Definition
DomainKeys Identified Mail (DKIM) authenticates email by signing selected message headers and the body with a private key held at the sending mail server; the corresponding public key is published as a DNS record under the sender's domain. Receivers retrieve that public key and check the signature; a valid signature means the message passes DKIM. Unlike SPF (which checks the sending IP address), DKIM survives forwarding because the signature travels with the message rather than depending on the path it took. DKIM is one of the three legs of email authentication (SPF, DKIM, DMARC). Configuring DKIM for every legitimate sender service is the most time-consuming part of DMARC hardening - each SaaS platform (Mailchimp, Marketo, etc.) has its own configuration process.
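The sign-and-verify round trip described above, as an added Go example that is not code from the original page; it assumes simple/simple canonicalization, a fixed signed header list (From, To, Subject), the placeholder domain example.com with selector sel1, and takes the public key as a parameter instead of querying DNS:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"strings"
)

// bodyHash is the bh= tag: base64(SHA-256(body)) under "simple" canonicalization (CRLF line endings, one final CRLF).
func bodyHash(body string) string {
	b := strings.TrimRight(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	sum := sha256.Sum256([]byte(strings.ReplaceAll(b, "\n", "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}
// signedInput is what the RSA signature covers: the headers named in h=, then
// the DKIM-Signature header itself with its b= value left empty.
func signedInput(headers map[string]string, dkimHdr string) []byte {
	var sb strings.Builder
	for _, h := range []string{"From", "To", "Subject"} {
		sb.WriteString(h + ": " + headers[h] + "\r\n")
	}
	sb.WriteString("DKIM-Signature: " + strings.SplitN(dkimHdr, "; b=", 2)[0] + "; b=")
	return []byte(sb.String())
}
// Sign runs at the sending mail server, which holds the private key (domain/selector are placeholders).
func Sign(key *rsa.PrivateKey, headers map[string]string, body string) (string, error) {
	hdr := "v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel1; h=From:To:Subject; bh=" + bodyHash(body) + "; b="
	digest := sha256.Sum256(signedInput(headers, hdr))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return hdr + base64.StdEncoding.EncodeToString(sig), nil
}
// Verify runs at the receiver: recompute bh= over the body as received, then check b= with the public key (real DKIM fetches it from sel1._domainkey.example.com).
func Verify(pub *rsa.PublicKey, headers map[string]string, body, dkimHdr string) bool {
	_, sigB64, ok := strings.Cut(dkimHdr, "; b=")
	if !ok || !strings.Contains(dkimHdr, "; bh="+bodyHash(body)+";") {
		return false // malformed header, or body altered after signing
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(signedInput(headers, dkimHdr))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}
```

Verify still passes when a forwarder changes line endings or appends blank lines (canonicalization absorbs that), but fails as soon as the body, a signed header such as From, or the key behind the selector differs.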
Related terms
- SPF (Sender Policy Framework) - Email authentication standard that lists authorized sending IPs / domains for a given sender domain via DNS TXT records.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) - Email authentication standard that lets domain owners specify how receivers should treat mail that fails SPF or DKIM.
- BEC (Business Email Compromise) - Email fraud where attackers impersonate executives or trusted partners to authorize fraudulent wire transfers or data disclosure.