DKIM (DomainKeys Identified Mail)

Complete Guide to Email Authentication - Cryptographically Signing Emails to Verify Authenticity

Why DKIM Matters: Proving Email Authenticity

DKIM cryptographically signs outgoing emails to prove they actually came from your domain and haven't been modified in transit. Without DKIM, recipients cannot verify email authenticity, emails may be marked as spam, and you cannot prove emails came from your domain in legal disputes.

For government agencies, DKIM is critical because it works with SPF and DMARC to provide complete email authentication. DKIM provides cryptographic proof that emails are authentic, protecting against phishing and email fraud.

What is DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication method that cryptographically signs outgoing emails using a private key. The public key is published in DNS, allowing recipients to verify the email's authenticity and integrity.

Think of DKIM as a "digital signature" for emails. Just as you might sign a document to prove you wrote it, DKIM cryptographically signs emails to prove they came from your domain and haven't been modified.

When you send an email, your mail server:

  1. Creates a cryptographic hash of the email content and headers
  2. Signs the hash using your private key
  3. Adds the signature to the email headers
  4. Publishes the public key in DNS for recipients to verify

When recipients receive the email, their mail server:

  1. Retrieves the public key from DNS
  2. Recalculates the hash of the email content and headers
  3. Verifies the signature using the public key
  4. Only accepts the email if the signature is valid

How DKIM Works

DKIM uses public-key cryptography to sign emails:

  • Private Key: Kept secret on your mail server, used to sign outgoing emails
  • Public Key: Published in DNS, used by recipients to verify signatures
  • Selector: An identifier that allows multiple DKIM keys for the same domain
  • Signature: Added to email headers, proves authenticity and integrity

The selector allows you to have multiple DKIM keys (e.g., "default", "google", "mail") for different purposes or services, making it easier to manage keys and rotate them.

DKIM Selectors and DNS Records

DKIM uses selectors combined with "_domainkey" subdomains to publish public keys in DNS. The DNS record format is:

selector._domainkey.yourdomain.gov

For example, if your selector is "default", the DKIM DNS record would be:

default._domainkey.example.gov

Common DKIM Selectors

Common DKIM selectors include:

  • default: Default selector used by many mail servers
  • google: Used by Google Workspace (Gmail)
  • mail: Used by some mail servers
  • selector1, selector2: Used by Microsoft 365 (Office 365)
  • Custom selectors: Your organization can use any selector name

Important: YesGov's domain checker scans 250+ common selectors to find DKIM records. If your mail server uses a non-standard selector, it may not be detected, so it's important to ensure DKIM is properly configured and testable.

DKIM DNS Record Format

DKIM DNS records are TXT records containing:

  • v=DKIM1: Version identifier (always starts with this)
  • k=: Key type (typically "rsa")
  • p=: Public key (the actual cryptographic key)
  • Optional tags: Such as "h=" (hash algorithms), "t=" (flags), "s=" (services)

Example DKIM record:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...
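The tag=value syntax above can be checked mechanically. The following Python is an added example, not part of this guide or of YesGov's checker: it joins the strings a long TXT record is split into, parses the tags, and reports the conditions that make a verifier reject or ignore the key (missing p=, misplaced v=, revoked key, testing flag). The sample record is constructed and contains no real key.

```python
"""Parse and sanity-check a DKIM public-key TXT record (RFC 6376 tag=value syntax).
Added example; the SAMPLE record below is constructed and holds no real key."""
import base64
import re


def dkim_dns_name(selector: str, domain: str) -> str:
    """DNS owner name a verifier queries for the public key."""
    return f"{selector}._domainkey.{domain}"


def check_dkim_record(strings) -> dict:
    """Parse one DKIM key record. `strings` are the character-strings the TXT
    record is split into (DNS limits each to 255 bytes); a verifier joins them
    before parsing. Returns {"error": reason} for records a verifier rejects."""
    tags = {}
    for item in "".join(strings).split(";"):
        if not item.strip():
            continue                      # a trailing ';' is legal
        if "=" not in item:
            return {"error": f"malformed tag {item.strip()!r}"}
        name, value = (part.strip() for part in item.split("=", 1))
        if name in tags:
            return {"error": f"duplicate tag {name}"}
        tags[name] = value
    # v= must be the first tag when present and must read DKIM1
    if "v" in tags and (next(iter(tags)) != "v" or tags["v"] != "DKIM1"):
        return {"error": "v= must be the first tag and equal DKIM1"}
    if "p" not in tags:
        return {"error": "p= (public key) is required"}
    key_b64 = re.sub(r"\s+", "", tags["p"])  # whitespace inside p= is ignored
    if key_b64:
        try:
            base64.b64decode(key_b64, validate=True)
        except ValueError:
            return {"error": "p= is not valid base64"}
    return {
        "key_type": tags.get("k", "rsa"),            # k= defaults to rsa
        "hash_algs": tags.get("h", "*").split(":"),  # h= defaults to any
        "revoked": key_b64 == "",                    # empty p= means the key is revoked
        "testing": "y" in tags.get("t", "").split(":"),
        "public_key_b64": key_b64,
    }


# Constructed sample: a long p= value comes back from DNS as several strings.
SAMPLE = ["v=DKIM1; k=rsa; h=sha256; p=" + "QUJD" * 60, "REVG" * 30 + "; t=y"]
```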

Why DKIM is Critical for Government Agencies

For government agencies, DKIM is not optional—it's critical for email security. Here's why:

1. Proves Email Authenticity

DKIM provides cryptographic proof that emails actually came from your domain and haven't been modified in transit. This protects against:

  • Email spoofing (emails claiming to be from your domain)
  • Email tampering (modifying email content in transit)
  • Phishing attacks (fraudulent emails appearing to come from your agency)
  • Reputation damage (spoofed emails damaging your agency's reputation)

2. Works with SPF and DMARC

DKIM works with SPF and DMARC to provide complete email authentication:

  • SPF: Authorizes sending servers
  • DKIM: Cryptographically signs emails
  • DMARC: Uses SPF and DKIM results to enforce policies

Without DKIM, you cannot achieve complete email authentication and protection. DKIM provides a layer of protection that SPF alone cannot provide (SPF checks the sending server, DKIM checks the email itself).

3. Improves Email Deliverability

Emails with valid DKIM signatures are more likely to:

  • Reach recipients' inboxes (instead of spam folders)
  • Be trusted by mail servers
  • Pass spam filters
  • Be accepted by strict mail servers

4. Required for CISA Compliance

The Cybersecurity and Infrastructure Security Agency (CISA) mandates SPF, DKIM, and DMARC for all government email domains. Failure to implement DKIM results in non-compliance, which can lead to:

  • Criminal charges for negligence
  • Civil liability from email attacks
  • Federal grant restrictions
  • Insurance claim denials

5. Legal Protection

DKIM signatures provide legal proof that emails came from your domain. This can be critical in:

  • Legal disputes (proving emails are authentic)
  • Insurance claims (proving security measures are in place)
  • Compliance audits (demonstrating email security)
  • Incident response (identifying spoofed vs. authentic emails)

What Can Go Wrong Without DKIM?

The consequences of operating without DKIM are severe:

Cannot Verify Email Authenticity

Without DKIM, recipients cannot verify that emails actually came from your domain. This means:

  • Emails may be marked as spam or rejected
  • Phishing emails can be mistaken for legitimate emails
  • Email authenticity cannot be proven in legal disputes
  • Reputation damage from spoofed emails

Email Delivery Failures

Without DKIM, emails are more likely to be:

  • Rejected by strict mail servers
  • Marked as spam
  • Filtered into spam folders
  • Blocked by security filters

Cannot Achieve Complete Email Security

Without DKIM, you cannot achieve complete email authentication. SPF alone provides some protection, but DKIM adds an essential layer that protects the email itself (not just the sending server).

Liability and Legal Consequences

Without DKIM, you cannot prove that emails are authentic. This exposes your agency to:

  • Civil lawsuits from affected citizens
  • Criminal charges for failure to implement required security measures
  • Insurance claim denials
  • Loss of federal funding

How to Implement DKIM

Implementing DKIM requires generating key pairs, publishing public keys in DNS, and configuring mail servers to sign emails:

Step 1: Generate Key Pair

Generate a public/private key pair for DKIM signing. Most mail servers can generate keys automatically, or you can use tools like OpenSSL to generate keys manually.

Key size: Use at least 1024-bit keys (2048-bit recommended for government agencies). Longer keys provide better security but require more computational resources.

Step 2: Choose Selector

Choose a selector name for your DKIM key. This can be "default", "mail", or any custom name. The selector allows you to have multiple DKIM keys for different purposes or services.

Step 3: Publish Public Key in DNS

Publish the public key as a TXT record at:

selector._domainkey.yourdomain.gov

The TXT record should contain "v=DKIM1", the key type, and the public key in the format described above.

Step 4: Configure Mail Server

Configure your mail server to:

  • Sign outgoing emails using the private key
  • Add DKIM signatures to email headers
  • Use the correct selector

Step 5: Test DKIM Configuration

Test your DKIM configuration by:

  • Sending a test email
  • Checking email headers for DKIM signatures
  • Verifying signatures using DKIM validation tools
  • Using your domain checker (YesGov's domain checker verifies DKIM status)

Step 6: Monitor and Maintain

DKIM requires ongoing management:

  • Key Rotation: Rotate keys periodically for security
  • Monitoring: Monitor DKIM signing and verification rates
  • Updates: Update configuration when mail servers change
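Putting Steps 1 and 3 together in code: an added Python example (not the guide's own tooling) that turns the PEM public key exported from the generated key pair into the TXT record to publish under selector._domainkey, split into the 255-character strings DNS requires. The PEM is constructed filler of the right length, not a real key.

```python
"""Build the DKIM TXT record to publish (Step 3) from the public key of Step 1.
Added example; SAMPLE_PEM below is constructed filler, not a real key."""
import re


def pem_to_dkim_txt(pem: str, selector: str, hash_algs=("sha256",)) -> tuple:
    """Return (owner name, list of TXT strings).
    p= is the PEM's base64 body (the DER SubjectPublicKeyInfo) with the armor
    and line breaks removed. The record is cut into strings of at most 255
    characters because one DNS character-string cannot be longer; providers
    reject or truncate longer ones, and verifiers join the strings back
    together before parsing (RFC 6376)."""
    body = re.sub(r"-----(BEGIN|END) PUBLIC KEY-----|\s+", "", pem)
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("PEM input has no base64 public-key body")
    record = f"v=DKIM1; k=rsa; h={':'.join(hash_algs)}; p={body}"
    chunks = [record[i:i + 255] for i in range(0, len(record), 255)]
    return f"{selector}._domainkey", chunks


def zone_file_line(owner: str, chunks: list) -> str:
    """Render the record as a BIND-style zone entry, one quoted string per chunk."""
    quoted = " ".join(f'"{c}"' for c in chunks)
    return f"{owner} IN TXT ( {quoted} )"


# Constructed placeholder with the length of a real 2048-bit RSA public key
# (392 base64 characters). A real one is what `openssl genrsa -out dkim.key 2048`
# followed by `openssl rsa -in dkim.key -pubout` prints.
FILLER = "MIIB" + "QUJD" * 97
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + "\n".join(FILLER[i:i + 64] for i in range(0, len(FILLER), 64))
              + "\n-----END PUBLIC KEY-----\n")
```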

DKIM Signing and Verification Process

Here's the complete DKIM signing and verification process:

Sending Email (Signing Process)

  1. Email Composed: An email is composed on your mail server
  2. Headers Selected: Your mail server selects which headers to sign (typically From, To, Subject, Date)
  3. Body Hashed: The email body is hashed using a cryptographic hash function
  4. Headers Hashed: Selected headers are hashed
  5. Combined Hash: Header and body hashes are combined
  6. Signed: The combined hash is signed using your private key
  7. Signature Added: The DKIM signature is added to email headers
  8. Email Sent: The signed email is sent to recipients

Receiving Email (Verification Process)

  1. Email Received: Recipient's mail server receives the email
  2. Signature Extracted: The DKIM signature is extracted from email headers
  3. Selector Retrieved: The selector is extracted from the signature
  4. Public Key Retrieved: The public key is retrieved from DNS at selector._domainkey.domain
  5. Hash Recalculated: The email body and headers are re-hashed
  6. Signature Verified: The signature is verified using the public key
  7. Result: Email is accepted if signature is valid, rejected or marked suspicious if invalid

Common DKIM Implementation Issues

Several common issues can cause DKIM problems:

1. Missing or Incorrect DNS Records

If DKIM DNS records are missing or incorrect, recipients cannot retrieve public keys to verify signatures.

Solution: Ensure DKIM DNS records are properly published and match the selector used by your mail server.

2. Key Mismatch

If the private key used to sign emails doesn't match the public key in DNS, signatures will fail verification.

Solution: Ensure the private key on your mail server matches the public key in DNS.

3. Wrong Selector

If your mail server uses a selector that doesn't match DNS records, signatures cannot be verified.

Solution: Ensure the selector configured on your mail server matches the DNS record location.

4. Email Modification

If emails are modified after signing (by mail servers, gateways, or filters), signatures will fail verification.

Solution: Ensure emails are not modified between signing and delivery. Some modifications are allowed (certain headers), but body modifications break signatures.
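The hashing steps of the signing and verification process above, and the reason the body modifications described under "Email Modification" break a signature, can be seen in this added Python example (not the guide's code). It implements the RFC 6376 body and header canonicalization with the standard library only; the RSA operation over the result is left out. The message body is constructed.

```python
"""Body and header canonicalization and hashing as a DKIM signer and verifier
compute them (RFC 6376). Added example; BODY is a constructed sample message."""
import base64
import hashlib
import re


def _drop_trailing_empty(lines: list) -> list:
    while lines and lines[-1] == b"":      # both modes ignore empty lines at the end
        lines.pop()
    return lines


def canon_body_simple(body: bytes) -> bytes:
    """'simple' mode: body kept as-is apart from trailing empty lines; CRLF endings."""
    lines = _drop_trailing_empty(body.replace(b"\r\n", b"\n").split(b"\n"))
    return b"".join(ln + b"\r\n" for ln in lines) or b"\r\n"


def canon_body_relaxed(body: bytes) -> bytes:
    """'relaxed' mode: also trims line-end whitespace and collapses runs of WSP."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.replace(b"\r\n", b"\n").split(b"\n")]
    return b"".join(ln + b"\r\n" for ln in _drop_trailing_empty(lines))


def canon_header_relaxed(name: str, value: str) -> str:
    """Lower-case the name, unfold, collapse WSP, trim: 'subject:Permit approved'."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def body_hash(body: bytes, canon: str = "simple") -> str:
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    data = canon_body_simple(body) if canon == "simple" else canon_body_relaxed(body)
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def signed_data(headers: dict, h_tags: list, dkim_sig: str) -> bytes:
    """Bytes the signer hashes and RSA-signs: the h= headers in listed order, then
    the DKIM-Signature header itself with an empty b= value and no trailing CRLF."""
    parts = [canon_header_relaxed(h, headers[h]) for h in h_tags]
    blank_b = re.sub(r"(^|;)([ \t]*)b=[^;]*", r"\1\2b=", dkim_sig)
    parts.append(canon_header_relaxed("DKIM-Signature", blank_b).rstrip("\r\n"))
    return "".join(parts).encode()


BODY = b"Dear resident,\r\nYour permit is approved.\r\n"  # constructed sample body
```

A gateway that appends a footer changes bh=, while extra blank lines at the end or (in relaxed mode) whitespace changes do not.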

5. Key Expiration or Rotation Issues

During key rotation, if old keys are removed before new keys are fully propagated, signatures may fail.

Solution: Use proper key rotation procedures: publish new keys before removing old keys, and allow time for DNS propagation.

DKIM and DMARC Integration

DKIM works with DMARC to provide complete email authentication. DMARC uses DKIM (and SPF) results to:

  • Determine email handling policy (what to do with emails that fail authentication)
  • Provide reporting on authentication failures
  • Enforce strict policies (reject emails that fail authentication)

Important: DKIM alone is not enough. You need both SPF and DKIM, plus DMARC to enforce policies and provide reporting. DKIM without DMARC provides some protection but doesn't allow you to control what happens to spoofed emails or provide visibility into authentication failures.

How YesGov Ensures DKIM is Properly Configured

YesGov handles all aspects of DKIM implementation and management for government agencies:

  • Complete Setup: We generate key pairs, choose appropriate selectors, and configure mail servers
  • DNS Configuration: We publish DKIM public keys in DNS with proper formatting
  • Server Configuration: We configure mail servers to sign all outgoing emails
  • Testing and Validation: We test DKIM configuration to ensure signatures work correctly
  • Key Management: We handle secure key storage and rotation
  • Ongoing Monitoring: We monitor DKIM signing and verification rates
  • Documentation: All DKIM configuration and status is documented for compliance and insurance purposes
  • Integration: We ensure DKIM works with SPF and DMARC for complete email security

How YesGov Ensures Complete DKIM Protection

At YesGov, we don't just check if DKIM is configured—we perform comprehensive validation of your entire DKIM setup:

  • Key Generation: We generate secure cryptographic keys for email signing
  • DNS Record Configuration: We publish DKIM public keys in DNS with proper formatting
  • Email Signing: We ensure all outgoing emails are properly signed with DKIM
  • Key Rotation: We handle secure key rotation to maintain security
  • Verification Testing: We test DKIM signatures from multiple mail servers
  • Ongoing Monitoring: We continuously monitor DKIM signing and verification status
  • Integration: We ensure DKIM works with SPF and DMARC for complete email security

When you host with YesGov, DKIM is properly configured, continuously monitored, and automatically maintained. We handle key management, email signing, and verification testing so you don't have to worry about email authenticity. This is one of our comprehensive security checks that ensures your agency meets and exceeds federal, state, and industry standards.
