
DKIM

also: DomainKeys Identified Mail

DKIM (DomainKeys Identified Mail) is an email authentication method in which a domain cryptographically signs the mail it sends, so that a receiving server can check that the message was sent with that domain's authorization and that the signed headers and body were not altered after signing.

DKIM lets a domain owner sign outgoing email with a private key held by its mail server. A receiving server fetches the matching public key from the domain's DNS and checks the signature, which confirms that the signing domain took responsibility for the message and that the signed parts of it were not changed in transit. DKIM by itself says nothing about the visible From: address; checking that the signing domain matches the From: domain is the job of DMARC alignment.

DKIM works by adding a DKIM-Signature header to each message. The header names the signing domain (d=) and a selector (s=), carries a hash of the canonicalized body (bh=), lists the headers that are covered (h=), and holds a signature (b=) computed over those headers together with the DKIM-Signature header itself. The recipient's server retrieves the public key from the TXT record at selector._domainkey.domain, recomputes the body hash, and checks the signature. If verification fails, the result is recorded as a DKIM failure (for example in an Authentication-Results header); whether the message is then rejected, quarantined or delivered depends on the receiver's policy and on the sender's DMARC record, since a failed or missing signature is not by itself grounds for rejection.

Example: A server sending mail from example.com signs each message with its private key. When Gmail receives one, it reads the d= and s= tags from the DKIM-Signature header, queries default._domainkey.example.com in DNS (here the selector is "default") to get the public key, verifies the signature, and can then trust that the message was really signed by example.com rather than by a spammer spoofing that domain. Because the selector is part of the DNS name, a domain can publish several keys at once, which is what makes routine key rotation possible.
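The round trip above, as an added example in Go; this is not code from the page, and it implements the signing and verification steps directly from RFC 6376 (rsa-sha256, relaxed/relaxed canonicalization) rather than calling any DKIM library. The domain example.com and selector default are the page's own; the message headers and body, the function names, and the in-memory zone map that stands in for the DNS TXT lookup are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

var wsp = regexp.MustCompile(`[ \t]+`)
var bTag = regexp.MustCompile(`(^|;)(\s*)b=[^;]*`) // the b= tag together with its value

// relaxedHeader: lowercase name, unfold, collapse WSP, trim around the colon (RFC 6376 3.4.2).
func relaxedHeader(name, value string) string {
	v := wsp.ReplaceAllString(strings.ReplaceAll(value, "\r\n", ""), " ")
	return strings.ToLower(name) + ":" + strings.TrimSpace(v) + "\r\n"
}

// relaxedBody: collapse WSP, strip trailing WSP and trailing empty lines, end in CRLF (RFC 6376 3.4.4).
func relaxedBody(body string) string {
	lines := strings.Split(body, "\r\n")
	for i, l := range lines {
		lines[i] = strings.TrimRight(wsp.ReplaceAllString(l, " "), " ")
	}
	if b := strings.TrimRight(strings.Join(lines, "\r\n"), "\r\n"); b != "" {
		return b + "\r\n"
	}
	return "" // an empty body canonicalizes to the empty string
}

// signedData is the header-hash input: the h= headers in order, then the DKIM-Signature
// field itself with its b= value emptied and no final CRLF (RFC 6376 3.7).
func signedData(hdrs map[string]string, signed []string, dkimValue string) []byte {
	var sb strings.Builder
	for _, h := range signed {
		sb.WriteString(relaxedHeader(h, hdrs[strings.ToLower(h)]))
	}
	stripped := bTag.ReplaceAllString(dkimValue, "${1}${2}b=")
	sb.WriteString(strings.TrimSuffix(relaxedHeader("DKIM-Signature", stripped), "\r\n"))
	return []byte(sb.String())
}

// parseTags splits "k=v; k=v" into a map, dropping folding whitespace inside values.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, kv := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(kv), "="); ok {
			tags[strings.TrimSpace(k)] = strings.Join(strings.Fields(v), "")
		}
	}
	return tags
}

// Sign returns the DKIM-Signature header value covering the named headers and the body.
// hdrs maps lowercased header names to values.
func Sign(hdrs map[string]string, body string, key *rsa.PrivateKey, domain, selector string, signed []string) string {
	bh := sha256.Sum256([]byte(relaxedBody(body)))
	val := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(signed, ":"), base64.StdEncoding.EncodeToString(bh[:]))
	hh := sha256.Sum256(signedData(hdrs, signed, val))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, hh[:]) // cannot fail for a valid key
	return val + base64.StdEncoding.EncodeToString(sig)
}

// Verify checks the message's DKIM-Signature; zone stands in for the DNS TXT lookup of
// <selector>._domainkey.<domain> that a real receiver performs.
func Verify(hdrs map[string]string, body string, zone map[string]string) error {
	tags := parseTags(hdrs["dkim-signature"])
	name := tags["s"] + "._domainkey." + tags["d"]
	der, _ := base64.StdEncoding.DecodeString(parseTags(zone[name])["p"])
	key, err := x509.ParsePKIXPublicKey(der)
	pub, isRSA := key.(*rsa.PublicKey)
	if err != nil || !isRSA {
		return fmt.Errorf("no usable key record at %s", name)
	}
	bh := sha256.Sum256([]byte(relaxedBody(body)))
	if base64.StdEncoding.EncodeToString(bh[:]) != tags["bh"] {
		return fmt.Errorf("body hash mismatch: body altered in transit")
	}
	sig, _ := base64.StdEncoding.DecodeString(tags["b"])
	hh := sha256.Sum256(signedData(hdrs, strings.Split(tags["h"], ":"), hdrs["dkim-signature"]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, hh[:], sig) != nil {
		return fmt.Errorf("signature invalid: signed headers altered or wrong key")
	}
	return nil
}

// BuildDemo signs a constructed sample message for the hypothetical sender example.com
// (selector "default") with a fresh key and returns headers, body and a simulated DNS zone.
func BuildDemo() (map[string]string, string, map[string]string) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	hdrs := map[string]string{"from": "Alice <alice@example.com>", "to": "bob@example.org", "subject": "Quarterly   report"}
	body := "Hello Bob,\r\n  see attached.  \r\n\r\n"
	hdrs["dkim-signature"] = Sign(hdrs, body, key, "example.com", "default", []string{"from", "to", "subject"})
	der, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	return hdrs, body, map[string]string{"default._domainkey.example.com": "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)}
}

func main() {
	hdrs, body, zone := BuildDemo()
	fmt.Println("untouched:", Verify(hdrs, body, zone))
	hdrs["subject"] = "Quarterly report (urgent)" // tamper with a signed header
	fmt.Println("edited:", Verify(hdrs, body, zone))
}
```

Two things worth trying with it: collapsing the triple space in the Subject or the trailing whitespace in the body still verifies, because relaxed canonicalization exists precisely so that forwarding hops that rewrap whitespace do not break signatures; changing any actual character of a signed header or of the body, or deleting the TXT record from the zone map, produces a failure. A header that is not listed in h= (here, anything but From, To and Subject) can be changed freely, which is why receivers care about which headers a sender chooses to sign.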

DKIM is one of the three widely deployed email authentication standards, alongside SPF and DMARC. DMARC builds on the other two: it checks that the domain authenticated by SPF or DKIM aligns with the From: header and tells receivers what to do when neither check passes. Together they are used by mail providers to combat phishing and spam.
