DKIM or DomainKeys Identified Mail is a system for validating an email address from its DNS. A digital signature is added to the domains DNS zone file. While sending a mail from the server a DKIM-Signature: field is added to the message's header. The verifier recovers the public key using the DNS, and then verifies that the signature matches the actual message's content.

DKIM uses two operations, signing and verifying. Both of them are done by a module of a mail transfer agent (MTA). Modules insert one or more DKIM-Signature to the header fields. Verifying modules verifies the signature at the receiver end.

Sample DKIM Signature

DKIM-Signature: v=1; a=rsa-sha256; d=techbrace.com; s=brisbane;

c=relaxed/simple; q=dns/txt; l=1234; t=1117574938; x=1118006938;

h=from:to:subject:date:keywords:keywords;

bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;

b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ

VoG4ZHRNiYzR

Tags used in DKIM signature:

v - Version

a - Algorithm used to generate the signature

b - Signature data

bh - The hash of the canonicalized body part of the message as limited by the "l=" tag

c - Message canonicalization

d - The domain of the signing entity

h - Signed header fields

i - Identity of the user or agent

l - Body length count

q - A colon-separated list of query methods used to retrieve the public key

s - The selector subdividing the namespace for the "d=" (domain) tag

t - Signature Timestamp

x - Signature Expiration

z - Copied header fields

Verifying Your DKIM with the dig command

dig default._domainkey.example.com TXT

By use of DKIM we can prevent email spoofing up to an extent. Major email providers check for DKIM and SPF signatures before delivering messages to its user accounts.