DKIM – How it Works
Sending Servers
There are two steps to signing an email with DKIM:
- The domain owner generates a public/private key pair to be used for signing outgoing messages (multiple key pairs are allowed).The public key is published in a DNS TXT record, and the private key is made available to the DKIM-enabled outbound email server.
- When an email is sent by an authorized user of the email server, the server uses the stored private key to generate a digital signature of the message, which is inserted in the message as a header, and the email is sent as normal
Receiving Servers
- The DKIM-enabled receiving email server extracts the signature and claimed From: domain from the email headers.
- The public key is retrieved from the DNS system for the claimed From: domain.
- The public key is used by the receiving mail system to verify that the signature was generated by the matching private key. A match effectively proves that the email was truly sent from, and with the permission of, the claimed domain and that the message headers and content have not been altered during transit.
- The receiving email system applies local policies based on the results of the signature test. For example, the message might be deleted if the signature does not match.
In order for DKIM to work the sender mail server should sign the outgoing email in addition to the availability of a public DNS record specifying DKIM value.