What is DKIM?
DKIM stands for DomainKey Identified Mail, and it’s a way for the sender to indicate to the receiver that the message is authentic and unaltered. It’s been around since 2005, and it uses public key cryptography to add a digital signature to the email header. This signature is like a seal on your email “envelope” because it guarantees to the recipient that the email is from you and has not been altered in any way.
Public key cryptography uses a pair of keys to create signatures and verify them; a public key and a private key. The public key is published in your domain’s DNS record when you authorize the use of a public/private key pair for your domain. The private key is kept secret, usually by your Email Service Provider (ESP), because anyone who has the private key can send authentic email from “you.”
The private key has a known mathematical relationship to the public key. When an ISP receives an email signed with a private key, it can use that information to calculate the public key. It then checks to see if the public key it calculated matches the one in your domain’s DNS record. Calculating a public key using a private key is a quick mathematical operation. However, trying to use a public key to figure out the private key is much more complicated math that takes far too long to make it worth trying.
So how does this all work with DKIM? You send email from [email protected] using an ESP like SendGrid. To use DKIM, you authorize the use of a private key (that SendGrid stores) and publish the corresponding public key to your DNS. That’s all you have to do in order to use DKIM to protect your domain from phishing. The rest of the process is automatically done by the mail servers that send and receive your email.
It does get more complicated behind the scenes with your ESP. Different ESPs have different policies around the implementation of DKIM for their customers. Make sure the ESP you select uses an individual private key for each domain they send from. That way, your domain will have a unique private key. In addition, some emails get forwarded through other mail servers that may add their own DKIM signature to the email as they pass it through. This does not invalidate the original signature, but it can make understanding the authentication results (found in DMARC reports) more confusing. That’s why DKIM is only part of the solution for email authentication. To learn more about the other protocols, check out our info pages about SPF and DMARC.