The DKIM email authentication method: what is it?

Email scams that rely on sender forgery, like spoofing and phishing, have been around since the mid-1990s. However, they’ve gotten increasingly sophisticated, affecting more people and causing more harm to both individuals and organizations.

This is why ISPs pay special attention to the sender’s reputation: identifying a sender that’s been reported as spam means securing the recipient from a communication which, at best, is just unwanted and, at worst, might disguise a phishing attempt.

DKIM is considered one of the most trusted email authentication methods and can help enhance your deliverability. Generally speaking, email authentication methods boost inbox deliveries by providing verifiable information through your messages, proving the emails that you sent belong to you.

DKIM (DomainKeys Identified Mail) is an authentication method that allows the sender to associate a message with a domain name. This way, the recipient can verify its authenticity and check out the sender’s reputation shown in the From field.

Technically, DKIM provides a method for validating a domain identity linked to a message through encrypted authentication. Essentially, DKIM allows the email sender to take responsibility for a message in transit. Let’s zoom in a bit.

What’s DKIM for?

DKIM is an encrypted key linked to a domain name. It works as the sender’s digital signature on every email that he or she sends. The recipient’s server can use it to verify the authenticity of the sender’s message.

This protocol can block email spoofing, phishing, and spam since the recipient’s email client can check the sender’s reputation before delivering the message to the recipient.

DKIM is a guarantee since the domain name’s owner in the signature claims responsibility for the message. Therefore, if the message has no value, then the owner risks his or her own reputation.

Why use DKIM in Email Marketing?

The sender authentication method is important for two reasons:

• it confirms that the authenticated domain actually sent the email
• it confirms that the content was not altered during delivery.

DKIM is considered the most reliable email authentication method and can increase your deliverability. Sender reputation is a key factor for ISPs. Email authentication methods let you equip your messages with verifiable information to prove their value.

The sender’s Mail Transfer Agent (MTA) generates the signature using an algorithm for the content of the signed fields. This algorithm creates a unique string of characters or a “hash value”. When the sender’s MTA generates the signature, the public key used to generate it gets stored in the listed domain.

After receiving the email, the recipient’s MTA verifies the DKIM signature by retrieving the signature holder’s public key via DNS. The recovered key is used to decrypt the hash value in the email header and, at the same time, recalculate the hash value for the received email. If these two keys match, then the message is considered DKIM-authenticated.

If the message has a valid signature, then the signing domain identified by the d= tag will tell recipients who the sender is. This way, the reputation assessment systems can check out the details on that domain and decide whether to deliver the mail to the inbox or spam folder.

The email client will check the public key in the DNS record to verify if the sending domain is correct. You can see this record at: http://dkimcore.org/tools/keycheck.html.

What’s the difference between DKIM and SPF?

Although they look similar, don’t confuse DKIM with the Sender Policy Framework (SPF).

DKIM authentication can be considered the next step after the SPF protocol: SPF authorizes an IP address or domain to send messages, while DKIM records add the encrypted digital signature to validate such authorization.

The biggest difference between these two methods is that DKIM encrypts each message independently. This makes the value of the DNS record used to validate the mail not unique. The drawback of this system is that DKIM consumes a large amount of resources on both the source and the destination server since each of the emails sent and received needs to be encrypted and decrypted.

How does a DKIM signature get recorded in a message?

Let’s take an example from the dkim.org site:

DKIM-Signature a=rsa-sha1; q=dns
     d=example.com
     i=user@eng.example.com
     s=jun2005.eng; c=relaxed/simple
     t=1117574938; x=1118006938
     h=from:to:subject:date
     b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSb
     av+yuU4zGeeruD00lszZVoG4ZHRNiYzR

The DKIM signature is recorded as an RFC2822 header field for the signed message.

Using DKIM can improve mail deliverability along with delivery to your contact database inboxes. But look out: DKIM doesn’t highlight spam. In reality, its value is detected after sending various messages associated with a domain name. At that point, the experience about the signature holder allows the ISPs to decide whether the message should be delivered to the inbox or spam.

It all depends on the users’ behavior when they open the message: do they interact with the elements contained in the email, or do they delete it right after opening it? This is a really useful hint in assessing an email’s value.

Now, do you see why it’s good to use DKIM in authenticating your emails? Harness this technology and increase the number of correctly delivered messages to your contacts to boost your Email Marketing strategy’s conversion rate.