What is DKIM Authentication?

To understand how DKIM authentication for DMARC affects overall compliance, let’s look closer at its unique characteristics.

DKIM can be evaluated in two ways: authentication and alignment. An email passes DKIM authentication when correctly signed by the d= domain in the DKIM header. Essentially, a DKIM-Signature is added to the header of outbound messages by the sender, and the recipient then compares the included signature to a publicly available DKIM key for decoding. If decoded, the message is authenticated as being from the shown sender.

In the below example, DKIM passes authentication:

Why? The message is signed by the outbound email server for example.com with a DKIM domain (d=) of example.com (highlighted above) and a DKIM selector (s=) of “brisbane” (highlighted above). Once successfully decoded, this email will pass DKIM authentication.

To pass DKIM authentication, the inbound server will take the DKIM domain (d=example.com) and the DKIM selector (s=brisbane), then check for a DKIM DNS record of brisbane._domainkey.example.com to verify if the DKIM signature matches.

To ensure your company’s sent emails are delivered as intended, correctly implementing DKIM authentication is vital. Being an important component of DMARC compliancy, this feature provides customer confidence in your brand and helps avoid malicious attacks aimed to scam the public. With DKIM authentication in place, your business is on the right path to being DMARC compliant.

For more DKIM authentication examples, please see RFC6376 Page 64.