spfXio.com makes it easy for you to implement an effective DKIM record using our management platform.  While we may make it easy, we encourage anyone responsible for domain email security to develop a foundational knowledge of DKIM, its purpose, how it is implemented, and how it is verified.

What is DomainKeys Identified Mail (DKIM)?

DKIM is a protocol defined by the Internet Engineering Task Force (IETF) that provides a mechanism for email senders to digitally sign a message and for receivers to verify that signature. DKIM verification is accomplished primarily by publishing the public DKIM key in the sending domain's DNS, where email receivers can request it and use it for verification. For a full technical understanding, it is best to read, re-read, and then read again the IETF document found at https://datatracker.ietf.org/html/rfc6376.

The following diagram provides a walk-through and logical evaluation of DKIM verification in action.

 


 

DKIM Evaluation during an SMTP Conversation

  1. orga.com sends an email to orgb.com through the smtp.orga.com server with IP address 10.100.225.100 and applies a digital signature using the private key of orga.com.
  2. orgb.com receives the email, extracts the DKIM signature, and performs a TXT record lookup for a public domain key published at orga.com.
  3. The received public key is used to verify the DKIM signature extracted from the received email headers.
  4. If the signature is verified, DKIM authentication provides a pass result.
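
The receiver-side work in steps 2 and 3, up to but not including the RSA check of the b= signature value, can be sketched as follows. This is an added example, not spfXio.com code: the selector "s1", the b= and p= values, the message body and the lookup table standing in for DNS are constructed placeholders, and the function names are hypothetical.

```python
import base64, hashlib, re

def parse_tags(value):
    """Parse a DKIM tag=value list (DKIM-Signature header or DNS key record)."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def body_hash(body, mode="simple", algo="sha256"):
    """Canonicalize the body (RFC 6376 section 3.4) and return the base64 digest."""
    if mode == "relaxed":
        # Collapse runs of spaces/tabs and drop whitespace at the end of each line.
        body = b"\r\n".join(re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
                            for ln in body.split(b"\r\n"))
    while body.endswith(b"\r\n"):      # empty lines at the end of the body are ignored
        body = body[:-2]
    if body or mode == "simple":       # simple: an empty body becomes a single CRLF
        body += b"\r\n"
    return base64.b64encode(hashlib.new(algo, body).digest()).decode()

def precheck(sig_header, lookup_txt, body):
    """Locate the key and check bh=; the l= tag and the b= check are not handled."""
    sig = parse_tags(sig_header)
    missing = [t for t in ("v", "a", "b", "bh", "d", "h", "s") if t not in sig]
    algo = sig.get("a", "").partition("-")[2]        # rsa-sha256 -> sha256
    if missing or sig["v"] != "1" or algo not in ("sha1", "sha256"):
        return "permerror: bad signature header"
    qname = f"{sig['s']}._domainkey.{sig['d']}"      # selector + signing domain
    key = parse_tags(lookup_txt(qname) or "")
    if not key.get("p"):                             # no record, or empty p= (revoked)
        return "permerror: no usable key at " + qname
    c = sig.get("c", "simple/simple")                # header/body canonicalization
    mode = c.split("/")[1] if "/" in c else "simple"
    if body_hash(body, mode, algo) != sig["bh"]:
        return "fail: body hash mismatch"
    return "body ok, key found at " + qname

# Constructed sample data: the signer side computes bh=, b= and p= are placeholders.
BODY = b"Hello orgb.com,\r\n\r\nQuarterly report attached.  \r\n\r\n"
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=orga.com; s=s1; "
       "h=from:to:subject; bh=" + body_hash(BODY, "relaxed") + "; b=PLACEHOLDER")
DNS = {"s1._domainkey.orga.com": "v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY"}

if __name__ == "__main__":
    print(precheck(SIG, DNS.get, BODY))
    print(precheck(SIG, DNS.get, BODY + b"tampered\r\n"))
```

A full verifier would go on to canonicalize the headers listed in h= and check b= against the p= key with a cryptographic library; only if that also succeeds is the result a pass.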

 

DKIM Results

DKIM results are used by receiving servers to determine if received emails were digitally signed by an authorized entity. A DKIM pass result is a clear determination that the sender was authorized to digitally sign an email on behalf of the sending domain. Although DKIM provides a means of verifying whether a received email was authorized by a sending domain, it provides no instruction on how to handle received emails that fail DKIM authentication.