DomainKeys, DKIM and DMARC

Posted on May 13, 2014

By Tomki Camp, Director of  Support & Services

DomainKeys, or DK, was a signing technique implementation which contributed/evolved into DomainKeys Identified Mail, or DKIM. Since development efforts shifted into working on DKIM in 2004, there have been many improvements and far broader adoption of DKIM in email services. All new uses of email signing should use DKIM rather than DK, as the accepted successor technology.

When a sender begins making use of DKIM, their domain's email messages will have a DKIM-Signature header containing information about how the signing was performed, how long the signature is valid, what domain the signature is for, and a hash of the message's body and headers which allows the receiving server to check that the message has not been tampered with.

As one of the basic technologies behind the much more recent DMARC efforts, use of DKIM is very important for email senders to employ at the server level. DMARC success can be achieved by having a message pass DKIM, where the signing domain in the DKIM-Signature header matches up with the domain in the message's From header. Use of DK is actually not relevant to this result, and will not help messages pass DMARC.

An example DKIM-Signature header:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=agari.com; s=s1024;
h=sender:date:from:to:message-id:subject:mime-version:precedence:
content-type:content-transfer-encoding;
bh=3cmdkmUuVXovPzflJz/5SvoymWJCXdNuzZSJ/iFp2QE=;
b=CrvHtImJPDKWucWcLuPRG3ranEQs8oJhtKF=

In this example signature, assume that it verifies as being a valid signature for the message it is from. To also pass DMARC, the email address in the message's From: header will have needed to be in the domain indicated by the signature's d= tag: agari.com.

This restriction is called identifier alignment, and provides the visibility connection between the authentication protocol (DKIM in this case) and the sender information that most users see (the From header).

Learn more abut DKIM, SPF & DMARC here

For more details on DKIM specifically and related subjects may be found here

Official resources on DMARC are here