Email Security Blog

DomainKeys, DKIM and DMARC

Tomki Camp May 13, 2014 DMARC
Fallback Featured Image

By Tomki Camp, Director of  Support & Services

DomainKeys, or DK, was a signing technique implementation which contributed/evolved into DomainKeys Identified Mail, or DKIM. Since development efforts shifted into working on DKIM in 2004, there have been many improvements and far broader adoption of DKIM in email services. All new uses of email signing should use DKIM rather than DK, as the accepted successor technology.

When a sender begins making use of DKIM, their domain’s email messages will have a DKIM-Signature header containing information about how the signing was performed, how long the signature is valid, what domain the signature is for, and a hash of the message’s body and headers which allows the receiving server to check that the message has not been tampered with.

As one of the basic technologies behind the much more recent DMARC efforts, use of DKIM is very important for email senders to employ at the server level. DMARC success can be achieved by having a message pass DKIM, where the signing domain in the DKIM-Signature header matches up with the domain in the message’s From header. Use of DK is actually not relevant to this result, and will not help messages pass DMARC.

An example DKIM-Signature header:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=agari.com; s=s1024;
h=sender:date:from:to:message-id:subject:mime-version:precedence:
content-type:content-transfer-encoding;
bh=3cmdkmUuVXovPzflJz/5SvoymWJCXdNuzZSJ/iFp2QE=;
b=CrvHtImJPDKWucWcLuPRG3ranEQs8oJhtKF=

In this example signature, assume that it verifies as being a valid signature for the message it is from. To also pass DMARC, the email address in the message’s From: header will have needed to be in the domain indicated by the signature’s d= tag: agari.com.

This restriction is called identifier alignment, and provides the visibility connection between the authentication protocol (DKIM in this case) and the sender information that most users see (the From header).

Learn more abut DKIM, SPF & DMARC here

For more details on DKIM specifically and related subjects may be found here

Official resources on DMARC are here

Leave a Reply

Your email will not be published. All fields are required.

Agari Blog Image

February 26, 2019 Armen Najarian

Retail Trails Other Sectors in Adopting DMARC for Phishing Prevention

Recent research by the Agari Cyber Intelligence Division finds that the retail industry is dead…

Person Looking at DMARC Protected Email

February 19, 2019 Fareed Bukhari

DMARC Adoption Up, But 85% of Fortune 500 Remains Vulnerable to Brand Hijacking

Adoption of Domain-based Message Authentication, Reporting, and Conformance (DMARC) has seen modest growth in recent…

Agari Blog Image

October 16, 2018 Fareed Bukhari

One Year Later: Federal Mandate for Email Authentication Huge Success

Responding to BOD 18-01, agencies rally to complete the fastest sector-wide adoption of DMARC One…

Agari Blog Image

October 16, 2018 Patrick Peterson

DMARC: A 12-Month Triumph for DHS—and the Nation

Today is the deadline set by the Department of Homeland Security for all executive branch…

Agari Blog Image

August 10, 2018 Patrick Peterson

Half of Federal Agencies Racing to Meet DMARC Active Enforcement Deadline

Executive branch DMARC adoption hits 81%—but with roughly 90 days to go, most have yet…

mobile image