Does DKIM prevent email modification in transit?

Matthew Whittaker
Co-founder & CTO, Suped
Published 30 Apr 2025
Updated 31 Oct 2025
5 min read
Email security protocols like DKIM (DomainKeys Identified Mail) are foundational for protecting digital communications, especially concerning email modification in transit. Many people assume DKIM outright prevents alterations, but its role is more nuanced.
DKIM primarily acts as a tamper-detection mechanism. It allows the recipient's email server to verify that an email claiming to come from a specific domain was indeed authorized by that domain's owner and that the message content was not altered since it left the initial sending server. Think of it as a digital seal.
While DKIM doesn't actively block or modify emails, its failure indicates a potential issue, such as unauthorized spoofing or accidental message changes. This capability is crucial for maintaining trust and combating phishing attempts.

How DKIM works

DKIM functions using cryptographic signatures. When an email is sent from a DKIM-enabled domain, the sending mail server (MTA) generates a unique digital signature for specific parts of the email, including headers and the body. This signature is then inserted into the email's header.
The digital signature is created with a private key that only the sending domain's mail server holds. The corresponding public key is published in the domain's DNS, typically as a TXT record. When a receiving server gets an email carrying a DKIM signature, it looks up the public key in the sender's DNS and uses it to verify the signature.
If the signature verifies against the hash the receiver computes over the headers and body it actually received, DKIM authentication passes, meaning the email's integrity has been preserved. You can learn more about how DKIM signs the email body or just the headers to understand the specifics of what parts of an email are covered by this process.

Example DKIM DNS record

DKIM TXT record (DNS):
selector1._domainkey.yourdomain.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDn8d4vF..."
The selector (e.g., selector1) points to the specific public key used to verify the email's signature.

Detecting alterations vs. preventing them

It is important to distinguish between detecting alteration and preventing it. DKIM does not prevent an email from being modified while in transit. Instead, it provides a cryptographic method for the receiving server to detect if any part of the signed email has been changed since it was digitally signed by the sending domain.
If an unauthorized party (or even an automated system, as we'll discuss) alters the email's content or headers after DKIM signing, the recipient server's verification will fail. This failure signals that the email's integrity has been compromised. The receiving server can then use this information, often in conjunction with DMARC, to decide how to handle the message.

DKIM's role: detection

  1. Cryptographic signature: Attaches a digital seal to the email, created with a private key.
  2. Integrity check: Allows the receiver to verify if the message content was altered.
  3. Sender authentication: Confirms the email originated from the declared domain's authorized sender, enhancing sender identity verification.

Actual prevention

  1. No direct blocking: DKIM itself doesn't stop malicious actors from modifying an email.
  2. Relies on other protocols: Works with DMARC to define actions on failed verification.
  3. Passive security: Provides information for policy enforcement, rather than active prevention.

Common causes of DKIM failures

While DKIM is robust against malicious tampering, it can sometimes fail due to legitimate, unintentional modifications. Common scenarios include email forwarding, where intermediary servers or mailing lists may alter headers or add footers to the message body. These changes can invalidate the original DKIM signature, leading to a failed authentication.
For instance, if an email client or server automatically rewrites a URL or adds tracking pixels, the hash computed by the receiving server will no longer match the one carried in the original signature, causing the DKIM check to fail. This is why understanding how email forwarding affects SPF, DKIM, and DMARC is crucial for maintaining deliverability.
Example of a DKIM signature header
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1; t=1678886400; bh=hash_of_body; h=From:Subject:To:Date; b=signature_string
Fixing DKIM body hash mismatch failures, which often occur due to these types of modifications, is an important aspect of email management. You can find detailed solutions for DKIM body hash mismatch failures in our guides.
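The following Python is an added example written for this page, not Suped's code or the page's own; it illustrates both the hash comparison described under "How DKIM works" and the footer-induced failures described in this section. It implements the relaxed body canonicalization of RFC 6376 and the bh= body hash, parses a DKIM-Signature tag list like the one shown above, and then plays the receiver: the original body and a whitespace-only rewrite still match, while a mailing-list footer does not. The message bodies, domain and selector are constructed; the b= tag is left empty because producing the RSA signature over the canonicalized headers needs the private key and a crypto library, which this example does not cover.

```python
import base64
import hashlib
import re

# Constructed sample bodies (not from the article). The first is what the sender
# signed; the others are what a receiver might get after transit.
ORIGINAL_BODY = "Hello,\r\n\r\nYour invoice is attached.\t Thanks,  \r\nAccounts\r\n"
# A mailing list appended a footer: the classic legitimate cause of a bh= mismatch.
FORWARDED_BODY = ORIGINAL_BODY + "--\r\nYou received this via the list.\r\n"
# Only whitespace changed (tab to space, trailing spaces dropped, blank line added).
RESPACED_BODY = "Hello,\r\n\r\nYour invoice is attached. Thanks,\r\nAccounts\r\n\r\n"


def relaxed_body_canon(body: str) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization:
    strip trailing whitespace on each line, collapse runs of spaces/tabs to one
    space, drop empty trailing lines, and end a non-empty body with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    canon = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while canon and canon[-1] == "":
        canon.pop()
    if not canon:
        return b""
    return ("\r\n".join(canon) + "\r\n").encode("utf-8")


def body_hash(body: str) -> str:
    """The bh= tag: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(relaxed_body_canon(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_signature(header_value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376 section 3.2).
    Folding whitespace inside values (common in long b= values) is discarded."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def build_signature_header(body: str, domain: str = "example.com",
                           selector: str = "selector1") -> str:
    """Sender side: emit a DKIM-Signature value whose bh= covers the body.
    b= (the RSA signature over the canonicalized headers) is left blank here;
    producing it needs the private key and a crypto library."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h=From:Subject:To:Date; bh={body_hash(body)}; b=")


def check_body_hash(dkim_header: str, received_body: str) -> bool:
    """Receiver side: recompute bh= over the body actually received and compare
    it with the signed value. A mismatch means the body changed after signing,
    so the verifier fails DKIM before it even fetches the public key."""
    tags = parse_dkim_signature(dkim_header)
    if not tags.get("a", "").endswith("-sha256"):
        raise ValueError("example only handles *-sha256 signatures")
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    if body_canon != "relaxed":
        raise ValueError("example only handles relaxed body canonicalization")
    return body_hash(received_body) == tags.get("bh")


if __name__ == "__main__":
    header = build_signature_header(ORIGINAL_BODY)
    print("DKIM-Signature:", header)
    for label, body in (("original", ORIGINAL_BODY),
                        ("whitespace-only change", RESPACED_BODY),
                        ("footer appended", FORWARDED_BODY)):
        print(f"{label:24s} bh matches: {check_body_hash(header, body)}")
```

The whitespace case is why most senders choose c=relaxed/relaxed: it survives the minor reformatting some relays perform, whereas any appended or inserted text changes the canonical body and therefore the hash.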

The role of DMARC in policy enforcement

While DKIM detects email modification, it's DMARC (Domain-based Message Authentication, Reporting & Conformance) that dictates what happens to an email if DKIM (or SPF) authentication fails. DMARC adds alignment on top of SPF and DKIM: the domain in the visible From header must match the domain that SPF or DKIM authenticated.
By deploying a DMARC policy, domain owners can instruct receiving mail servers on how to handle emails that fail authentication, such as quarantining them (sending them to spam), rejecting them, or simply monitoring them without taking action. This provides the enforcement mechanism that DKIM alone doesn't offer.
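As an added example (not Suped's code or the page's own), the following Python sketches how a receiver combines the DKIM and SPF results with a published DMARC record to reach a disposition: pass when either mechanism passes in alignment with the From domain, otherwise the record's p= policy. The DMARC records, domains and authentication results are constructed; the organizational-domain helper is a deliberate simplification, and pct= sampling and sp= subdomain policy are omitted.

```python
# Constructed example: a minimal DMARC evaluator that applies the record's policy
# when neither SPF nor DKIM passes in alignment with the From domain. It omits
# pct= sampling, sp= subdomain policy and aggregate report generation.


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record's tag=value list (RFC 7489 section 6.3)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def organizational_domain(domain: str) -> str:
    """Assumption of this example: the organizational domain is the last two
    labels. Real evaluators consult the Public Suffix List, without which names
    under suffixes such as co.uk are handled wrongly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r',
    the default) accepts the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(record_txt: str, from_domain: str,
                   dkim_result: str, dkim_domain,
                   spf_result: str, spf_domain) -> dict:
    """Decide the disposition of one message.
    dkim_domain is the d= tag of a signature that verified (None if none did);
    spf_domain is the domain SPF authenticated (the MAIL FROM domain)."""
    tags = parse_dmarc_record(record_txt)
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    aligned_by = [name for name, ok in (("dkim", dkim_ok), ("spf", spf_ok)) if ok]
    if aligned_by:
        return {"dmarc": "pass", "disposition": "none", "aligned_by": aligned_by}
    policy = tags.get("p", "none")
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy p={policy}")
    return {"dmarc": "fail", "disposition": policy, "aligned_by": []}


if __name__ == "__main__":
    record = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"
    # Direct delivery: DKIM verified with d=example.com, aligned with the From domain.
    print(evaluate_dmarc(record, "example.com", "pass", "example.com", "pass", "example.com"))
    # Mailing list appended a footer (DKIM body hash mismatch) and relayed from its
    # own servers (SPF passes only for the list's bounce domain): DMARC fails.
    print(evaluate_dmarc(record, "example.com", "fail", None, "pass", "lists.example.org"))
    # Third-party sender signing with its own domain and no alignment: DMARC fails.
    print(evaluate_dmarc(record, "example.com", "pass", "mailvendor.net", "fail", None))
```

With p=none the same failures are merely reported, which is why a monitoring-only policy is the usual starting point before moving to quarantine or reject.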

Optimize your DMARC with Suped

To effectively leverage DKIM's detection capabilities and safely transition your DMARC policy to enforce a more stringent policy like p=quarantine or p=reject, robust DMARC monitoring is essential. Suped offers comprehensive DMARC reporting and monitoring with AI-powered recommendations to help you understand your email authentication status and fix any issues efficiently. Our platform provides real-time alerts and a unified dashboard for DMARC, SPF, DKIM, blocklist, and deliverability insights, ensuring your emails always reach the inbox.

Final thoughts on email integrity

In conclusion, DKIM is a vital email authentication protocol designed to detect if an email has been tampered with during transit and to verify the sender's identity. It doesn't prevent modifications but provides the necessary signals for receiving mail servers to identify compromised messages.
When combined with SPF (Sender Policy Framework) and DMARC, DKIM forms a powerful defense against email fraud and ensures the integrity and authenticity of your email communications. Implementing and monitoring these protocols is key to robust email security and deliverability.
