What is DomainKeys Identified Mail (DKIM)?

DomainKeys Identified Mail (DKIM) is a method of email authentication that enables a sending domain to cryptographically sign outgoing messages, allowing the sending domain to assert responsibility for a message.

DKIM has the primary purpose: to guarantee the integrity of the email content. Integrity means that the recipient can detect if the email has been modified or tampered with along the path. This is done through an electronic signature: if the signature is valid, you know that you can rely on the content of the email. If the signature is invalid, then the message has probably been tampered with.

This signature is automatically added and checked by mail servers, and the user doesn’t need to do anything.

Setting up DKIM requires a little more effort than SPF but it is safe: if you misconfigure it, an email will not get lost.

Why is DKIM Important

The primary advantage of this system for e-mail recipients is in allowing the signing domain to reliably identify a stream of legitimate emails, thereby allowing domain-based blacklists and whitelists to be more effective. This is also likely to make certain kinds of phishing attacks easier to detect.

There are some incentives for mail senders to sign outgoing e-mails:

  • It allows a great reduction in abuse desk work for DKIM-enabled domains if e-mail receivers use the DKIM system to identify forged e-mail messages claiming to be from that domain.
  • The domain owner can then focus its abuse team energies on its users who are making inappropriate use of that domain.

Use with spam filtering

DKIM is a method of labeling a message, and it does not itself filter or identify spam. However, widespread use of DKIM can prevent spammers from forging the source address of their messages, a technique they commonly employ today. If spammers are forced to show a correct source domain, other filtering techniques can work more effectively. In particular, the source domain can feed into a reputation system to better identify spam. Conversely, DKIM can make it easier to identify mail that is known not to be spam and need not be filtered. If a receiving system has a whitelist of known good sending domains, either locally maintained or from third-party certifiers, it can skip the filtering on signed mail from those domains, and perhaps filter the remaining mail more aggressively.


DKIM can be useful as an anti-phishing technology. Mailers in heavily phished domains can sign their mail to show that it is genuine. Recipients can take the absence of a valid signature on mail from those domains to be an indication that the mail is probably forged. The best way to determine the set of domains that merit this degree of scrutiny remains an open question. DKIM used to have an optional feature called ADSP that lets authors that sign all their mail self-identify, but it was demoted to historic status in November 2013. Instead, DMARC can be used for the same purpose and allows domains to self-publish which techniques (including SPF and DKIM) they employ, which makes it easier for the receiver to make an informed decision whether a certain mail is a spam or not. 


Because it is implemented using DNS records and an added RFC 5322 header field, DKIM is compatible with the existing e-mail infrastructure. In particular, it is transparent to existing e-mail systems that lack DKIM support.

This design approach also is compatible with other, related services, such as the S/MIME and OpenPGP content-protection standards. DKIM is compatible with the DNSSEC standard and with SPF.

Computation overhead

DKIM requires cryptographic checksums to be generated for each message sent through a mail server, which results in computational overhead not otherwise required for e-mail delivery. This additional computational overhead is a hallmark of digital postmarks, making sending bulk spam more (computationally) expensive. 

How Libraesva can help

DKIM is a standard used to digitally sign every outgoing email. If you use Libraesva ESG for the outgoing email traffic, libraesva ESG can sign outgoing traffic at the gateway by enabling DKIM.

Once enabled, just configure the DNS with the DNS record provided by ESG.