DKIM what is it and why I need it?

What is DKIM


Basically DKIM is a cryptographic technique, used to create a unique signature for any email you are sending. It allows few things:

  • detect if the content of the email has been altered between sending and reception (prevent man in the middle attack)
  • validate that the sender is the owner of the From domain used to send the email

DKIM is currently a mandatory standard to setup on any sending domain, to be able to deliver emails properly, it is provided by all serious email providers (ESPs) and improve deliverability for the emails sent.

As I said, most of the ESPs are actually signing 100% of their customer's traffic using DKIM (even if you don't know) and usually when you are creating an account on such provider, you need to define/register your sending domain, or at least the sending addresses you will use to send emails. -> here is the interesting part, by default your ESP will probably insist to have you configuring several DNS records on your domain, but most of time that steps are not mandatory. If you do not setup that DKIM key on your DNS zone, your provider will sign your email using its own dkim domain and key to sign, meaning the header From domain will not be aligned with the DKIM domain, which is one common reason for a spambox delivery.

What it does in practice:

  • the sending server (MTA) use a cryptographic private key to generate a signature of your email, and will insert that signature in the headers of the email sent.
  • the email is sent to the recipient server declared on the recipient domain's MX
  • that recipient server get the email content, extract the signature included, get the public key from the sending domain's DKIM DNS record
  • recipient server will verify if the signature is valid, and if the content of the email received match with the signature included on the email received