DomainKeys / DKIM

How to get here

Domain Signing Options (Selectors)

DomainKeys/DKIM Verification Settings

Add Selector Wizard

DomainKeys and DomainKeys Identified Mail (DKIM) are e-mail authentication methodologies designed to verify digitally signed e-mail on a per-domain basis. Both methods were designed for protection of e-mail identity and have assisted in the control of "spam" and "phishing". DomainKeys and DKIM use asymmetric key cryptography to sign messages with a private key and use DNS to distribute the public key for signature verification.

DomainKeys (RFC4870) is a precursor to DKIM (RFC4871), though both are currently in use, DomainKeys is considered deprecated by DKIM.

See the following PDF for help in Getting Started with DomainKeys / DKIM.

DomainKeys

DomainKeys is a domain-level e-mail authentication standard that uses public/private key encryption and DNS to prove the legitimacy and contents of an e-mail message, and also verifies that the domain used in the "from" or "sender" header of a message has not been modified while in transit.

Public Key / Private Key

A public key/private key-pair is created for the sending domain. The private key is stored securely on the mail server and is used to sign all outgoing messages. The public key is stored and published in DNS as a TXT record of the domain.

When an e-mail is sent, the mail server will use the private key to digitally sign it, which is part of the message header. When the e-mail message is received, the DomainKeys signature can be verified against the public key on the domain's DNS.

For detail specifications on DomainKeys see RFC4870.

DKIM

DKIM is very similar in functionality to DomainKeys, with an enhanced standard that provides more flexibility and security. Although DKIM does not filter or identify spam, widespread use of DKIM can prevent spammers from forging the source address of their messages. If spammers are forced to show a correct source domain, then the other spam filtering techniques will work more effectively.

Some of the improvements provided by DKIM are as follows:

• Multiple hashing algorithms (as opposed to just one available with DomainKeys).
• Capability for one DNS text record to handle multiple domains.
• Improved option for canonicalization that validates header and body separately.
• Capability to delegate signing to third parties.
• Capability to self-sign additional headers.
• More advanced options for customization using DKIM. (e.g. Hash Algorithms, Body Settings, Expiration)

For detail specifications on DKIM see RFC4871.

Related Topics

System Signing Options (Selectors)