top of page

What is DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail (DKIM) is another method of Spam and Phishing fighting by Signing outgoing Mails using Cryptographic Signature. So that Recipient can validate and determine the Mail whether it is sent by  Authorized Mail System.

I have posted what is Sender Policy Framework (SPF) and how it works. DKIM is also another method like SPF wherein DKIM differs by Signing each mails with cryptographic Signature.

It is ideally another TXT Record which needs to be created in registered DNS Server. It is sender organization responsibility to Domain-keys for the Mail which is in transit.  The organization is a handler of the message, either as its originator or as an intermediary. Their reputation is the basis for evaluating whether to trust the message for further handling, such as delivery. Technically DKIM provides a method for validating a domain name identity that is associated with a message through Cryptographic authentication.

“DomainKeys Identified Mail (DKIM) defines a domain-level authentication framework for email using public-key cryptography and key server technology to permit verification of the source and contents of messages by either Mail Transfer Agents (MTAs) or Mail User Agents (MUAs). The ultimate goal of this framework is to permit a signing domain to assert responsibility for a message, thus protecting message signer identity and the integrity of the messages they convey while retaining the functionality of Internet email as it is known today. Protection of email identity may assist in the global control of “spam” and “phishing”.”

DKIM is developed and patented by Yahoo.!. For more details, 


How does it created?

Basically DKIM Record contains two parts one is Policy Records and Public Key Records.

1.Policy Records

A domain name using DomainKeys should have a single policy record configured. This is a DNS TXT-record with the name “_domainkey” prefixed to the domain name

– for example “”.

The data of this TXT-record contains “o=-” or “o=~”. “o=-” –> “all e-mails from this domain are signed”, and

“o=~” –> “some e-mails from this domain are signed”.

*Additional fields for test (t), responsible e-mail address (r), and notes (n) may also be included – for example “o=-; n=some notes”.

Normally Record will be,


2. Public Key Records

An e-mail message signed with DomainKeys will include a header item “DomainKey-Signature” containing the cryptographic signature and a few other fields including a “selector” (s=) –

for example:







Here, rsa-Sha1 is cryptographic signature algorithm, S is Selector which based on messaging system selection. Normally selector would be location of your messaging system from where it is originating mails here my selector is Bangalore  where my outbound server locator.

receiving e-mail server to verify this signature, it must first obtain the public key for the selector value. For above example, this is stored in a DNS TXT-record with the name “”. In other words, the name of this TXT-record is the selector (s=…) + ._domainkey. + the domain name. The data of this TXT-record is in the format “k=rsa; p=MHww…” where value after p= is the public key. Finally the DKIM record will look like this,


To create the DKIM Record and for Specification of DKIM.

2 views0 comments


bottom of page