DKIM
In the DMARC framework, DKIM (DomainKeys Identified Mail) is the second major authentication method used to verify an email’s legitimacy. While SPF is concerned with which servers are allowed to send mail, DKIM is focused on proving that the email itself is authentic and has not been tampered with.
Just like with SPF, DMARC’s use of DKIM goes beyond a simple validation check; it requires “alignment” to be considered a success.
1. What is DKIM? (The Foundation)
It’s best to think of DKIM as a cryptographic, tamper-proof seal on an email.
Here’s how it works:
- The sending mail server uses a private key to create a unique digital signature. This signature is calculated based on the content of the email (like the body and specific headers).
- This signature is then attached to the email as a header.
- The corresponding public key is published in your domain’s DNS as a TXT record.
When a receiving email server gets the message, it retrieves the public key from your DNS and uses it to verify the signature. If the signature is valid, the receiver can be confident of two things:
- The email was genuinely sent by a server authorized by your domain.
- The email’s content has not been altered in transit.
Purpose: DKIM’s primary job is to ensure message integrity and cryptographically prove the sender’s identity.
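The sign-then-verify flow described above, reduced to its essentials as an added example (this is illustrative code, not from the original page or any mail server): the sender hashes the body into a bh= tag, signs the selected headers plus the DKIM-Signature header itself, and the receiver recomputes both and checks them against the public key. It uses RFC 6376 "simple" canonicalization only and passes the public key directly instead of looking up the <selector>._domainkey.<domain> TXT record; the domain example.com, the selector sel1 and the message contents are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Message is a minimal mail representation: headers (lowercase names) plus body.
type Message struct {
	Headers map[string]string
	Body    string
}

// bodyHash computes the bh= tag: base64(SHA-256(body)) after "simple" body
// canonicalization (CRLF line endings, trailing empty lines removed).
func bodyHash(body string) string {
	b := strings.TrimRight(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	sum := sha256.Sum256([]byte(strings.ReplaceAll(b, "\n", "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// signedData assembles what the signature covers: each header listed in h= as
// "name: value\r\n", then the DKIM-Signature header with an empty b= and no CRLF.
func signedData(m Message, hdrs []string, sigNoB string) []byte {
	var sb strings.Builder
	for _, name := range hdrs {
		sb.WriteString(name + ": " + m.Headers[name] + "\r\n")
	}
	sb.WriteString("dkim-signature: " + sigNoB)
	return []byte(sb.String())
}

// Sign returns the DKIM-Signature header value for m, signed with priv.
func Sign(m Message, priv *rsa.PrivateKey, domain, selector string, hdrs []string) (string, error) {
	base := fmt.Sprintf("v=1; a=rsa-sha256; c=simple/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(hdrs, ":"), bodyHash(m.Body))
	digest := sha256.Sum256(signedData(m, hdrs, base))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base + base64.StdEncoding.EncodeToString(sig), nil
}

// tag returns the value of one "k=v" tag from a DKIM-Signature header value.
func tag(sig, key string) string {
	for _, part := range strings.Split(sig, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 && strings.TrimSpace(kv[0]) == key {
			return strings.TrimSpace(kv[1])
		}
	}
	return ""
}

// Verify is the receiver's side. pub stands in for the key a real verifier
// would fetch from the <s>._domainkey.<d> TXT record named by the signature.
func Verify(m Message, sigHeader string, pub *rsa.PublicKey) error {
	if tag(sigHeader, "bh") != bodyHash(m.Body) {
		return fmt.Errorf("bh= mismatch: body was altered")
	}
	sig, err := base64.StdEncoding.DecodeString(tag(sigHeader, "b"))
	cut := strings.Index(sigHeader, "; b=") // signed form: everything up to and including "b="
	if err != nil || cut < 0 {
		return fmt.Errorf("malformed b= tag")
	}
	digest := sha256.Sum256(signedData(m, strings.Split(tag(sigHeader, "h"), ":"), sigHeader[:cut+4]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return fmt.Errorf("b= invalid: signed headers altered or wrong key")
	}
	return nil
}

// Demo signs a constructed message (domain and selector are made up) and reports
// whether the original verifies and whether body and header changes are detected.
func Demo() (origOK, bodyTamperDetected, headerTamperDetected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	msg := Message{Headers: map[string]string{"from": "CEO <ceo@example.com>", "subject": "Q3 results"}, Body: "Hello team,\nNumbers attached.\n"}
	sig, err := Sign(msg, priv, "example.com", "sel1", []string{"from", "subject"})
	if err != nil {
		return
	}
	origOK = Verify(msg, sig, &priv.PublicKey) == nil
	bodyTampered := Message{Headers: msg.Headers, Body: "Hello team,\nWire the funds today.\n"}
	bodyTamperDetected = Verify(bodyTampered, sig, &priv.PublicKey) != nil
	hdrTampered := Message{Headers: map[string]string{"from": msg.Headers["from"], "subject": "URGENT"}, Body: msg.Body}
	headerTamperDetected = Verify(hdrTampered, sig, &priv.PublicKey) != nil
	return
}

func main() {
	fmt.Println(Demo())
}
```

Two details matter for the integrity claim: the body is covered only through the bh= hash, and that hash is itself inside the signed DKIM-Signature header, so changing either the body or any header listed in h= invalidates b=. Headers not listed in h= (here, anything but From and Subject) are not protected, which is why production signers list every header a recipient relies on.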
2. How DMARC Uses DKIM
DMARC takes the result of the DKIM check and adds its own layer of verification.
DMARC asks two questions regarding DKIM:
- Is the DKIM signature on the email valid (i.e., is the seal unbroken)?
- Is the DKIM signature “aligned” with the “From” address?
3. The Crucial Concept: DKIM Alignment
This is the critical link between DKIM and DMARC.
DKIM alignment means that the domain listed in the DKIM signature (known as the d= tag in the signature header) must match the domain in the visible “From” address that the user sees.
Why is this so important? Without alignment, anyone could send an email carrying a valid DKIM signature from their own domain (evilcorp.com) while putting your company’s address in the visible “From” field. The signature would be technically valid, but it would vouch for evilcorp.com, not for the domain the message pretends to represent. DKIM alignment prevents this deception.
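The alignment check itself, as an added example (not code from the original page or from any DMARC implementation): it pulls the d= tag out of the DKIM-Signature header, pulls the domain out of the visible From address, and compares them. It goes one step beyond the text by implementing both of DMARC's alignment modes from the adkim tag: strict requires an exact match, relaxed (the DMARC default) accepts a subdomain of the same organizational domain. The orgDomain helper approximates the organizational domain as the last two labels; real DMARC evaluators use the Public Suffix List, so treat that helper as a stand-in. The evilcorp.com scenario is the page's; example.com and the addresses are constructed.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// AlignmentMode mirrors the DMARC adkim tag: "s" strict, "r" relaxed (default).
type AlignmentMode string

const (
	Strict  AlignmentMode = "s"
	Relaxed AlignmentMode = "r"
)

// dkimDomain extracts the d= tag (the signing domain) from a DKIM-Signature header value.
func dkimDomain(sigHeader string) (string, bool) {
	for _, part := range strings.Split(sigHeader, ";") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) == 2 && strings.TrimSpace(kv[0]) == "d" {
			return strings.ToLower(strings.TrimSpace(kv[1])), true
		}
	}
	return "", false
}

// fromDomain extracts the domain of the RFC5322.From address, i.e. what the user sees.
func fromDomain(from string) (string, error) {
	addr, err := mail.ParseAddress(from)
	if err != nil {
		return "", fmt.Errorf("unparseable From: %w", err)
	}
	at := strings.LastIndex(addr.Address, "@")
	if at < 0 {
		return "", fmt.Errorf("From address has no domain part")
	}
	return strings.ToLower(addr.Address[at+1:]), nil
}

// orgDomain approximates the organizational domain as the last two labels.
// Assumption for this example: real DMARC evaluation consults the Public Suffix List.
func orgDomain(d string) string {
	labels := strings.Split(d, ".")
	if len(labels) <= 2 {
		return d
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// Aligned reports whether the DKIM signing domain aligns with the From domain
// under the given mode. A valid signature that is not aligned gives DMARC nothing.
func Aligned(sigHeader, from string, mode AlignmentMode) (bool, error) {
	d, ok := dkimDomain(sigHeader)
	if !ok {
		return false, fmt.Errorf("DKIM-Signature has no d= tag")
	}
	f, err := fromDomain(from)
	if err != nil {
		return false, err
	}
	if mode == Strict {
		return d == f, nil
	}
	return orgDomain(d) == orgDomain(f), nil
}

func main() {
	// Constructed headers: a signature that verifies for evilcorp.com but a From at example.com.
	spoof := "v=1; a=rsa-sha256; d=evilcorp.com; s=sel1; h=from:subject; bh=...; b=..."
	ok, err := Aligned(spoof, "CEO <ceo@example.com>", Relaxed)
	fmt.Println("evilcorp.com signature vs example.com From, relaxed:", ok, err)

	own := "v=1; a=rsa-sha256; d=mail.example.com; s=sel1; h=from:subject; bh=...; b=..."
	ok, _ = Aligned(own, "ceo@example.com", Strict)
	fmt.Println("mail.example.com signature vs example.com From, strict:", ok)
	ok, _ = Aligned(own, "ceo@example.com", Relaxed)
	fmt.Println("mail.example.com signature vs example.com From, relaxed:", ok)
}
```

Aligned only answers the second of DMARC's two DKIM questions; it assumes the signature has already been verified against the key published at the d= domain, and a verifier runs it once per valid DKIM-Signature header, since a message may carry several.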
Summary
In the DMARC ecosystem, DKIM’s role is to provide message integrity and sender authenticity. It answers the question, “Is this email’s content trustworthy and was it sealed by the claimed sender?”
For DMARC to pass, an email needs at least one aligned pass from either SPF or DKIM. An aligned DKIM pass is particularly powerful because it travels with the email (unlike SPF, which can break with email forwarding). For DMARC, a valid DKIM signature is only useful if it is also an aligned DKIM signature.