What is a DKIM Signature?

A DKIM signature is an encrypted header that is added to emails. This header provides details that enable a recipient mail server to validate an email by looking up the sender's public DKIM key and verifying the encrypted signature with it. Here is an example of a DKIM signature:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sparkpost.com; s=google; h=from:content-transfer-encoding:subject:message-id:date:to:mime-version; bh=ZkwViLQ8B7I9vFIen3+/FXErUlKv33PmCuZAwpemGco=; b=kF31DkXsbP5bMGzOwivNE4fmMKX5W2/Yq0YqXD4Og1fPT6ViqB35uLxL GGhHv2lqXBWwFhODPVPauUXaRYEpMsuisdU5TgYmbwSJYYrFLFj5ZWqZ7 VGgw6/nI1hoPWbzDaL9qh
The tags used are:
- v, version
- a, signing algorithm
- d, domain
- s, selector
- c, canonicalization algorithm(s) for header and body
- q, default query method
- t, signature timestamp
- x, expire time
- h, header fields (the list of header fields that were signed)
- bh, body hash
- b, the signature of headers and body
Signatures are by definition unique from message to message. However, ‘d=’ for the signing domain, ‘b=’ for the actual digital signature, and ‘bh=’ for the hash that can be verified by recalculating using the sender’s public key, are basic elements that will be present in every DKIM signature header.
A sender must decide which components of the email will be included in the DKIM signature before creating one. This usually consists of the message body plus a set of default headers. If any of the signed elements is modified after signing, DKIM validation will fail. The signature also records, in its 'd=' tag, which domain was used to sign the email.
Email receivers such as Gmail and Microsoft detect the DKIM signature. To validate it, the receiver performs a DNS query for the signing domain's public key; the domain ('d=') and selector ('s=') tags in the signature tell the receiver where to look for that key. If the key is found, it is used to decrypt the DKIM signature and restore the hash values to their original state. These values are then compared with the values recalculated from the received email, and the DKIM signature is considered valid if they match. DKIM signatures are usually not visible to end users; they are added and verified by mail infrastructure rather than by the message's authors and recipients.
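As an added illustration of the header format and of the body-hash part of the check described above (this is example code written for this page, not any mail provider's implementation), the following parses a DKIM-Signature tag list, reports missing required tags, and recomputes 'bh=' with relaxed body canonicalization. The domain, selector and body are constructed sample values, and the 'b=' signature is a placeholder because checking it needs the public key from DNS.

```python
import base64
import hashlib
import re
REQUIRED_TAGS = ("v", "a", "d", "s", "h", "bh", "b")  # tags every signature must carry

def parse_dkim_signature(value):
    """Split a DKIM-Signature tag=value list into a dict, ignoring folding
    whitespace; b=, bh= and h= values may be folded freely, so strip it all."""
    tags = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # trailing ';' or empty segment
        name, _, val = part.partition("=")
        name = name.strip()
        if not name or name in tags:
            raise ValueError(f"malformed or duplicate tag: {part!r}")
        tags[name] = re.sub(r"\s+", "", val) if name in ("b", "bh", "h") else val.strip()
    return tags

def missing_tags(tags):
    """Required tags that a parsed signature lacks (empty list means complete)."""
    return [t for t in REQUIRED_TAGS if t not in tags]

def relaxed_body(body):
    """Relaxed body canonicalization: trim trailing whitespace per line, collapse
    runs of spaces/tabs, drop trailing empty lines, terminate lines with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t"))
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)

def body_hash(body, algorithm="rsa-sha256"):
    """bh= value: base64 of the hash named in a= over the canonicalized body."""
    digest = hashlib.sha1 if algorithm.endswith("sha1") else hashlib.sha256
    return base64.b64encode(digest(relaxed_body(body).encode()).digest()).decode()

def body_hash_matches(header_value, body):
    """False means the body was altered after signing (or required tags are missing)."""
    tags = parse_dkim_signature(header_value)
    return not missing_tags(tags) and tags["bh"] == body_hash(body, tags["a"])

# Constructed sample (hypothetical domain): relaxed/relaxed header over a short
# body. b= is a placeholder, since checking it needs the public key from DNS.
SAMPLE_BODY = "Hello from the   example domain.  \r\n\r\n\r\n"
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=google;\r\n"
    "\th=from:subject:date:to; bh=" + body_hash(SAMPLE_BODY) + "; b=PLACEHOLDER"
)
```

Because of relaxed canonicalization, a copy of the body that differs only in trailing whitespace or line endings still matches 'bh=', while any change to the visible text does not.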