What is the DKIM protocol and how does it work?
DKIM stands for DomainKeys Identified Mail. It is used to sign selected header fields and the body of an email in order to authenticate the sending domain and to verify that the message was not modified in transit.

It achieves this with asymmetric cryptography, i.e. a public/private key pair. The private key is kept secret by the sender's domain and is used to sign outgoing emails. The public key is published in the sender's DNS so that anyone receiving messages from that domain can retrieve it.

In essence, when an email is sent, the selected headers and the body are signed with the sender's private key to produce a digital signature, which travels with the email as an additional header field (DKIM-Signature). On the receiving side, if DKIM verification is enabled, the server retrieves the public key from DNS and checks whether the signature was indeed produced by the sending domain. A successfully validated signature proves both that the sending domain signed the message and that the signed headers and body have not been modified in transit.

The newest protocol that builds upon DKIM is called DMARC.

DMARC uses both DKIM and SPF.

