DKIM Explained — The Cryptographic Backbone of Email Trust

DMARC Analyzer Pro

DKIM uses cryptographic signatures to verify email integrity and sender identity. Understand how it works and why it's essential for DMARC.

DomainKeys Identified Mail (DKIM) adds a layer of trust to email that SPF alone cannot provide. While SPF validates where an email was sent from, DKIM validates that the email hasn't been tampered with in transit and that it was authorised by the domain owner.

How DKIM signing works

When a DKIM-enabled server sends an email, it creates a cryptographic hash of specific message headers and the body content. This hash is then signed using a private key that only the sending domain controls. The resulting signature is attached to the email as a `DKIM-Signature` header.

The receiving server extracts the signature, retrieves the corresponding public key from the sender's DNS records, and uses it to verify the hash. If the hash matches, the message is confirmed to be authentic and unmodified.
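Here is a worked version of the signing and verification steps just described, added for this article (it is not code from DMARC Analyzer Pro or from any DKIM library). It uses only Go's standard library, applies RFC 6376's relaxed header and simple body canonicalisation, signs the From, To, Subject and Date headers, and stands in a Go map for the DNS lookup of selector._domainkey.domain. The message, the domain example.com and the selector s2024 are constructed sample values; Sign, Verify and Demo are this example's own names.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Header is one RFC 5322 header field: name and raw value.
type Header struct{ Name, Value string }

var wsRe = regexp.MustCompile(`[ \t]+`)
var tagRe = regexp.MustCompile(`([a-z]+)=([^;]*)`) // tag=value pairs of a DKIM-Signature
var bRe = regexp.MustCompile(`(;\s*)b=[^;]*`)      // the b= tag together with its value

// relaxedHeader: RFC 6376 "relaxed" canonicalisation (lower-case name, unfolded, whitespace collapsed).
func relaxedHeader(h Header) string {
	v := strings.ReplaceAll(h.Value, "\r\n", "")
	return strings.ToLower(h.Name) + ":" + strings.TrimSpace(wsRe.ReplaceAllString(v, " ")) + "\r\n"
}

// simpleBody: "simple" body canonicalisation, the body ends with exactly one CRLF.
func simpleBody(body string) string { return strings.TrimRight(body, "\r\n") + "\r\n" }
func b64(b []byte) string            { return base64.StdEncoding.EncodeToString(b) }

// signedData is the exact byte string that is hashed and signed: the headers named
// in h=, in that order, then the DKIM-Signature header with b= emptied and no final CRLF.
func signedData(headers []Header, hNames []string, sigValue string) []byte {
	var sb strings.Builder
	for _, name := range hNames {
		for _, h := range headers {
			if strings.EqualFold(h.Name, name) {
				sb.WriteString(relaxedHeader(h))
				break
			}
		}
	}
	sb.WriteString(strings.TrimSuffix(relaxedHeader(Header{"DKIM-Signature", sigValue}), "\r\n"))
	return []byte(sb.String())
}

// Sign builds the DKIM-Signature header; d= and s= name the DNS record
// (selector._domainkey.domain) that holds the matching public key.
func Sign(priv *rsa.PrivateKey, domain, selector string, headers []Header, body string) (Header, error) {
	hNames := []string{"From", "To", "Subject", "Date"}
	bh := sha256.Sum256([]byte(simpleBody(body)))
	value := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(hNames, ":"), b64(bh[:]))
	digest := sha256.Sum256(signedData(headers, hNames, value))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil { return Header{}, err }
	return Header{"DKIM-Signature", value + b64(sig)}, nil
}

// Verify recomputes the body hash and checks the signature. dns stands in for the
// DNS TXT lookup, mapping "selector._domainkey.domain" to a public key.
func Verify(dns map[string]*rsa.PublicKey, sig Header, headers []Header, body string) error {
	tags := map[string]string{}
	for _, m := range tagRe.FindAllStringSubmatch(sig.Value, -1) {
		tags[m[1]] = wsRe.ReplaceAllString(m[2], "") // folded values may carry whitespace
	}
	pub := dns[tags["s"]+"._domainkey."+tags["d"]]
	if pub == nil {
		return fmt.Errorf("no key published for selector %q at %q", tags["s"], tags["d"])
	}
	if bh := sha256.Sum256([]byte(simpleBody(body))); b64(bh[:]) != tags["bh"] {
		return fmt.Errorf("body hash mismatch: body changed in transit")
	}
	raw, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil { return err }
	// Rebuild what the signer hashed: the same headers plus the signature header with b= emptied.
	digest := sha256.Sum256(signedData(headers, strings.Split(tags["h"], ":"), bRe.ReplaceAllString(sig.Value, "${1}b=")))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw) != nil {
		return fmt.Errorf("signature invalid: a signed header changed or the key does not match")
	}
	return nil
}

// Demo signs a constructed message, then verifies it as sent and after a relay altered the Subject.
func Demo() (asSentErr, tamperedErr error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return err, err }
	// constructed sample message; example.com and example.net are placeholder domains
	headers := []Header{{"From", "alerts@example.com"}, {"To", "ops@example.net"},
		{"Subject", "Nightly  backup report"}, {"Date", "Mon, 1 Jan 2024 09:00:00 +0000"}}
	body := "Backup completed.\r\n\r\n"
	sig, err := Sign(priv, "example.com", "s2024", headers, body)
	if err != nil { return err, err }
	dns := map[string]*rsa.PublicKey{"s2024._domainkey.example.com": &priv.PublicKey}
	tampered := append([]Header{}, headers...)
	tampered[2] = Header{"Subject", "Nightly backup FAILED"}
	return Verify(dns, sig, headers, body), Verify(dns, sig, tampered, body)
}
```

Demo returns nil for the message as sent and an error for the copy whose Subject was changed: the altered header no longer matches what was hashed, so the signature fails even though the body hash still matches. The same failure path is what a receiver reports as dkim=fail in your aggregate reports.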

Why DKIM matters for DMARC

For DMARC purposes, DKIM is often more reliable than SPF. SPF breaks when messages are forwarded — the forwarding server's IP won't match the original sender's SPF record. DKIM, on the other hand, survives forwarding because the signature travels with the message.

This makes DKIM particularly important for organisations whose emails are frequently forwarded, autoforwarded, or processed through mailing lists. With DKIM in place and properly aligned, your messages will pass DMARC even when SPF fails due to forwarding.

Key management best practices

DKIM security depends entirely on the strength and protection of your private key. Use a minimum key length of 2048 bits — 1024-bit keys are increasingly vulnerable and may be rejected by some receivers. Rotate your keys periodically, at least once a year. When rotating, publish the new public key in DNS, update your signing configuration, and remove the old key only after sufficient time has passed for in-flight messages to be delivered.
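As an added example of the key-management checks above (not from the original article), the Go code below renders the TXT record to publish for a new public key, shows the empty-p= record that retires an old selector, and rejects any published key below the 2048-bit minimum. PublishRecord, CheckRecord and MinKeyBits are this example's own names; the keys are generated on the fly as constructed input.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// MinKeyBits is the smallest RSA modulus this check accepts (the 2048-bit minimum).
const MinKeyBits = 2048

// RevokedRecord is the TXT value that retires a selector without deleting the
// name: an empty p= tells verifiers the key is revoked (RFC 6376, section 3.6.1).
const RevokedRecord = "v=DKIM1; k=rsa; p="

// PublishRecord renders the TXT value to publish at selector._domainkey.<domain>
// for a new signing key: the first step of a rotation.
func PublishRecord(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der), nil
}

// CheckRecord parses a DKIM TXT record and returns the RSA modulus size in
// bits, or an error when the record is malformed, revoked, or below MinKeyBits.
func CheckRecord(txt string) (int, error) {
	tags := map[string]string{}
	for _, part := range strings.Split(txt, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[kv[0]] = strings.Join(strings.Fields(kv[1]), "") // TXT chunking may add spaces
		}
	}
	if v, ok := tags["v"]; ok && v != "DKIM1" {
		return 0, fmt.Errorf("unexpected version %q", v)
	}
	if k, ok := tags["k"]; ok && k != "rsa" {
		return 0, fmt.Errorf("key type %q not handled by this check", k)
	}
	p, ok := tags["p"]
	switch {
	case !ok:
		return 0, fmt.Errorf("no p= tag: not a DKIM key record")
	case p == "":
		return 0, fmt.Errorf("key revoked (empty p= tag)")
	}
	der, err := base64.StdEncoding.DecodeString(p)
	if err != nil {
		return 0, fmt.Errorf("p= is not valid base64: %w", err)
	}
	parsed, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return 0, fmt.Errorf("p= is not a DER public key: %w", err)
	}
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok {
		return 0, fmt.Errorf("p= is not an RSA key")
	}
	bits := pub.N.BitLen()
	if bits < MinKeyBits {
		return bits, fmt.Errorf("%d-bit key is below the %d-bit minimum", bits, MinKeyBits)
	}
	return bits, nil
}

// Demo generates a 1024-bit and a 2048-bit key, publishes each as a TXT record
// and returns CheckRecord's verdict on both (nil means the key is acceptable).
func Demo() (weakErr, strongErr error) {
	verdict := func(bits int) error {
		key, err := rsa.GenerateKey(rand.Reader, bits)
		if err != nil {
			return err
		}
		txt, err := PublishRecord(&key.PublicKey)
		if err != nil {
			return err
		}
		_, err = CheckRecord(txt)
		return err
	}
	return verdict(1024), verdict(2048)
}
```

Running CheckRecord over every selector your domain publishes, old ones included, is a quick way to find the 1024-bit keys that rotation has left behind; publishing RevokedRecord at a retired selector, rather than deleting the name, makes the retirement explicit to verifiers.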

Third-party DKIM signing

For third-party services sending on your behalf, configure them to sign with your domain rather than their own. Most major platforms support custom DKIM signing — they'll provide you with CNAME records to publish in your DNS that point to their DKIM keys. This ensures alignment with your From domain, which is what DMARC requires.
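An added example (not from the original article) of the two things a DMARC evaluator needs from a third-party signature: that the selector resolves, following the CNAME your provider asked you to publish, and that the signature's d= domain aligns with the From domain. The zone, the provider name provider.example and the CNAME target naming are constructed; the organisational-domain function is a last-two-labels approximation standing in for the Public Suffix List a real evaluator uses.

```go
package main

import (
	"fmt"
	"strings"
)

// zone is a constructed stand-in for DNS: CNAMEs delegate a selector under the
// customer's domain to the provider's key record; txt holds the key records.
type zone struct {
	cname map[string]string
	txt   map[string]string
}

// lookupTXT follows CNAMEs (bounded, as resolvers are) and returns the TXT value.
func (z zone) lookupTXT(name string) (string, error) {
	for hop := 0; hop < 8; hop++ {
		if target, ok := z.cname[name]; ok {
			name = target
			continue
		}
		if v, ok := z.txt[name]; ok {
			return v, nil
		}
		return "", fmt.Errorf("no DKIM record at %s", name)
	}
	return "", fmt.Errorf("CNAME chain too long at %s", name)
}

// orgDomain approximates the organisational domain as the last two labels.
// Real DMARC evaluators consult the Public Suffix List; this assumption is
// wrong for suffixes such as co.uk and is only for illustration.
func orgDomain(d string) string {
	labels := strings.Split(strings.ToLower(d), ".")
	if len(labels) <= 2 {
		return strings.Join(labels, ".")
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// Aligned reports DMARC DKIM alignment between the From domain and the signature's
// d= domain: exact match in strict mode, organisational match in relaxed mode.
func Aligned(fromDomain, sigDomain string, strict bool) bool {
	if strict {
		return strings.EqualFold(fromDomain, sigDomain)
	}
	return orgDomain(fromDomain) == orgDomain(sigDomain)
}

// Evaluate resolves the signature's key and reports whether it exists and whether
// its d= aligns with the From domain; both must hold for DMARC to pass via DKIM.
func Evaluate(z zone, fromDomain, sigDomain, selector string, strict bool) (keyFound, aligned bool) {
	_, err := z.lookupTXT(selector + "._domainkey." + sigDomain)
	return err == nil, Aligned(fromDomain, sigDomain, strict)
}

// sample zone (constructed): example.com delegates selector "mail1" to provider.example
// via CNAME; the provider also signs some mail with its own default selector.
var sample = zone{
	cname: map[string]string{
		"mail1._domainkey.example.com": "mail1.example.com._domainkey.provider.example",
	},
	txt: map[string]string{
		"mail1.example.com._domainkey.provider.example": "v=DKIM1; k=rsa; p=PLACEHOLDER-KEY",
		"default._domainkey.provider.example":           "v=DKIM1; k=rsa; p=PLACEHOLDER-KEY",
	},
}

func main() {
	// Custom signing: d=example.com, key reached through the CNAME, so aligned.
	fmt.Println(Evaluate(sample, "example.com", "example.com", "mail1", false))
	// Provider's own signing: the key exists, but d=provider.example is not aligned.
	fmt.Println(Evaluate(sample, "example.com", "provider.example", "default", false))
}
```

The second case is the one that shows up as a valid-but-unaligned DKIM result in aggregate reports: the provider's signature verifies, but because d= is the provider's domain rather than yours, it contributes nothing to your DMARC pass. Note also that where the key physically lives (behind the CNAME, on the provider's name) has no bearing on alignment; only the d= tag does.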

Check your DMARC reports regularly to verify that all your senders are producing valid, aligned DKIM signatures. Any misalignment will show up clearly in the authentication results section of your aggregate reports.