DomainKeys Identified Mail (DKIM) is an email authentication method that allows the receiver to verify that an email was sent by an authorized mail server for a domain and that its content has not been altered during transit. DKIM achieves this by using digital signatures.
Here's how DKIM works in the context of digitally signing an email:
- Signing the Email:
When an email is sent from a domain that uses DKIM, the sending mail server generates a unique cryptographic signature based on selected parts of the email (typically the header and parts of the body).
This signature is created using a private key. The signature is then added to the email's header as a DKIM-Signature field. - Public Key in DNS:
The domain owner publishes the corresponding public key in the Domain Name System (DNS) as a TXT record.
The public key is associated with a specific selector, which is included in the DKIM-Signature header to indicate which key to use. - Verifying the Signature:
When the receiving mail server gets the email, it uses the selector in the DKIM-Signature to look up the public key in the DNS.
The public key is then used to verify the cryptographic signature.
If the signature matches the email content, it confirms that the email has not been altered since it was signed by the sending server.