DKIM Explained: How Email Signatures Protect Your Inbox From Forgery
What Is DKIM in One Sentence?
DKIM (DomainKeys Identified Mail) is an email authentication standard in which the sending domain attaches a cryptographic signature to each outgoing message; a receiving mail server fetches the signing domain's public key from DNS and checks that the signed headers and body were not modified after signing and that the domain named in the signature actually vouched for the message, which, combined with a DMARC policy, makes forging or tampering with mail from that domain significantly harder.
What Does DKIM Mean and How Does It Work?
DKIM stands for DomainKeys Identified Mail. It was developed to close a fundamental gap in email infrastructure: the Simple Mail Transfer Protocol (SMTP), which underlies all email delivery, performs no identity verification on the sender. Any server can send a message claiming to originate from any domain.
DKIM solves this by applying asymmetric cryptography to email. The sending organization generates a public/private key pair. The private key is stored securely on the outgoing mail server and is used to sign every message before it leaves. The corresponding public key is published in the domain's DNS records.
When a receiving mail server gets the message, it reads the DKIM-Signature header, fetches the public key named by the signature's d= (domain) and s= (selector) tags from DNS, and uses it to verify the signature over the listed headers and the body hash. If the signature verifies, the receiver knows that the signing domain took responsibility for the message and that the signed parts have not changed since. If the signature is absent or fails, the receiver learns nothing positive: RFC 6376 says a failed signature is to be treated as if the message were unsigned, and it is the domain's DMARC policy that decides what happens next.
DKIM is one of three foundational email authentication protocols, alongside SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting and Conformance). NIST Special Publication 800-177 Rev. 1 identifies all three as baseline controls for trustworthy email infrastructure.
Why Does DKIM Matter? What Are the Real-World Consequences of Skipping It?
Without DKIM signing on your domain, and without a DMARC policy that tells receivers to enforce it, email from your domain can be forged with no technical barrier. Attackers do not need to breach your systems. They only need your domain name.
The financial consequences are documented and severe:
- The FBI's Internet Crime Complaint Center (IC3) reported more than $2.9 billion in losses from Business Email Compromise (BEC) in 2023, second only to investment fraud among the crime categories the FBI tracks.
- CISA states that more than 90 percent of successful cyberattacks start with a phishing email, and a large share of those messages rely on a forged or lookalike sender identity.
- Research published by Valimail in 2023 found that more than 80 percent of global email volume is unauthenticated, meaning it carries no DKIM, SPF, or DMARC verification.
- The IRS has repeatedly warned tax professionals and employers about W-2 phishing campaigns that impersonate executives or payroll software vendors to harvest employee tax data (IRS IR-2022-183). Such messages are far easier to deliver when the impersonated domain publishes no DKIM key and no DMARC policy.
DKIM matters because it creates a verifiable record of who signed your outbound email. It does not just tell the receiving server who claims to have sent the message. It tells the server which domain cryptographically took responsibility for it.
Trust Aside: Ṣọ Email Security checks DKIM signatures and SPF and DMARC results locally on your device. No email content is transmitted to a remote server for analysis. Every authentication check runs entirely within your browser extension or mobile app, with your data remaining on your device at all times.
How Does a DKIM-Based Email Attack Actually Work?
When DKIM is absent or misconfigured, attackers exploit the authentication gap using these documented steps:
Step 1: Reconnaissance. The attacker identifies a high-value target within an organization, typically someone in finance, HR, or an executive role, and researches the email domain.
Step 2: Domain spoofing or lookalike registration. If the target domain has no DMARC enforcement, the attacker can spoof it directly using any SMTP tool. Alternatively, they register a lookalike domain such as payro11.com instead of payroll.com.
Step 3: Forged email delivery. The attacker crafts an email with a spoofed "From" header. Without DKIM signing on the legitimate domain and without DMARC enforcement, many mail servers will accept and deliver the forged message without flagging it.
Step 4: Message tampering in transit. In a man-in-the-middle scenario, an attacker or a compromised relay modifies a legitimate email in transit, for example changing the bank account number in a vendor payment instruction. Without a valid DKIM signature to verify integrity, the recipient has no technical means to detect the alteration. Note what the signature covers: the body and the headers listed in the signature's h= tag (or only the first l= bytes of the body if the signer uses a length limit); headers outside that list can still be changed without invalidating the signature.
Step 5: Fraud or credential theft. The forged or altered message instructs the recipient to click a malicious link, submit credentials, approve a wire transfer, or provide sensitive data. Because the email appears to come from a trusted source, compliance rates are high.
What Is a Real-World Example of a DKIM Failure Enabling Fraud?
In 2020, the U.S. Department of Justice charged individuals in connection with a Business Email Compromise scheme that defrauded a municipal government of more than $500,000 through spoofed vendor payment redirect emails. Post-incident analysis revealed the targeted organization had no DMARC policy and no DKIM records on the impersonated vendor domain, meaning forged emails passed through mail filters without triggering any authentication failure.
This pattern is consistent with the FBI's annual Internet Crime Reports, which have tracked BEC as one of the costliest crime categories year after year, and with the IRS warnings about W-2 and payroll-redirect phishing aimed at accounting firms and HR departments. In each case the fraud depends on a forged sender identity that the recipient's mail system cannot distinguish from the real one when the impersonated domain publishes no DKIM key and no DMARC policy.
How Do You Check Whether an Email Has a Valid DKIM Signature?
Use this checklist when evaluating any suspicious email:
- Open the full headers (Gmail: three-dot menu → "Show original"; Outlook: File → Properties → Internet Headers).
- Look for a DKIM-Signature: header field. No such field means the message is unsigned, which for a domain that normally signs is itself a warning sign.
- Read the d= tag in the signature and compare it with the domain in the "From" address. DMARC calls this alignment: d= must be the From domain or share its organizational domain. A valid signature from an unrelated domain (for example d=payro11.com on mail that says it is from payroll.com) proves nothing about the sender it claims to be.
- Find the Authentication-Results: header added by your own mail provider (the first token after the colon names the server that did the check) and read its dkim= result. Ignore any Authentication-Results: header that names some other server; senders can insert those themselves.
- The bh= (body hash) and b= (signature) tags are what the verifier checks; their presence alone confirms nothing. Only a dkim=pass from your own provider, together with an aligned d=, shows that the body and signed headers are unchanged since the signing domain signed them.
- Run the sending domain and selector (the s= tag) through MXToolbox or Google Admin Toolbox to confirm a DKIM public key is published at selector._domainkey.domain.
- If the result shows dkim=fail, dkim=none, or dkim=permerror, treat the message with high suspicion, especially if it requests payment, credentials, or personal data.
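The checklist above, carried out in code: an added example, not code from the page or from Ṣọ. It parses a set of raw headers, pulls the d= tag out of the DKIM-Signature, checks it against the "From" domain, and reads the dkim= result only from the Authentication-Results header stamped by the receiving gateway you trust. The headers, domains (payroll.example, payro11.example, mx.victim.example) and the authserv-id are constructed for illustration, and the organizational-domain check is a two-label approximation of what real DMARC verifiers do with the Public Suffix List.

```javascript
// Constructed sample headers (not a real capture). The lookalike domain
// payro11.example signs validly for itself, but the From address claims
// payroll.example, and the sender has also injected a fake
// Authentication-Results header claiming dkim=pass for payroll.example.
const SAMPLE_HEADERS = [
  'From: "Accounts Payable" <ap@payroll.example>',
  'To: cfo@victim.example',
  'Subject: Updated wire instructions',
  'Authentication-Results: mail.attacker.example; dkim=pass header.d=payroll.example',
  'Authentication-Results: mx.victim.example;',
  ' spf=pass smtp.mailfrom=bounce.payro11.example;',
  ' dkim=pass header.d=payro11.example header.s=s1;',
  ' dmarc=fail header.from=payroll.example',
  'DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=payro11.example;',
  ' s=s1; h=from:to:subject;',
  ' bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;',
  ' b=dGhpcyBpcyBub3QgYSByZWFsIHNpZ25hdHVyZQ==',
].join('\r\n');

// Unfold RFC 5322 continuation lines and split into {name, value} pairs.
function parseHeaders(raw) {
  const out = [];
  for (const line of raw.split(/\r?\n/)) {
    if (/^[ \t]/.test(line) && out.length) {
      out[out.length - 1].value += ' ' + line.trim();
    } else {
      const i = line.indexOf(':');
      if (i > 0) out.push({ name: line.slice(0, i).trim().toLowerCase(), value: line.slice(i + 1).trim() });
    }
  }
  return out;
}

// DKIM tag=value list (RFC 6376 section 3.2). Folding whitespace inside a
// value is insignificant for the tags read here, so it is stripped.
function parseTags(value) {
  const tags = {};
  for (const part of value.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) tags[part.slice(0, i).trim()] = part.slice(i + 1).replace(/\s+/g, '');
  }
  return tags;
}

// Domain of the address in a From header, lowercased.
function fromDomain(value) {
  const m = /<([^>]+)>/.exec(value);
  const addr = (m ? m[1] : value).trim();
  return addr.slice(addr.lastIndexOf('@') + 1).toLowerCase();
}

// Organizational domain approximated as the last two labels (assumption:
// real verifiers consult the Public Suffix List instead).
const orgDomain = d => d.split('.').slice(-2).join('.');

// Only the Authentication-Results header whose authserv-id is our own
// gateway counts; any other copy may have been inserted by the sender.
function trustedDkimResult(headers, authservId) {
  for (const h of headers) {
    if (h.name !== 'authentication-results') continue;
    const [id, ...rest] = h.value.split(';');
    if (id.trim().toLowerCase() !== authservId.toLowerCase()) continue;
    const m = /\bdkim=(\w+)(?:[^;]*\bheader\.d=([^\s;]+))?/i.exec(rest.join(';'));
    if (m) return { result: m[1].toLowerCase(), d: m[2] ? m[2].toLowerCase() : null };
  }
  return { result: 'none', d: null };
}

// Verdicts: unsigned, suspicious (no trusted dkim=pass), pass-aligned,
// pass-unaligned (valid signature, but not from the From domain).
function triage(raw, authservId) {
  const headers = parseHeaders(raw);
  const from = headers.find(h => h.name === 'from');
  const sig = headers.find(h => h.name === 'dkim-signature');
  const tags = sig ? parseTags(sig.value) : {};
  const fromDom = from ? fromDomain(from.value) : null;
  const ar = trustedDkimResult(headers, authservId);
  // Alignment is judged against the domain the trusted verifier says passed,
  // falling back to the signature's own d= tag when it reports none.
  const signer = ar.d || (tags.d ? tags.d.toLowerCase() : null);
  const aligned = Boolean(fromDom && signer) && orgDomain(signer) === orgDomain(fromDom);
  let verdict;
  if (!sig) verdict = 'unsigned';
  else if (ar.result !== 'pass') verdict = 'suspicious';
  else verdict = aligned ? 'pass-aligned' : 'pass-unaligned';
  return { hasSignature: Boolean(sig), hasBodyHash: Boolean(tags.bh), sigDomain: tags.d || null,
           fromDomain: fromDom, dkimResult: ar.result, signer, aligned, verdict };
}

console.log(triage(SAMPLE_HEADERS, 'mx.victim.example'));
```

The sample message gets pass-unaligned: the signature is genuine, but for payro11.example, not for the payroll.example shown to the user. Running the same triage with the attacker's server name as the trusted authserv-id would report pass-aligned, which is exactly why the checklist tells you to read only the Authentication-Results header your own provider added.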
What Steps Should Organizations Take to Implement DKIM Correctly?
1. Generate a 2048-bit RSA key pair. Use your email platform's admin console (Google Workspace, Microsoft 365, or your mail server's configuration) to generate the pair. RFC 8301 sets 1024 bits as the floor and recommends 2048; NIST SP 800-177 likewise recommends 2048-bit keys. The private key stays on the signing host and should never be pasted into DNS, a ticket, or a chat.
2. Publish your public key in DNS. Add a TXT record at selector._domainkey.yourdomain.com containing v=DKIM1; k=rsa; p=<base64 public key>, where "selector" is a label of your choosing that identifies this key so that several keys can coexist during rotation. A 2048-bit key is longer than the 255-byte limit of a single TXT string, so the value has to be split into several quoted strings (most DNS consoles do this for you).
3. Enable DKIM signing on all outbound mail streams. Configure your mail server or email delivery platform to automatically sign every outgoing message using the private key. Verify signing is active across all sending sources, including marketing platforms and CRM tools.
4. Pair DKIM with SPF and a DMARC enforcement policy. DKIM alone does not stop spoofing: any domain can sign a message, so a valid signature only proves who signed it, and an attacker can sign with a key for a domain they control. DMARC adds the missing rule that the d= domain (or the SPF domain) must align with the "From" domain, and tells receivers what to do with mail that fails. Start at p=none to collect reports, then move to p=quarantine and finally p=reject. CISA's Binding Operational Directive 18-01 requires p=reject for federal agencies, and the same end state is the right target for any organization.
5. Rotate DKIM keys at least annually. NIST SP 800-177 recommends regular key rotation to limit exposure if a private key is compromised. Rotation does not interrupt delivery when done in order: publish the new public key under a new selector, wait for the record to propagate (at least one DNS TTL), switch the signer to the new selector, keep the old record published until mail signed with the old key has stopped circulating, then revoke the old selector by publishing its record with an empty p= value.
6. Monitor DMARC aggregate reports. Activate DMARC aggregate reporting using the rua= tag. These reports give continuous visibility into which sending sources are signing correctly, which are failing, and whether any unauthorized sources are attempting to send mail on behalf of your domain.
The Bottom Line on DKIM
DKIM is not an advanced configuration. It is a foundational email security control. Every domain that sends email, regardless of size or sector, should have DKIM configured, enforced through a DMARC policy, and monitored through aggregate reporting.
A forged email with no DKIM signature is indistinguishable from a legitimate one to the untrained eye. DKIM makes the difference technically verifiable. Combined with SPF, DMARC, and AI-powered real-time analysis, it is the starting point for an email environment where trust is earned cryptographically, not assumed by appearance.
AI-powered protection, zero data collection. That's the Ṣọ promise.
Sources
- FBI Internet Crime Complaint Center (IC3): 2023 Internet Crime Report
- NIST Special Publication 800-177 Rev. 1: Trustworthy Email (2019)
- CISA: Email Authentication Best Practices
- IRS News Release IR-2022-183: W-2 Phishing Warnings for Tax Professionals
- RFC 6376: DomainKeys Identified Mail (DKIM) Signatures — IETF (2011)
- Valimail Email Fraud Landscape Report, 2023