Secure Email - Part 2: Understanding and using DKIM records

Learn how to implement DKIM records for secure email communication in Part 2 of our series.

Secure Email - Part 2: Understanding and using DKIM records

The second Part in our series about secure Email DNS Records.

Part 1: Understanding and using SPF
Part 2: Understanding and using DKIM
Part 3: Understanding and using DMARC

DKIM stands for DomainKeys Identified Mail, it helps associate a domain with an email message to help prove the authenticity of the message. DKIM is a successor of DomainKeys developed by Yahoo!, it was deprecated in 2007 but some providers still use it. DKIM was created by an informal group and was submitted to IETF for further development and standardization. DKIM uses public key encryption for signing.

How It Works

The sender (sometimes the signer, not always, for example GMail signs it's users' message, not the users) adds a mail header field DKIM-Signature:, the receiver (not necessarily the recipient, it may be the ESP/MTA, like GMail, Yahoo! etc.) recovers the signer's public key from their DNS records - which is computed using details provided in the DKIM-Signature: header field - which is used to verify the contents of the message & it's integrity.

A DKIM-Signature: header field contains many name-value pairs, know as tags. Names are short maximun one or two letters. The b tag contains the digtal signature of the mail contents (body & headers), bh stands for the body hash i.e. a fingerprint of the body - which can be used to detect tampering, s is for selector which needs to used when fetching the public key from DNS record, d is for signing domain. These are the most important tags, there are other tags which provides the DKIM version, cryptographic algorithm, etc being used.

The receiver/receiving MTA uses the public key to match the signature provided, thereby knowing whether the message is genuine or not, also whether if it was tampered with or not.


Depending on your Service DKIM is normally enabled by default. If not, your provider can provide the DKIM values you have to add to your DNS. For Bamboozle Services, DKIM is enabled by default, securing your Mail.

Further reading

DKIM alone will not completely protect your email. The combination of SPF and DKIM into a DMARC entry is considered the most secure setup for email.