<dkim> seal the email content

dkim logo

dkim explained

DKIM is the acronim of DomainKeys Identified Mail, an email authentication standard,
designed to guarantee that the email (including the attachments) has not been modified since the “signature” was affixed.

It achieves this by affixing a digital signature, linked to a domain name, to each outgoing email message.

Two keys are used: a “public” and a “private” key:

  1. the “public” key, is published in the TXT record of the signing domain
  2. the “private” key, is saved whithin the smtp server and used to “sign” the email messages

While sending a message, the smtp server generates an “encrypted hash signature”, based on the email message contents and the private key.

The recipient system can verify the signature in the email header, comparing it with the email content and the sender’s “public” key.


how to make dkim work

DKIM signatures are not immediately visible to end-users, they are added and verified by the email infrastructure.

RealSender smtp servers sign all outgoing email messages with the dkim signature.


how to configure dkim

RealSender initially signs all outgoing messages with its own domain connected to the smtp server,
no setup is needed on the user/administrator side.

To get the “dkim domain alignment for dmarc”,
the message must be signed with the same domain of the sender.

With RealSender, you should add two CNAME records
in the dns settings of your domain (example.com), like these ones:

key1._domainkey.example.com   CNAME   key1._domainkey.yourcompany.realsender.com
key2._domainkey.example.com   CNAME   key2._domainkey.yourcompany.realsender.com

This tool will help you validate the configuration:
toolbox.googleapps.com *

* = external website link, will open in a new page


dkim downsides

A dkim sealed message can’t be modified, but it still can be read by anyone.

A signed message that does not pass the verification, usually gets rejected.
If no changes have been made along the way from sender to recipient, this should not happen.

We’ve experienced rare cases, all related with lines lenght (it must be max 990 characters).
Some applications send the content all in one line or transmit a very long line within the html.
On these occasions the dkim signature gets corrupted, causing the “dkim=fail” check result.


last updated on August 25, 2020


<dkim> check online