Glossary
DKIM
DomainKeys Identified Mail
What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication method that allows the sender to digitally sign their messages. This signature proves:
- The message was sent by an authorized sender for the domain
- The message content hasn't been altered in transit
- The headers specified in the signature are authentic
How DKIM Works
- Generate key pair - Domain owner creates public and private keys
- Publish public key - Public key is added to DNS as a TXT record
- Sign outgoing email - Mail server uses private key to sign messages
- Recipient verifies - Receiving server retrieves public key from DNS
- Signature validated - Receiving server uses the public key to verify the signature, confirming authenticity
DKIM vs SPF
While both authenticate email, they work differently:
| SPF | DKIM |
|---|---|
| Checks sending server IP | Checks message signature |
| Can break with forwarding | Survives forwarding |
| Validates envelope sender | Validates message content |
| Simple to implement | Requires key management |
Both should be used together with DMARC for complete email authentication.
DKIM Alignment
For DMARC purposes, DKIM must be "aligned" - the domain in the DKIM signature must match the domain in the From: header. Alignment can be:
- Strict - Exact domain match required
- Relaxed - Organizational domain match (subdomains allowed)