What is a DKIM record?
DKIM stands for DomainKeys Identified Mail. A DKIM record is a type of DNS (Domain Name System) record that is used to help verify the authenticity and integrity of an email message. DKIM is a method of email authentication that involves adding a digital signature to the email’s header. This signature is generated using cryptographic techniques and is associated with the sending domain. Recipient email servers can then use this signature to verify that the email was indeed sent by the claimed sender and that its content hasn’t been tampered with during transit.
How does DKIM work?
Here is how a DKIM record works:
- Signing: The sending email server generates a unique cryptographic signature using the private key associated with the sending domain. This signature is created based on specific parts of the email, such as the message body and certain headers.
- DKIM Header: The sending server adds a DKIM header to the email, containing information about the domain’s DKIM configuration and the location of the public key that can be used to verify the signature.
- DNS Record: The public key corresponding to the private key used for signing is stored in a DKIM DNS record in the domain’s DNS settings. This public key is used by recipient email servers to verify the authenticity of the DKIM signature.
- Recipient Verification: When the email is received by the recipient’s email server, it retrieves the DKIM signature from the email header and uses the public key from the DKIM DNS record to verify the signature’s validity. If the signature is valid, it confirms that the email was indeed sent by the claimed sender and that its content hasn’t been altered in transit.
What happens if the DKIM signature is missing or invalid?
If the DKIM signature is invalid or missing, the receiving email server might treat the email with suspicion, flagging it as spam or taking other measures to protect the recipient from potentially malicious or forged emails.