifies against that key, the email is more likely to be delivered to the inbox; if verification fails or the email lacks a DKIM signature, it is more likely to be rejected or filtered as spam.

DKIM does not filter email, but it assists the receiving server in determining how to best filter incoming messages. A message’s spam score is often reduced when DKIM verification is successful.

How to read a DKIM header

You’ll need to generate a DKIM record and publish it in your DNS in order to use DKIM to protect your brand from spoofing and your subscribers from scammers. You may need assistance from your IT department or your email service provider (ESP).

Below is an example of a DKIM signature (recorded as an RFC 2822 header field) for the signed message, assembled from the tag values walked through below:

  DKIM-Signature: a=rsa-sha1; q=dns; d=example.com; s=jun2005.eng;
    c=relaxed/simple; t=1117574938; x=1118006938;
    h=from:to:subject:date;
    b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR

Let’s break down the DKIM header tags one by one. Each “tag” is assigned a value that contains information about the sender.

Tags in a DKIM header

  Tag  Description
  b    the actual digital signature of the content (header and body) of the email message
  bh   the body hash
  d    the signing domain
  s    the selector
  v    the version
  a    the signing algorithm
  c    the canonicalization algorithm(s) for header and body
  q    the default query method
  l    the length of the canonicalized part of the body that has been signed
  t    the signature timestamp
  x    the expire time
  h    the list of signed header fields (a field name is repeated for fields that occur multiple times)

Note: The tags v, a, b, bh, d, h and s are required (RFC 6376, section 3.5). A DKIM signature that lacks any of these tags will generate an error during validation.

We can see from this DKIM header that:

The digital signature is dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR.

This signature is verified against the public key published in the sender’s domain.

  • The body hash is not listed.
  • The signing domain is example.com. It is the domain that sent (and signed) the message.
  • The selector is jun2005.eng.
  • The version is not listed.
  • The signing algorithm is rsa-sha1. It generates the signature.
  • The canonicalization algorithm(s) for the header and body are relaxed/simple.
  • The default query method is dns. It is used to look up the key on the signing domain.
  • The length of the canonicalized part of the body that has been signed is not listed. The signing domain can sign the entire body or just a leading section of it; if only a section were signed, its length would appear here.
  • The signature timestamp is 1117574938. This is when it was signed.
  • The expiration time is 1118006938. Because an already signed email can be reused to “fake” the signature, signatures are set to expire.
  • The list of signed header fields is from:to:subject:date. It is the list of fields that have been “signed” to verify that they have not been modified.

We are aware that’s a lot of technical information. Fortunately, there are tools available to email marketers to create DKIM records.

How to verify a DKIM signature

DNS records and DKIM signatures can be difficult to understand. There are internet tools that can assist you to verify that your email authentication mechanisms are configured appropriately.

Use the free Skysnag DKIM Record Check tool to verify DKIM

Sending an email to a Gmail account is another way to test DKIM. Open the email in the Gmail web app, click on the down arrow next to the “reply” button (top right of email), and select “show original.” If you see “signed-by: your domain name” in the original, your DKIM signature is valid. Yet keep in mind that you only see the DKIM signature if you have access to the email you are sending it to. The only way to check for all

Improve deliverability before you hit send

There are numerous compelling reasons to use email authentication protocols. Improving deliverability is at the top of the list. If you don’t use email authentication, mailbox providers are more likely to filter your messages into junk mail and spam folders.

To understand this better:

DKIM uses a private key to authenticate email:

1- The sending service publishes its public key in a DNS record.

2- The sending service uses the private key to sign the message, generates the DKIM-Signature header and attaches it to the email it sends.

3- In that header, the d= tag carries the signing domain and the s= tag carries the selector.

4- The receiving service (Gmail, for example) queries DNS for <selector>._domainkey.<domain> (for example, s._domainkey.domain.com) to obtain the public key.

5- The receiving service then validates the DKIM signature attached to the email with the obtained public key. If the signature is valid, DKIM passes.
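As an added example (not code from the original post or from Skysnag), the following Python script reconstructs the sample header from the tag values walked through above, splits it into tags, derives the DNS name the receiver queries in step 4, checks the required tags and the expiry, and shows what relaxed header canonicalization (the c=relaxed part of c=relaxed/simple) does. The header text is a constructed sample assembled from the page’s values; the required-tag list is taken from RFC 6376.

```python
# Sample DKIM-Signature field constructed from the values discussed above
# (the b= value is the page's example signature; it is not verifiable here).
SAMPLE_HEADER = (
    "DKIM-Signature: a=rsa-sha1; q=dns; d=example.com; s=jun2005.eng;\r\n"
    "  c=relaxed/simple; t=1117574938; x=1118006938;\r\n"
    "  h=from:to:subject:date;\r\n"
    "  b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR"
)

# Tags RFC 6376 section 3.5 marks as required in a DKIM-Signature field.
REQUIRED_TAGS = {"v", "a", "b", "bh", "d", "h", "s"}


def parse_dkim_signature(header):
    """Split a (possibly folded) DKIM-Signature field into a tag -> value dict."""
    name, _, value = header.partition(":")
    if name.strip().lower() != "dkim-signature":
        raise ValueError("not a DKIM-Signature field")
    # Unfold continuation lines and drop whitespace: DKIM ignores folding
    # whitespace inside tag values, which is why b= may span several lines.
    unfolded = "".join(value.split())
    tags = {}
    for item in unfolded.split(";"):
        if item:
            tag, _, val = item.partition("=")  # split at the first '=' only
            tags[tag] = val
    return tags


def key_record_name(tags):
    """DNS name the receiver queries for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def missing_required_tags(tags):
    """Required tags absent from the signature (the sample lacks v= and bh=)."""
    return sorted(REQUIRED_TAGS - set(tags))


def is_expired(tags, now):
    """x= is optional; when present it must be later than t= and than now."""
    if "x" not in tags:
        return False
    return int(tags["x"]) <= int(tags.get("t", 0)) or now > int(tags["x"])


def relaxed_canonicalize_header(field):
    """Relaxed header canonicalization (RFC 6376 3.4.2): lowercase the field
    name, unfold, collapse whitespace runs to one space, trim around the colon."""
    name, _, value = field.partition(":")
    return f"{name.strip().lower()}:{' '.join(value.split())}\r\n"
```

Running the parser on the sample shows it would fail validation today on two counts: the required v= and bh= tags are missing, and the x= timestamp has long passed.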

Conclusion

Skysnag automates DMARC, SPF, and DKIM for you to increase email deliverability. With that being said, avoid email spoofing attacks with Skysnag’s automated software which allows you to confirm the validity of emails. Sign up using this link for a free trial today and ensure your organization’s DKIM signature is set up correctly. 

Check your domain's DMARC security compliance

Enforce DMARC, SPF and DKIM in days - not months

Skysnag helps busy engineers enforce DMARC, responds to any misconfigurations for SPF or DKIM which increases email deliverability, and eliminates email spoofing and identity impersonation.