DomainKeys Identified Mail (DKIM)
What is DomainKeys Identified Mail (DKIM)?
DKIM is an email authentication method that adds a digital signature to outgoing mail. Receiving servers use a public key published in DNS to verify the message was authorized by the sending domain and was not meaningfully altered in transit.
Examples
- A company enables DKIM on Microsoft 365 so recipients can verify emails claiming to be from the company were actually signed by its domain.
- A helpdesk platform signs outgoing ticket updates with DKIM so customers can trust the message content was not tampered with.
Discover 🔎
Email was designed to be flexible and interoperable, not secure by default. That means it is easy for attackers to impersonate domains unless the domain proves it authorized the message. DKIM is one of the main ways a domain proves that authorization. It works like a tamper-evident seal: the sender signs the email, and the receiver checks that signature using a public key published in DNS.
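The receiver-side check of the "seal" can be shown in part with an added example (not code from this page): it parses a DKIM-Signature header, derives the DNS name where the public key is published, and recomputes the body hash to compare against the `bh=` tag. It covers only the body-hash step, not verification of the `b=` signature itself, and assumes no `l=` tag; the domain `example.com`, selector `sel1`, and the message body are constructed sample values.

```python
import base64
import hashlib
import re

def parse_tags(value: str) -> dict:
    """Split a DKIM-Signature tag=value list into a dict (RFC 6376, 3.2)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization, 'simple' or 'relaxed' (RFC 6376, 3.4.3 and 3.4.4)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of spaces/tabs and ignore whitespace at end of line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at end of body
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def check_body(sig_value: str, body: bytes) -> dict:
    """Return the DNS name holding the public key and whether bh= matches."""
    tags = parse_tags(sig_value)
    hash_name = tags["a"].split("-")[1]            # "rsa-sha256" -> "sha256"
    c = tags.get("c", "simple/simple")
    body_mode = c.split("/")[1] if "/" in c else "simple"
    digest = hashlib.new(hash_name, canon_body(body, body_mode)).digest()
    return {
        "dns_name": f"{tags['s']}._domainkey.{tags['d']}",
        "body_intact": base64.b64encode(digest).decode() == tags["bh"],
    }

# Constructed sample: what a signer would place in bh= for this body.
SIGNED_BODY = b"Your ticket #1001 was updated.\r\n"
BH = base64.b64encode(hashlib.sha256(canon_body(SIGNED_BODY, "relaxed")).digest()).decode()
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
              f"\th=from:subject; bh={BH}; b=PLACEHOLDER")

if __name__ == "__main__":
    print(check_body(SAMPLE_SIG, SIGNED_BODY))
    print(check_body(SAMPLE_SIG, b"Your ticket #1001 was closed.\r\n"))
```

A full verifier would also fetch the TXT record at the returned DNS name and check the `b=` signature over the signed headers with that public key.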
Summary 📝
DKIM adds a cryptographic signature to email so receivers can verify the message was authorized by a domain and that signed content was not altered. It uses a private key to sign and a public key in DNS to verify. DKIM improves trust and anti-spoofing posture, especially when combined with SPF and DMARC for domain alignment and policy enforcement.