DomainKeys Identified Mail

DomainKeys Identified Mail, also known as DKIM, is published as RFC 6376 (see https://tools.ietf.org/html/rfc6376).

DKIM defines a standardized way for those who send email to digitally sign their messages. This lets recipients confirm, with a high degree of assurance, which domain takes responsibility for the email and whether the message was altered in transit. DKIM complements SPF by giving email senders a way to digitally sign all outgoing email from their domain. DKIM is broadly supported by the world’s major mailbox providers, and is one of the two underlying authentication methods incorporated into DMARC.

DomainKeys Identified Mail (DKIM) permits a person, role, or organization that owns the signing domain to claim some responsibility for a message by associating the domain with the message. DKIM separates the question of the identity of the Signer of the message from the purported author of the message. Assertion of responsibility is validated through a cryptographic signature and by querying the signer’s domain directly (in DNS) to retrieve the appropriate public key.

Overview: DKIM Involves Cryptography

Signing messages with DKIM involves creating a public key/private key pair.

After you create the key pair, you publish the public key in DNS and use the private key to sign selected portions of the message (a hash of the chosen headers and the body).

When receivers get your DKIM-signed message, they verify its signature against your published public key. If the signature verifies, the message is considered to pass DKIM.

DMARC Requires DKIM Identifier Alignment

The DMARC specification extends the notion of DKIM PASS.

To pass DMARC-DKIM, all of the following must hold:

  • The message must be signed with a valid DKIM signature, AND
  • The signed content of the message must not have changed, AND
  • The DKIM signing domain must match the From domain as required by DMARC.

Identifier misalignment occurs when a message passes DKIM verification for its signing domain, but that signing domain does not match the From domain as required by DMARC. This mismatch in domains causes a DMARC-DKIM failure.
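As an added example (not code from the original page), the alignment part of that DMARC-DKIM check in Python: it extracts the From domain and the DKIM d= tag from constructed sample messages and compares them in both DMARC alignment modes, relaxed and strict, which goes slightly beyond the page's "must match". Cryptographic verification of the signature is assumed to be done by a DKIM verifier and is passed in as a boolean; the organizational-domain helper is a simplification, as noted in the code.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail); hash and signature values are placeholders.
ALIGNED = (
    "From: Alice <alice@example.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;\n"
    " h=from:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=\n"
    "Subject: hi\n\nbody\n"
)
SUBDOMAIN = ALIGNED.replace("d=example.com", "d=mail.example.com")
THIRD_PARTY = ALIGNED.replace("d=example.com", "d=esp.example.net")

def from_domain(raw):
    """Domain of the RFC5322.From address, lower-cased (None if absent)."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def signing_domain(raw):
    """The d= tag of the DKIM-Signature header: the domain claiming responsibility."""
    sig = message_from_string(raw).get("DKIM-Signature")
    if sig is None:
        return None
    tags = {}
    for tag in sig.split(";"):
        if "=" in tag:                       # split on the first '=' only: b= holds base64 padding
            k, v = tag.split("=", 1)
            tags[k.strip()] = "".join(v.split())   # drop folding whitespace inside values
    return tags["d"].lower() if tags.get("d") else None

def org_domain(domain):
    """Organizational domain. Assumption: a real verifier uses the Public Suffix List;
    taking the last two labels is right for example.com but wrong for e.g. co.uk."""
    return ".".join(domain.split(".")[-2:])

def dkim_aligned(raw, mode="r"):
    """DMARC identifier alignment of the From domain with the DKIM d= domain:
    mode 's' (adkim=s) needs an exact match, 'r' (adkim=r, the default) needs
    the same organizational domain."""
    fd, sd = from_domain(raw), signing_domain(raw)
    if fd is None or sd is None:
        return False
    return fd == sd if mode == "s" else org_domain(fd) == org_domain(sd)

def dmarc_dkim_pass(raw, signature_verified, mode="r"):
    """DMARC-DKIM result: signature verification (which also proves the signed content
    was not altered) is supplied by the DKIM verifier; alignment is what DMARC adds."""
    return bool(signature_verified) and dkim_aligned(raw, mode)
```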