
How Does DKIM Work - An Introduction to DKIM

Written by IRONSCALES | Oct 2, 2025 5:10:50 PM

The Simple Mail Transfer Protocol (SMTP) was introduced in 1982 as a way for two parties to exchange electronic mail using the Internet as a medium. The Internet was much smaller and safer back then, and like many other IT protocols from the early days, SMTP was not developed with security in mind. Over the years, threat actors have found and exploited many attack vectors against SMTP, such as intercepting plaintext email content, engaging in SMTP smuggling, exploiting sender domain impersonation, etc. 

In this article, we focus on how you can protect against domain impersonation and, by doing so, reduce the risk of business email compromise (BEC) and increase our domain’s reputation. More specifically, we introduce DomainKeys Identified Mail (DKIM), one of the top three email security protocols that can make it harder for threat actors to abuse your domain for CEO fraud or other types of dangerous phishing emails. We cover different aspects of DKIM, from concepts to high-level implementation, as well as some common mistakes to avoid during this process.

Summary of key DKIM concepts

The table below summarizes different aspects of the DKIM protocol and common mistakes to avoid when using DKIM to enhance your email security.

Concept                    | Description
What is DKIM?              | DKIM is an email security protocol that allows the recipient to verify the sender’s identity and the integrity of the email through cryptographic means.
How does DKIM work?        | DKIM involves having the sender create a cryptographic key pair, publish the public key, and configure the mail server to sign emails digitally.
Security benefits of DKIM  | DKIM enhances overall email security by verifying email authenticity, ensuring email integrity, and allowing you to maintain independence from your IT infrastructure.
Monitoring and maintenance | Monitoring and rotating the key pair by following security best practices are things to consider when using DKIM.
Common mistakes to avoid   | Common trouble areas when implementing DKIM include misconfiguration, poor authoritative name server security, and not understanding important DKIM limitations.

In the rest of this article, we will cover the origin of DKIM, how it works, what the implementation workflow looks like, and some common mistakes to avoid during the process. While DKIM is not a silver bullet when it comes to email security, it can certainly boost your overall email security and domain reputation. 

What is DKIM?

DKIM is one of the leading email authentication protocols and was published in September 2011 in RFC 6376. The goal of this RFC was to provide the domain owners and email recipients with the means to sign and verify emails, respectively. 

To achieve this goal, DKIM relies on public-key cryptography. The domain owner generates a cryptographic key pair, makes the public key available to everyone on the Internet, and uses the private key to digitally sign the email. Everyone on the Internet can then use this public key to verify the digital signature of the signed email. Because the public key can only correctly verify signatures created by its private key counterpart (which only the domain owner possesses), the threat actor cannot impersonate the domain and send signed malicious emails on its behalf. 

How does DKIM work?

While technical DKIM setup is covered in detail in a separate article, in this section, we explain the DKIM setup and email delivery in theory to help create an understanding of the overall process and email workflow from the sender to the recipient.

Here’s a description of the process that DKIM follows:

  1. Before an email is sent, the domain owner creates a cryptographic key pair, often using the RSA algorithm.
  2. The domain owner then creates a new DNS TXT record for its domain, which contains the generated public key as a value.
  3. The domain owner or email security administrator configures the sender’s mail server by specifying the private key to be used for signing the email (as created in Step 1). Furthermore, depending on the email infrastructure, the MTA software (e.g., Postfix or Exim) or outbound SMTP relay (e.g., Gmail or M365) is configured to specify which email headers and/or body need to be signed for outbound emails.
  4. A user in the domain uses an email client to send an email to a recipient.
  5. The email client forwards the email to the domain’s mail server, which signs it with the private key, adds a new email header (DKIM-Signature), and sends it to the destination.
  6. The recipient’s mail server uses the DKIM-Signature email header in the email to extract the sender’s domain name and the <selector>, which are needed to identify the DNS TXT record containing the public key for the signature verification.
  7. Once the public key for the sender’s domain is retrieved, other properties of the DKIM-Signature email header are used by the recipient’s mail server to understand how to verify the signature, e.g., the algorithm used, the specific email headers included in the signing process, etc.
  8. If the digital signature verification succeeds, the email is accepted and sent to the recipient’s mailbox. If it fails, this is an indication that the signature was forged, and the email will be rejected, quarantined, or marked as spam, depending on the recipient’s mail server configuration.

[Figure: DKIM verification workflow performed by the recipient’s mail server]

Security benefits of DKIM

Implementing DKIM has certain advantages for email security, some of which stand out when it is compared with the Sender Policy Framework (SPF). These benefits include the following:

  • Guaranteeing email authenticity: By digitally signing emails with cryptographically secure algorithms, DKIM lets the recipient verify that the email originated from your domain. No one else can forge the same email without possessing the private key your mail server uses to sign legitimate emails.
  • Ensuring email integrity: DKIM enables the recipient to verify the integrity of the email by checking the hash of the email body, which detects any change to the email content in transit or on a compromised recipient’s mail server. While a threat actor can manipulate the email body in transit or on the recipient’s side and calculate a new hash, they cannot create a new valid digital signature for this hash without possessing the private key you used to sign the email.
  • Independence from your IT infrastructure: SPF requires the domain owner to specify a list of IP addresses or domains that are authorized to send emails on behalf of this domain. However, migrations to the cloud or SaaS email providers, infrastructure modernization, or other IT changes might greatly influence your email infrastructure. This requires a constant adjustment of your DNS TXT record for SPF. Otherwise, all emails you send from new IP addresses will be rejected by the recipients due to the SPF failure, which might have a business impact. DKIM doesn’t have this IT infrastructure dependency, as it only requires a cryptographic key pair to function, and you only need to point your mail server to the private key for it to sign your emails. 
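The eight-step workflow above and the authenticity and integrity benefits just listed can be followed in working code. The Go program below is an added example, not code from this article or from IRONSCALES: it replaces DNS with an in-memory map, uses the constructed domain example.com with selector s2025 and a constructed message, signs with rsa-sha256 and "relaxed" header canonicalization as RFC 6376 specifies, verifies the untouched message, and then shows that a body altered after signing is rejected by the body-hash (bh=) check even though the signature itself is untouched.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

var dnsTXT = map[string]string{} // in-memory stand-in for DNS: selector._domainkey.domain -> TXT value

// parseTags splits a "k=v; k=v" tag list (DKIM-Signature header or TXT record).
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		k, v, _ := strings.Cut(strings.TrimSpace(part), "=")
		tags[k] = v
	}
	return tags
}

// headerHash hashes the "relaxed"-canonicalized signed headers (lower-case name, whitespace collapsed, CRLF) plus the DKIM-Signature header with an empty b= and no CRLF.
func headerHash(headers [][2]string, sigNoB string) []byte {
	var canon strings.Builder
	for _, h := range headers {
		canon.WriteString(strings.ToLower(h[0]) + ":" + strings.Join(strings.Fields(h[1]), " ") + "\r\n")
	}
	canon.WriteString("dkim-signature:" + strings.Join(strings.Fields(sigNoB), " "))
	sum := sha256.Sum256([]byte(canon.String()))
	return sum[:]
}

// Sign is the sending server's job (step 5): bh= is the SHA-256 of the body, h= lists the signed headers, b= is the RSA-SHA256 signature over the header hash.
func Sign(domain, selector string, headers [][2]string, body string, priv *rsa.PrivateKey) (string, error) {
	var names []string
	for _, h := range headers {
		names = append(names, strings.ToLower(h[0]))
	}
	bh := sha256.Sum256([]byte(body)) // body hashed as-is: matches "simple" canonicalization for a body ending in one CRLF
	sig := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(names, ":"), base64.StdEncoding.EncodeToString(bh[:]))
	b, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerHash(headers, sig))
	if err != nil {
		return "", err
	}
	return sig + base64.StdEncoding.EncodeToString(b), nil
}

// Verify is the receiving server's job (steps 6-8): fetch the key named by d= and s=, recompute
// bh= and the header hash, check b=. It assumes the caller passes the signed headers in h= order.
func Verify(dkim string, headers [][2]string, body string) error {
	tags := parseTags(dkim)
	der, err := base64.StdEncoding.DecodeString(parseTags(dnsTXT[tags["s"]+"._domainkey."+tags["d"]])["p"])
	if err != nil {
		return err
	}
	key, err := x509.ParsePKIXPublicKey(der) // also fails when no record exists for the selector
	if err != nil {
		return err
	}
	pub, isRSA := key.(*rsa.PublicKey)
	if !isRSA || tags["a"] != "rsa-sha256" {
		return fmt.Errorf("unsupported key type or algorithm %q", tags["a"])
	}
	bh := sha256.Sum256([]byte(body))
	if base64.StdEncoding.EncodeToString(bh[:]) != tags["bh"] {
		return fmt.Errorf("body hash mismatch: body altered after signing")
	}
	sigNoB := dkim[:strings.LastIndex(dkim, "; b=")+len("; b=")] // the header as it was when signed
	b, _ := base64.StdEncoding.DecodeString(tags["b"])             // a malformed b= simply fails to verify
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerHash(headers, sigNoB), b)
}

// Demo runs the workflow on a constructed message: did the untouched message verify, and was a copy with an altered body rejected?
func Demo() (genuineOK, tamperedRejected bool) {
	const domain, selector = "example.com", "s2025" // constructed sample values
	priv, err := rsa.GenerateKey(rand.Reader, 2048)  // step 1: the key pair
	if err != nil {
		panic(err)
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for an RSA key
	dnsTXT[selector+"._domainkey."+domain] = "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der) // step 2
	headers := [][2]string{{"From", "Alice <alice@example.com>"}, {"To", "bob@example.net"}, {"Subject", "Q3 invoice"}}
	body := "Hi Bob,\r\nthe total due is 1,200 EUR.\r\n"
	dkim, err := Sign(domain, selector, headers, body, priv) // step 5
	if err != nil {
		panic(err)
	}
	genuineOK = Verify(dkim, headers, body) == nil // steps 6-8
	tamperedRejected = Verify(dkim, headers, strings.Replace(body, "1,200", "12,000", 1)) != nil
	return genuineOK, tamperedRejected
}

func main() { fmt.Println(Demo()) } // prints: true true
```

The tampered copy fails before the RSA check is even reached: bh= is part of the signed header, so the signature still verifies, and it is the recomputed body hash that exposes the change. A production verifier additionally selects the headers named in h= out of the message, handles the body canonicalization rules fully, and issues a real DNS query, but the trust decision is the same one shown here.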

It is worth noting that while different secure public-key cryptography algorithms can be used with DKIM, none of these algorithms will remain cryptographically secure once significant breakthroughs are made in quantum computing.

Monitoring and maintenance

It is important to understand that DKIM, like many other protocols, requires monitoring and periodic maintenance. For example, we saw above that DKIM relies on hashing algorithms to hash the email body and uses cryptographic keys of a certain length. While a hashing algorithm or a key length might be considered secure at the moment, the constant advance of computing power steadily raises the risk of hash collisions and of attacks against keys of that length. That is why it is important to periodically reevaluate your DKIM implementation and make the necessary changes.

Furthermore, since DKIM makes use of cryptographic keys, it is a common best practice to periodically rotate these keys, just like passwords or API keys. This way, even if the private key is compromised somehow and you aren’t aware of it, rotating the key pair will make the old private key invalid. 
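One concrete way to put this monitoring into practice is to audit the TXT record published for each selector on a schedule. The Go program below is an added example, not part of the article: CheckRecord applies the thresholds from RFC 8301 (verifiers must reject RSA keys under 1024 bits, 2048 bits is the recommended minimum, and SHA-1 is no longer permitted) and the record semantics from RFC 6376 (an empty p= tag revokes the key, the t=y flag puts the domain in testing mode, in which verifiers treat its mail as unsigned). The selector names, the example.com domain and the three records are constructed for the demonstration: a healthy key, an older 1024-bit key left in testing mode and restricted to SHA-1, and a revoked selector left over from a rotation.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// CheckRecord audits one published DKIM TXT record (the value at <selector>._domainkey.<domain>)
// and returns the findings a monitoring job would raise. Thresholds follow RFC 8301 (verifiers
// must reject RSA keys under 1024 bits, 2048 is the recommended minimum, SHA-1 is no longer
// permitted) and RFC 6376 (an empty p= revokes the key, t=y puts the domain in testing mode).
func CheckRecord(txt string) []string {
	var findings []string
	tags := map[string]string{}
	for _, part := range strings.Split(txt, ";") {
		k, v, _ := strings.Cut(strings.TrimSpace(part), "=")
		tags[k] = v
	}
	if v, ok := tags["v"]; ok && v != "DKIM1" {
		findings = append(findings, "v= is "+v+" instead of DKIM1; verifiers ignore the record")
	}
	if tags["h"] == "sha1" {
		findings = append(findings, "h=sha1 limits signatures to SHA-1, which RFC 8301 no longer permits")
	}
	if strings.Contains(tags["t"], "y") {
		findings = append(findings, "t=y testing flag is set; verifiers treat mail from this domain as unsigned")
	}
	p, ok := tags["p"]
	switch k := tags["k"]; {
	case !ok:
		findings = append(findings, "p= tag missing; the record is invalid")
	case p == "":
		findings = append(findings, "p= is empty: the key is revoked and signatures under this selector fail")
	case k != "" && k != "rsa":
		findings = append(findings, "key type k="+k+" is not audited by this check")
	default:
		der, err := base64.StdEncoding.DecodeString(p)
		if err != nil {
			findings = append(findings, "p= is not valid base64: "+err.Error())
			break
		}
		key, err := x509.ParsePKIXPublicKey(der)
		if err != nil {
			findings = append(findings, "p= does not decode to a public key: "+err.Error())
			break
		}
		if pub, isRSA := key.(*rsa.PublicKey); !isRSA {
			findings = append(findings, "k=rsa but the published key is not an RSA key")
		} else if bits := pub.N.BitLen(); bits < 1024 {
			findings = append(findings, fmt.Sprintf("RSA key is %d bits; verifiers must reject keys under 1024 bits", bits))
		} else if bits < 2048 {
			findings = append(findings, fmt.Sprintf("RSA key is %d bits; rotate to 2048 bits or more", bits))
		}
	}
	return findings
}

// recordFor builds a TXT record value for an RSA public key; extra tags are inserted
// verbatim so the demo can construct records with known weaknesses.
func recordFor(pub *rsa.PublicKey, extra string) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an RSA key
	return "v=DKIM1; k=rsa; " + extra + "p=" + base64.StdEncoding.EncodeToString(der)
}

// Demo audits three constructed records: a healthy 2048-bit key, a 1024-bit key left in
// testing mode and restricted to SHA-1, and a revoked selector.
func Demo() map[string][]string {
	strong, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	weak, err := rsa.GenerateKey(rand.Reader, 1024) // still accepted by verifiers, but due for rotation
	if err != nil {
		panic(err)
	}
	records := map[string]string{ // constructed sample records
		"s2025._domainkey.example.com": recordFor(&strong.PublicKey, ""),
		"s2019._domainkey.example.com": recordFor(&weak.PublicKey, "t=y; h=sha1; "),
		"s2017._domainkey.example.com": "v=DKIM1; k=rsa; p=",
	}
	report := map[string][]string{}
	for name, txt := range records {
		report[name] = CheckRecord(txt)
	}
	return report
}

func main() {
	for name, findings := range Demo() {
		fmt.Printf("%s: %d finding(s) %q\n", name, len(findings), findings)
	}
}
```

Publishing an empty p= for the retired selector, as the s2017 record does, is the RFC 6376 way to finish a rotation: old signatures stop verifying, and the check reports the selector as revoked rather than as missing, which tells the operator the state is deliberate.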

Finally, since your company might also have configured SPF and DMARC, monitoring and maintaining all three protocols separately might be cumbersome. To avoid this, consider using a solution that allows you to easily and swiftly change your DKIM, SPF, and DMARC settings as well as generate health reports about their status.


Common mistakes to avoid 

When implementing DKIM, it is important to keep in mind a few potential pitfalls that might undermine the security that DKIM provides:

  • Misconfiguration: Not all mail security administrators are experienced in cryptography or understand how DKIM technically works “behind the scenes.” When configuring DKIM, the secure storage of the private key is of utmost importance. While this might sound trivial, in practice, mail security administrators sometimes incorrectly handle cryptographic private keys, often not understanding the consequences of it. If this private key gets compromised, the threat actor can impersonate your domain and forge valid, malicious phishing emails with it. Additionally, a misconfiguration on the mail server might hinder email delivery, having a business impact. That is why careful testing on non-production environments is suggested before implementing DKIM in production.
  • Poor security on your authoritative name server: This server is responsible for holding your DNS records. If it is misconfigured or vulnerable, a threat actor might compromise it and add a new DNS TXT record for DKIM containing an attacker-controlled public key. Since the threat actor possesses the private key counterpart, they can impersonate your domain in phishing emails.
  • Not understanding DKIM limitations: While DKIM can greatly increase your mail security, it is not a silver bullet for the phishing problem. You should keep in mind that DKIM can only help you if a threat actor is abusing your exact domain name in a phishing campaign. If the threat actor, however, registers a typosquatting domain that is similar to your domain but not the same, DKIM will not be effective. Since the threat actor owns the typosquatting domain, they can also configure DKIM to sign their malicious emails, increasing their reputation and the probability that the recipient's mail server accepts them. That is why, to cover this DKIM limitation, it is advisable to always have a defense-in-depth approach against phishing by regularly performing security awareness training and phishing simulation. This way, even when threat actors get creative and abuse novel techniques, your employees remain up to date with the latest trends and tricks.

Summary

DKIM is one of the top three mail security protocols that your company can implement to reduce the risk of domain impersonation in phishing emails. In this article, we covered the DKIM protocol in depth, including its high-level implementation, the security benefits it provides, and common mistakes to avoid when enforcing it. It is important to keep in mind that DKIM is not a fire-and-forget task. Periodic monitoring and maintenance are required to make sure that the email flow is not interrupted and that the cryptographic material used for DKIM follows the security best practices.