DKIM: DomainKeys Identified Mail
DomainKeys Identified Mail (DKIM) is a method for E-mail authentication, allowing a person who receives email to verify that the message actually comes from the domain that it claims to have come from. The need for this type of authentication arises because spam often has forged headers. For example, a spam message may claim in its “From:” header to be from email@example.com, when in fact it is not from that address, and the spammer’s goal is to convince the recipient to accept and to read the email. Because the email is not actually from the example.com domain, the recipient cannot have any effect by complaining to the system administrator for example.com. It also becomes difficult for recipients to establish whether to give good or bad reputations to various domains, and system administrators may have to deal with complaints about spam that appears to have originated from their systems, but didn’t.
DKIM uses public-key cryptography to allow the sender to electronically sign legitimate emails in a way that can be verified by recipients. Prominent email service providers implementing DKIM (or its slightly different predecessor, DomainKeys) include Yahoo and Gmail. Any mail from these domains should carry a DKIM signature, and if the recipient knows this, they can discard mail that hasn’t been signed, or that has an invalid signature.
DKIM also guards against tampering with mail, offering almost end-to-end integrity from a signing to a verifying Mail transfer agent (MTA). In most cases the signing MTA acts on behalf of the sender by inserting a DKIM-Signature header, and the verifying MTA on behalf of the receiver, validating the signature by retrieving a sender’s public key through the DNS.
The DomainKeys specification has adopted aspects of Identified Internet Mail to create an enhanced protocol called DomainKeys Identified Mail (DKIM). This merged specification is the basis for an IETF Working Group which has guided the specification towards becoming an IETF Proposed Standard.