DFIRLab

DKIM (DomainKeys Identified Mail)

An email authentication standard that uses public-key cryptography to verify that a message was sent and authorized by the owner of a domain.

Definition

DKIM (DomainKeys Identified Mail) is an email authentication protocol defined in RFC 6376 that allows a domain owner to cryptographically sign outgoing messages. The signature is attached as a header and can be verified by the recipient's mail server using a public key published in the sender's DNS records. A valid DKIM signature confirms the message originated from the claimed domain and that specific headers and the body have not been altered in transit.

Why It Matters

DKIM is a foundational control against email spoofing and phishing, as it provides cryptographic proof of message origin and integrity. Without it, attackers can trivially forge the From address and impersonate legitimate organizations. DKIM also feeds into DMARC policy enforcement, making it a critical layer in a complete email authentication stack.

How It Works

The sending mail server generates a hash of specified message headers and the body, then signs that hash using a private RSA or Ed25519 key. The resulting signature is inserted into the message as a DKIM-Signature header, which references the signing domain and a selector string. The selector is used by the recipient's mail server to construct a DNS TXT query (e.g., selector._domainkey.example.com) and retrieve the corresponding public key. The recipient verifies the signature against the retrieved public key and recomputes the body hash to confirm integrity. If the signature is missing, expired, or does not match, the message fails DKIM validation and may be rejected or quarantined depending on the domain's DMARC policy.
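The recipient-side steps described above, as an added Python example that is not DFIR Lab's code: it parses a DKIM-Signature value, builds the selector DNS name, recomputes the body hash under the declared canonicalization, and checks the expiry tag. The function names and the sample message are constructed for illustration; the DNS lookup and the public-key check of the b= value are left out so the block runs offline, and the l= body-length tag is not handled.

```python
import base64, hashlib, re, time

def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def canon_body(body, mode):
    """Body canonicalization per RFC 6376: 'simple' or 'relaxed'."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # collapse whitespace runs, drop trailing whitespace
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body, mode="simple", algo="sha256"):
    """Base64 digest of the canonicalized body, the value carried in bh=."""
    return base64.b64encode(hashlib.new(algo, canon_body(body, mode)).digest()).decode()

def check(header_value, body, now=None):
    """Recompute the body hash and report what a verifier would query and compare."""
    t = parse_tags(header_value)
    algo = t["a"].split("-")[1]  # rsa-sha256 / ed25519-sha256 -> sha256
    c = t.get("c", "simple/simple").split("/")
    body_mode = c[1] if len(c) > 1 else "simple"  # body defaults to simple
    now = time.time() if now is None else now
    return {
        "dns_query": f"{t['s']}._domainkey.{t['d']}",  # TXT record with the public key
        "body_ok": body_hash(body, body_mode, algo) == t["bh"],
        "expired": "x" in t and int(t["x"]) < now,
    }

# Constructed sample: domain, selector and b= are placeholders; bh= is computed here.
BODY = b"Invoice  attached. \r\nRegards\r\n\r\n"
HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector;\r\n"
          " h=from:to:subject; x=2000000000; bh=" + body_hash(BODY, "relaxed")
          + "; b=PLACEHOLDER")

if __name__ == "__main__":
    print(check(HEADER, BODY))
```

A body_ok result of False means the body changed after signing (or was rewritten by an intermediary such as a mailing list); a True result still says nothing about the signature until b= is verified against the published key.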

DFIR Platform

Phishing Email Checker

The DFIR Platform's Phishing Email Checker verifies DKIM signatures as one of its 26+ analysis modules, resolving selector DNS records, validating cryptographic signatures, and flagging tampering or missing authentication as part of a full phishing email investigation.

Related Concepts

SPF (Sender Policy Framework)
DMARC (Domain-based Message Authentication, Reporting and Conformance)
Phishing Analysis
