Mail servers try to block messages with a forged sender. Scammers imitate the addresses of senders the recipient trusts in order to sneak in malware such as a Trojan, or to persuade the recipient to hand over sensitive information (phishing).
One method for checking that the sender is genuine is DKIM, a concept in which emails carry a digital signature that the receiving server verifies. DKIM stands for DomainKeys Identified Mail.
The DKIM used today was created in 2004 as a joint project of a consortium of companies. It merges two older concepts, Yahoo's DomainKeys and Cisco's Identified Internet Mail, and the acronym comes from exactly there: DK = DomainKeys, IM = Identified Internet Mail. The current specification is RFC 6376.
DKIM works between the sending and receiving mail servers; the end user notices nothing of it.
In very general terms, the sending mail server adds a digital signature to the message and the receiving server verifies it. To do so, the receiver fetches the public key belonging to the signature from the DNS zone of the domain named in the signature (its d= tag), not from the server that delivered the message.
If the signature cannot be verified with that public key, the message was either altered after it was signed, or it was not signed with the private key that belongs to the published public key. The check by itself does not say which of the two happened.
To understand DKIM, it is worth taking a look at the different components that make up the concept.
A hash algorithm (SHA-256 in current DKIM) transforms the content of the message into a fixed-length sequence of characters, the hash value. This value is added to the email header; in DKIM the hash of the message body is carried in the bh= tag of the DKIM-Signature field.
Hashing follows the same principle as the check digit on a payment slip, where a value is calculated from the reference number and appended to it as the last digit.
If the receiver hashes the received message with the same algorithm, it must obtain the same sequence of characters as the one in the header. If the hash value does not match, the recipient knows that the message was modified in transit.
For the receiver to be sure that the hash value really comes from the claimed sender, one more measure is needed: the digital signature.
The signature method used to verify the sender relies on asymmetric cryptography, which is based on a key pair: what is signed with key A can only be verified with key B. One of the keys is kept secret (the private key) and the other is published (the public key). The sender signs with its private key; anyone holding the public key can verify the signature, but cannot produce a valid one.
You can find detailed information in our general article on encryption methods.
The sequence is as follows: the sending server hashes the message body and the selected header fields, signs that hash with its private key, and places the signature together with the body hash, the signing domain and the selector in a DKIM-Signature header. The receiving server reads domain and selector from that header, fetches the public key from DNS, recomputes the hashes and checks that the signature matches them.
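The following script is an added example, not code from the original article or from any mail software: it plays both sides of the sequence just described. The sending side canonicalizes the body, computes the bh= body hash, hashes the signed header fields plus the DKIM-Signature field with an empty b=, and signs that hash; the receiving side redoes every step and reports which check failed. The message, headers and key pair are constructed here. Real DKIM uses 1024- or 2048-bit RSA with PKCS#1 v1.5 padding; so that the example runs on the Python standard library alone, textbook RSA over two fixed Mersenne primes stands in for it, which is trivially breakable and must never be used for real keys.

```python
import base64
import hashlib
import re

# Toy key pair, constructed for this example only (NOT a real DKIM key).
# Textbook RSA over two Mersenne primes; a real key would be 1024/2048-bit
# RSA generated with a proper tool and used with PKCS#1 v1.5 padding.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_KEY = (N, E)          # what the signing domain publishes in DNS (p= tag)
PRIVATE_KEY = (N, D)         # stays on the sending mail server
KEY_BYTES = (N.bit_length() + 7) // 8


def canonicalize_body(body: str) -> bytes:
    """'simple' body canonicalization (RFC 6376, 3.4.3): CRLF line endings,
    trailing empty lines removed, exactly one CRLF at the end."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body: str) -> str:
    """The bh= tag: Base64 of SHA-256 over the canonicalized body."""
    digest = hashlib.sha256(canonicalize_body(body)).digest()
    return base64.b64encode(digest).decode()


def header_hash(headers: dict, signed: list, sig_without_b: str) -> int:
    """Hash over the h= header fields in order, then the DKIM-Signature field
    itself with an empty b= value ('relaxed': lower-case names, whitespace
    collapsed). Header fields listed in h= but absent contribute nothing.
    Simplification: header names are matched case-sensitively here."""
    data = b""
    for name in signed:
        if name not in headers:
            continue
        value = re.sub(r"\s+", " ", headers[name]).strip()
        data += f"{name.lower()}:{value}\r\n".encode()
    data += ("dkim-signature:" + re.sub(r"\s+", " ", sig_without_b).strip()).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(headers: dict, body: str, domain: str, selector: str,
         signed=("From", "To", "Subject"), key=PRIVATE_KEY) -> str:
    """Sending server: build the DKIM-Signature header value."""
    n, d = key
    fields = (f"v=1; a=rsa-sha256; c=relaxed/simple; d={domain}; s={selector}; "
              f"h={':'.join(signed)}; bh={body_hash(body)}; b=")
    signature = pow(header_hash(headers, list(signed), fields), d, n)   # H^d mod n
    return fields + base64.b64encode(signature.to_bytes(KEY_BYTES, "big")).decode()


def verify(headers: dict, body: str, key=PUBLIC_KEY) -> str:
    """Receiving server: check bh= first, then the signature b= with the public key."""
    n, e = key
    sig = headers["DKIM-Signature"]
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if t.strip())
    if body_hash(body) != tags["bh"]:
        return "fail: body modified"
    # Blank the b= value (but not bh=) before recomputing the header hash.
    sig_without_b = re.sub(r"(;\s*)b=[^;]*", r"\g<1>b=", sig)
    expected = header_hash(headers, tags["h"].split(":"), sig_without_b)
    signature = int.from_bytes(base64.b64decode(tags["b"]), "big")
    if pow(signature, e, n) != expected:                                # sig^e mod n
        return "fail: signature does not verify"
    return "pass"


def demo() -> dict:
    """Sign a constructed message, then verify it intact and after tampering."""
    body = "Hello,\n\nplease find the invoice attached.\n\n\n"
    headers = {"From": "billing@example.com", "To": "alice@example.net",
               "Subject": "Invoice 2024-17"}
    headers["DKIM-Signature"] = sign(headers, body, "example.com", "k1")
    results = {"intact": verify(headers, body)}
    results["body_tampered"] = verify(headers, body.replace("invoice", "malware"))
    results["from_tampered"] = verify(dict(headers, From="ceo@example.com"), body)
    results["wrong_key"] = verify(headers, body, key=(N, 3))
    return results


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15} {result}")
```

Note the order of checks in verify(): the body hash is compared before the signature, so a receiver can distinguish "content changed in transit" from "signed with a different key", which is exactly the ambiguity a bare verification failure leaves open.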
So that receiving mail servers can look up the sender's public key, it must be published as a TXT resource record in the domain's DNS zone, under the name <selector>._domainkey.<domain>.
The DKIM record is a list of tag=value pairs separated by semicolons. The important ones are v=DKIM1 (the record version), k=rsa (the key type) and p= (the Base64-encoded public key); an empty p= means the key has been revoked.
As a rule, the DKIM record can only be found starting from the email header, because the lookup requires not just the domain name but also the selector (the s= tag of the signature), which an outsider does not know and would have to guess.
To create a DKIM record you have to generate an RSA key pair, store the private key on the signing mail server and publish the public key in DNS. Most email providers take care of this for you.
In our Help Center we explain how to set up a DKIM record for your IONOS email account.
To understand better how DKIM works, you can generate a record by hand. There are various free tools on the internet, for example EasyDMARC's DKIM Record Generator. Enter any selector at the top (for example k1) and any domain on the right. The generator produces a private key and a public key. The private key has to be stored on the mail server (only your email provider can do this); the public key goes into the DKIM record.
You can check whether the DKIM record is actually publicly reachable with a DKIM checker, for example EasyDMARC's DKIM Record Lookup.
The simplest way is to send an email to your own address and look at the header. There you will find a field named DKIM-Signature.
By pasting the header into a header analysis tool you can see detailed information about it, including the d=, s=, bh= and b= tags of the signature.
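The following script is an added example, not code from the original article or from any header analysis tool, and it serves both the record lookup described earlier (selector plus domain give the TXT name) and the self-test of reading the DKIM-Signature field from your own message. It unfolds a constructed header block, extracts s= and d=, builds the DNS name, and checks the record the way a verifier would before trusting the key. DNS is stood in for by a constructed dictionary; with a real domain you would run dig TXT k1._domainkey.example.com instead. The p= value is placeholder bytes, not a real key.

```python
import base64
import re

# Constructed message headers (not from a real message). The DKIM-Signature
# field is folded over several lines, as it usually is in real mail.
RAW_HEADERS = (
    "From: billing@example.com\r\n"
    "To: alice@example.net\r\n"
    "Subject: Invoice 2024-17\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;\r\n"
    "\ts=k1; h=From:To:Subject;\r\n"
    "\tbh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;\r\n"
    "\tb=Y29uc3RydWN0ZWQtc2lnbmF0dXJlLWJ5dGVz\r\n"
)

# Stand-in for DNS, constructed for the example. A real verifier queries TXT
# for the name; by hand: dig TXT k1._domainkey.example.com
FAKE_DNS = {
    "k1._domainkey.example.com":
        "v=DKIM1; k=rsa; p=" + base64.b64encode(b"placeholder-public-key-bytes").decode(),
    "old._domainkey.example.com": "v=DKIM1; k=rsa; p=",      # empty p=: key revoked
    "odd._domainkey.example.com": "v=DKIM1; k=rsa; p=not*base64",
}


def unfold_headers(raw: str) -> dict:
    """Join folded continuation lines (leading whitespace) into {name: value}."""
    headers, last = {}, None
    for line in re.split(r"\r?\n", raw.rstrip("\r\n")):
        if not line:
            continue
        if line[0] in " \t" and last is not None:
            headers[last] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            last = name.strip()
            headers[last] = value.strip()
    return headers


def parse_tags(value: str) -> dict:
    """Parse a tag=value list; used for both the header and the DNS record.
    Whitespace inside values (from folding) is removed."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def dkim_record_name(sig_tags: dict) -> str:
    """Where the verifier looks for the public key: <selector>._domainkey.<domain>."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"


def check_record(name: str, dns=FAKE_DNS) -> str:
    """Validate the published record before any signature check is attempted."""
    txt = dns.get(name)
    if txt is None:
        return "no record"
    rec = parse_tags(txt)
    if rec.get("v", "DKIM1") != "DKIM1":      # v= is optional but must be DKIM1 if present
        return "bad version"
    if rec.get("k", "rsa") != "rsa":          # k= defaults to rsa
        return "unsupported key type"
    if not rec.get("p"):                      # empty p= means revoked
        return "revoked"
    try:
        base64.b64decode(rec["p"], validate=True)
    except ValueError:
        return "malformed key"
    return "ok"


def lookup_from_headers(raw: str, dns=FAKE_DNS) -> tuple:
    """From raw headers to (DNS name, record status), as a verifier would do."""
    tags = parse_tags(unfold_headers(raw)["DKIM-Signature"])
    name = dkim_record_name(tags)
    return name, check_record(name, dns)


if __name__ == "__main__":
    print(lookup_from_headers(RAW_HEADERS))
```

The three stand-in records show the states a practitioner meets most often: a usable key, a revoked key (empty p=, kept in DNS so that old signatures fail cleanly rather than with "no record"), and a record whose p= is not valid Base64, which is the typical result of a copy-and-paste error when creating the record by hand.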