DomainKeys Identified Mail (DKIM) is, in short, a way of attaching a digital signature to an email. Spoofing the origin of a message is a common technique in phishing and spam campaigns, used to make the email look trustworthy to the recipient. The public key for the DKIM signature is published in a DNS record of the signing domain, so the recipient can verify that the email was signed by the owner of the sending domain.
End-users will normally not see whether an email carries a DKIM signature; the check is performed in the background by the email service. If the signature is missing or invalid, the email may be rejected, placed in a spam folder or marked as potential fraud.
Use in the Curity Identity Server
The Curity Identity Server supports the use of DKIM and can sign outgoing emails.
Enabling DKIM is done per Email Provider and can only be configured when the type is
After enablement, DKIM is configured by setting which signing key should be used. The selector is the identifier of the public key for that domain. DKIM allows multiple signing keys for the same domain.
Setting up the DNS record
The public key and metadata are stored in a TXT DNS record. These records allow free text, which makes them suitable for DKIM as well as for other standards that prove domain ownership or simply attach additional data to the domain.
The name of the record is built from the selector, the fixed label _domainkey and the domain, i.e. [selector]._domainkey.[domain], as defined by the DKIM specification (RFC 6376).
The content of the record must contain at least the public key, but other options exist as well. The result would be something like:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhk...AB
Here the version (v) is DKIM1, the key type (k) is rsa and the public key (p) is the base64-encoded key, which for an RSA key starts with MIIBIjANBgkqhk.
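To show what a verifier actually checks in such a record, here is an added example (not code from Curity or its product) that builds the DNS name from a selector and domain, parses the tag=value list of a DKIM TXT record and reports the findings a receiver would act on, including the edge case where p is present but empty, which RFC 6376 defines as a revoked key. The selector name and the truncated key bytes are constructed sample values.

```python
import base64
from dataclasses import dataclass, field


@dataclass
class DkimRecord:
    tags: dict = field(default_factory=dict)
    problems: list = field(default_factory=list)


def dkim_record_name(selector: str, domain: str) -> str:
    """DNS name of a DKIM key record: <selector>._domainkey.<domain> (RFC 6376)."""
    return f"{selector}._domainkey.{domain}"


def parse_dkim_record(txt: str) -> DkimRecord:
    """Parse a DKIM TXT record into tags and collect the problems a verifier would flag."""
    rec = DkimRecord()
    # Tag list: "tag=value" pairs separated by ';'. Whitespace around either side
    # and a trailing ';' are permitted; the base64 key may be folded with whitespace.
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            rec.problems.append(f"malformed tag: {part!r}")
            continue
        name, value = part.split("=", 1)
        name, value = name.strip(), "".join(value.split())
        if name in rec.tags:
            rec.problems.append(f"duplicate tag: {name}")
        rec.tags[name] = value
    # v is optional, but when present it must be DKIM1.
    if "v" in rec.tags and rec.tags["v"] != "DKIM1":
        rec.problems.append("unsupported version")
    k = rec.tags.get("k", "rsa")  # key type defaults to rsa
    if k not in ("rsa", "ed25519"):
        rec.problems.append(f"unknown key type: {k}")
    p = rec.tags.get("p")
    if p is None:
        rec.problems.append("missing required tag p")
    elif p == "":
        rec.problems.append("empty p: key has been revoked")
    else:
        try:
            der = base64.b64decode(p, validate=True)
            # An RSA key is published as DER SubjectPublicKeyInfo, which starts with a SEQUENCE (0x30).
            if k == "rsa" and der[:1] != b"\x30":
                rec.problems.append("p is not a DER SubjectPublicKeyInfo")
        except ValueError:
            rec.problems.append("p is not valid base64")
    return rec
```

The key in the test below is only the leading bytes of an RSA SubjectPublicKeyInfo (constructed), enough to exercise the DER check without embedding a full key.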
DKIM is supported by the Curity Identity Server and ensures the integrity of the email. DKIM is often combined with other techniques such as Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) for additional email security. These measures are often required to get emails through spam filters.
DKIM allows for various options on what to sign. Refer to the product documentation for information about which parts are signed in the Curity Identity Server.