How does DKIM work?

DKIM (DomainKeys Identified Mail):

DKIM (DomainKeys Identified Mail) is an email authentication standard, specified in RFC 6376, that lets a domain take responsibility for a message by attaching a cryptographic signature to it. The receiving server uses that signature to check that the signed headers and the body were not altered in transit between the sending and receiving servers, and that the signature really was produced by the domain that claims it.

DKIM uses public-key cryptography: a private key that only the signer knows, and a public key published in DNS that anyone can fetch to verify a message. The signer (which can be a different party from the sender named in the From: header, for example a mail provider signing on a customer's behalf) hashes the selected headers and the body and signs that hash with the private key; the receiver recomputes the hash and checks the signature against the public key retrieved from DNS.

How DKIM works:

There are three main steps in the DKIM signing process. First, the signer chooses which header fields the signature will cover and lists them in the h= tag of the DKIM-Signature header; the From: field must always be included, and Subject, Date and others are commonly added. The body is covered separately through a body hash (bh=). Whatever is covered must arrive unchanged, or DKIM verification will fail. Second, the signer's mail platform canonicalizes those fields (normalizing case and whitespace so that harmless relaying changes do not break the signature) and hashes them. For example, the fields

From: Example <example@domain-name.com>
Subject: Update

will map to this hash string:

Once the hash is generated, it is signed (not encrypted) with the private key, which only the signer holds. The resulting signature goes into the b= tag of the DKIM-Signature header, next to the body hash (bh=), the list of signed headers (h=), the signing domain (d=) and the selector (s=).

Finally, after the email is sent, the receiving gateway or mailbox provider validates the signature. It reads s= and d= from the DKIM-Signature header, queries DNS for the TXT record at selector._domainkey.domain, and takes the public key from that record's p= tag. There is no decryption step: the receiver recomputes the same hash over the same header fields and body and checks, with the public key, that the signature in b= was produced over that hash.

If the check passes, the receiver knows two things: the signed fields and the body were not changed in transit, and the message was signed by whoever controls the private key for the d= domain. That is a statement about the signing domain, not about the visible From: address; DKIM on its own does not require d= to match the From: domain, which is why DMARC adds an alignment check between the two.
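The three steps above, carried end to end in Go as an added example (this is not code from the original article or from any DKIM library; the domain example.com, the selector sel2024, the in-memory dns map that stands in for the real DNS query, and the sample headers and body are all assumed). It uses the relaxed header canonicalization and simple body canonicalization of RFC 6376, signs with RSA-SHA256, and then verifies the original message, a copy whose Subject was changed, and a copy whose body was changed. The signing domain d=example.com is deliberately different from the From: domain, which DKIM allows:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Header is one RFC 5322 header field of the message being signed.
type Header struct{ Name, Value string }

// relaxedHeader applies RFC 6376 "relaxed" canonicalization: lower-case name, collapsed whitespace.
func relaxedHeader(h Header) string {
	return strings.ToLower(strings.TrimSpace(h.Name)) + ":" + strings.Join(strings.Fields(h.Value), " ")
}

// bodyHash computes bh= with "simple" body canonicalization (trailing empty lines become one CRLF).
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// signedData is the exact byte string that is hashed and signed: each header listed in h=
// (last occurrence wins, as the RFC requires), then the DKIM-Signature header with b= empty.
func signedData(hdrs []Header, hNames []string, sigNoB string) []byte {
	var sb strings.Builder
	for _, name := range hNames {
		for j := len(hdrs) - 1; j >= 0; j-- {
			if strings.EqualFold(hdrs[j].Name, name) {
				sb.WriteString(relaxedHeader(hdrs[j]) + "\r\n")
				break
			}
		}
	}
	sb.WriteString(relaxedHeader(Header{"DKIM-Signature", sigNoB}))
	return []byte(sb.String())
}

// Sign returns the DKIM-Signature header value; b= holds the RSA-SHA256 (PKCS#1 v1.5) signature.
func Sign(priv *rsa.PrivateKey, domain, selector string, hNames []string, hdrs []Header, body string) (string, error) {
	sigNoB := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=", domain, selector, strings.Join(hNames, ":"), bodyHash(body))
	digest := sha256.Sum256(signedData(hdrs, hNames, sigNoB))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return sigNoB + base64.StdEncoding.EncodeToString(sig), nil
}

// parseTags splits a "k=v; k=v" tag list into a map.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[kv[0]] = strings.TrimSpace(kv[1])
		}
	}
	return tags
}

// Verify is the receiver's side (RFC 6376 section 6.1); dns stands in for the TXT query of <s>._domainkey.<d>.
func Verify(dns map[string]*rsa.PublicKey, sigValue string, hdrs []Header, body string) error {
	tags := parseTags(sigValue)
	pub, ok := dns[tags["s"]+"._domainkey."+tags["d"]]
	if !ok {
		return fmt.Errorf("no public key at %s._domainkey.%s", tags["s"], tags["d"])
	}
	if bodyHash(body) != tags["bh"] {
		return fmt.Errorf("body hash mismatch: body altered in transit")
	}
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil {
		return fmt.Errorf("malformed b= tag: %w", err)
	}
	sigNoB := strings.TrimSuffix(strings.TrimSpace(sigValue), tags["b"])
	digest := sha256.Sum256(signedData(hdrs, strings.Split(tags["h"], ":"), sigNoB))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return fmt.Errorf("signature mismatch: a signed header was altered or the key is wrong")
	}
	return nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	dns := map[string]*rsa.PublicKey{"sel2024._domainkey.example.com": &priv.PublicKey}
	hdrs := []Header{{"From", "Example <example@domain-name.com>"}, {"Subject", "Update"}}
	body := "Hello,\r\n\r\nThis is the message body.\r\n"
	sig, err := Sign(priv, "example.com", "sel2024", []string{"From", "Subject"}, hdrs, body)
	if err != nil {
		panic(err)
	}
	fmt.Println("original:", Verify(dns, sig, hdrs, body))
	fmt.Println("altered subject:", Verify(dns, sig, []Header{hdrs[0], {"Subject", "Update (edited in transit)"}}, body))
	fmt.Println("altered body:", Verify(dns, sig, hdrs, body+"P.S. added in transit\r\n"))
}
```

Nothing is ever decrypted in Verify: it rebuilds the byte string the signer hashed (the h= headers, then the DKIM-Signature header with the b= value removed), hashes it, and asks RSA whether the signature in b= matches that hash under the key found at sel2024._domainkey.example.com. Because the header canonicalization is relaxed, a relay that re-folds whitespace or changes the case of a header name does not break the signature, while any change to the actual content does.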

DKIM DNS record example:

<selector (s=)>._domainkey.<domain (d=)>   TXT   "v=DKIM1; p=<public key>"

s= is the selector, the record name that is combined with the domain to locate the public key in DNS. The value is a name or number chosen by the sender; any number of selectors can be published under one domain, which is how a domain rotates keys: publish the new key under a new selector, switch signing to it, and retire the old record later. s= is included in the DKIM signature.

d= is the signing domain, combined with the selector (s=) to locate the public key. The value is a domain name controlled by the signer. d= is included in the DKIM signature.

p= holds the public key that the mailbox provider uses to verify the DKIM signature.

Here is what the full DNS DKIM record looks like for progist.net:

20190919._domainkey.progist.net 300 IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKQ1Dcff5lmH+uwAP/YdYN3b/c5CEtuRuYVDksPggVwjQVvXjG5tiBT+9xb78d40x8gD04KasVEx9IZyJBAOFX1fl7fsSN/sN7y4ijam3dOUq9PBPgvGgwTmFB7oLbTSSgFvCuIAtlAwTSu9aL34cD9XS/exkmmY57au8stCW9FQIDAQAB"

The selector (s=): 20190919
The domain (d=): progist.net
The version (v=): DKIM1
The public key (p=): MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKQ1Dcff5lmH+uwAP/YdYN3b/c5CEtuRuYVDksPggVwjQVvXjG5tiBT+9xb78d40x8gD04KasVEx9IZyJBAOFX1fl7fsSN/sN7y4ijam3dOUq9PBPgvGgwTmFB7oLbTSSgFvCuIAtlAwTSu9aL34cD9XS/exkmmY57au8stCW9FQIDAQAB

v= is the version of the DKIM key record. The tag is optional but recommended; if present it must be the first tag and its value must be DKIM1 (a record that starts with a v= tag carrying any other value is discarded).

p= is the public key used by a mailbox provider to verify a DKIM signature generated with the corresponding private key. The value is the base64 encoding of the key, generated together with the private key during DKIM set-up. p= is the only required tag; an empty value (p=) means the key has been revoked, and signatures that reference it fail verification. Key size matters as well: RFC 8301 sets 1024 bits as the minimum that verifiers accept and recommends 2048, so the 1024-bit key in the record above sits at the floor rather than at the recommendation.

k= indicates the key type. The default is rsa, which every signer and verifier must support; ed25519 (RFC 8463) is also defined.

g= is the granularity of the public key. It was defined in the original DKIM specification (RFC 4871) and removed in RFC 6376, so current verifiers ignore it and the g=* in the record above has no effect. As originally specified, the value had to match the local-part of the i= tag in the DKIM signature (i=local-part@domain.com) or contain a wildcard asterisk (*), to constrain which signing address could use the selector record.
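As an added example covering the record layout and the tag descriptions above (this is not code from the original page; ParseKeyRecord, KeyRecord and the helper names are assumed), the following Go parses a DKIM key record the way a verifier would and reports the checks a practitioner wants: v= first if present, p= required with an empty p= meaning revoked, the RSA key decoded from p= and measured against the RFC 8301 limits, ed25519 keys checked for the raw 32-byte form of RFC 8463, and an obsolete g= tag flagged. The progist.net record quoted on this page is the sample input; the second, revoked record is constructed:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// KeyRecord is what a verifier learns from a DKIM key record, plus practitioner warnings.
type KeyRecord struct {
	KeyType  string   // k= (defaults to rsa)
	Bits     int      // RSA modulus size in bits, or 256 for ed25519
	Revoked  bool     // an empty p= means the key has been revoked
	Warnings []string // weak or obsolete settings worth flagging
}

type tag struct{ name, value string }

// splitTags keeps tag order, because v= (if present) must be the first tag.
func splitTags(txt string) []tag {
	var tags []tag
	for _, part := range strings.Split(txt, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags = append(tags, tag{strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])})
		}
	}
	return tags
}

// ParseKeyRecord validates a DKIM TXT record as a verifier would (RFC 6376 section 3.6.1)
// and applies the key-size rules of RFC 8301 and the ed25519 key format of RFC 8463.
func ParseKeyRecord(txt string) (*KeyRecord, error) {
	rec := &KeyRecord{KeyType: "rsa"}
	var pValue string
	hasP := false
	for i, t := range splitTags(strings.Trim(txt, `"`)) {
		switch t.name {
		case "v":
			if i != 0 || t.value != "DKIM1" {
				return nil, errors.New("v= must be DKIM1 and must be the first tag")
			}
		case "k":
			rec.KeyType = t.value
		case "p":
			pValue, hasP = t.value, true
		case "g":
			rec.Warnings = append(rec.Warnings, "g= was removed in RFC 6376 and is ignored by verifiers")
		}
	}
	if !hasP {
		return nil, errors.New("p= tag is required")
	}
	if pValue == "" {
		rec.Revoked = true
		return rec, nil
	}
	// Long p= values are often split across DNS strings; whitespace inside the base64 is ignored.
	raw, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(pValue), ""))
	if err != nil {
		return nil, fmt.Errorf("p= is not valid base64: %w", err)
	}
	switch rec.KeyType {
	case "rsa":
		pub, err := x509.ParsePKIXPublicKey(raw) // for RSA, p= is a DER SubjectPublicKeyInfo
		if err != nil {
			return nil, fmt.Errorf("p= is not a PKIX public key: %w", err)
		}
		rsaPub, ok := pub.(*rsa.PublicKey)
		if !ok {
			return nil, errors.New("k=rsa but p= does not hold an RSA key")
		}
		rec.Bits = rsaPub.N.BitLen()
		if rec.Bits < 1024 {
			return nil, fmt.Errorf("%d-bit RSA key: verifiers must reject keys under 1024 bits (RFC 8301)", rec.Bits)
		}
		if rec.Bits < 2048 {
			rec.Warnings = append(rec.Warnings, fmt.Sprintf("%d-bit RSA key; RFC 8301 recommends at least 2048 bits", rec.Bits))
		}
	case "ed25519":
		if len(raw) != ed25519.PublicKeySize { // RFC 8463: p= is the raw 32-byte key, not PKIX
			return nil, fmt.Errorf("ed25519 p= must decode to %d bytes, got %d", ed25519.PublicKeySize, len(raw))
		}
		rec.Bits = 256
	default:
		return nil, fmt.Errorf("unsupported key type %q", rec.KeyType)
	}
	return rec, nil
}

// progistRecord is the record quoted on this page, joined back onto one line.
const progistRecord = `v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKQ1Dcff5lmH+uwAP/YdYN3b/c5CEtuRuYVDksPggVwjQVvXjG5tiBT+9xb78d40x8gD04KasVEx9IZyJBAOFX1fl7fsSN/sN7y4ijam3dOUq9PBPgvGgwTmFB7oLbTSSgFvCuIAtlAwTSu9aL34cD9XS/exkmmY57au8stCW9FQIDAQAB`

func main() {
	// The second record is constructed to show how a revoked key reads.
	for _, txt := range []string{progistRecord, "v=DKIM1; p="} {
		rec, err := ParseKeyRecord(txt)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("k=%s bits=%d revoked=%v warnings=%q\n", rec.KeyType, rec.Bits, rec.Revoked, rec.Warnings)
	}
}
```

Run against the page's record, it reports a 1024-bit RSA key with two warnings (the obsolete g= tag and the sub-2048-bit key), which is exactly what a review of a domain's mail authentication setup would flag. Feeding it the DNS answer for your own selector is a quick way to confirm that what you published is what verifiers will actually use.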