DKIM signing and verification overview

Domain Keys Identified Mail (DKIM) is one of the authentication methods used by mailbox providers to determine a sender's identity. A mailbox provider collects sender data based on the DKIM signature as part of its method for establishing a sender's reputation and trustworthiness.

The authentication of a sender’s identity using DKIM requires participation by both the sender and the mailbox provider. Each email message sent to a subscriber must be signed with a valid DKIM signature and the mailbox provider must verify the DKIM signature on each email to help determine if the DKIM signature is valid.

DKIM signing and verification process

The signing process (initiated by the sender):

  • Sender publishes a DKIM record for the sending domain.
  • Using cryptographic techniques, a sender generates a public key in DNS that can be accessed by a mailbox provider and a private key that is stored. The private key is not shared with anyone, including the mailbox provider.
  • Using the private key, the sending system creates a DKIM signature, and the DKIM signature header containing the DKIM signature is inserted into the email header for each email message.

The verification process (completed by the mailbox provider):

  • The mailbox provider’s server accepts the email and looks for a DKIM signature.
  • The mailbox provider’s server looks up the public key for the domain in DNS and attempts to match the public key against the DKIM signature created using the private key.
  • Once the mailbox provider has completed the verification process, it inserts the result in an Authentication-Results email header within each email message. 
    • For example: Authentication-Results:; spf=pass; dkim=pass

DKIM verification results

  • None: The email message has not been signed with DKIM so there is nothing for the mailbox provider to verify.
  • Pass: The email message has a DKIM signature and passed the mailbox provider’s verification check.
  • Fail: The email message has a DKIM signature but there was an error causing a verification failure. This result could mean that the message was modified during delivery or there was a major configuration error in the DKIM record on the sender’s server such as an unknown key version or unknown key type.
  • Policy: The email message was signed with DKIM but it was not acceptable to the mailbox provider. This could mean the DKIM key length is too short.
  • Neutral: The email message may or may not have a DKIM signature. If there is a DKIM signature, there was likely a syntax error preventing the message from being verified. This can also mean there was an error with no additional information.
  • Temperror: The email message has a DKIM signature but experienced an error that is likely temporary. However, continually receiving this error may mean there is a lookup error retrieving the public key.
  • Permerror: The email message has a DKIM signature but the message cannot be verified due to a permanent error. Additional attempts of verification will not succeed. This may mean a required header field is missing.
Was this article helpful?
1 out of 1 found this helpful
Have more questions? Submit a request