DomainKeys Identified Mail, or DKIM, lets an organization take responsibility for a message that is in transit. Got it? Great.

If you don’t understand, no worries, we’ll explain.

To understand DKIM and why it exists, you first have to understand the problem. Emails are more like letters in the mail than most people believe. I write a letter, add your address, my return address, and send it… with postage. Ok, email doesn’t need postage. But it does need content, the letter, a to address, your email address, a return address, my email address, and for me to send it. But what if I want to send a message as I’m someone else. Just like regular mail, I can affix a return address, the from address, to an email that isn’t mine. Even worse, I can add a small line that tells email servers when you reply to send the message to a different email address than what you see! Crazy, right?

The reason these options exist has good intentions. It is so I can send a message as a marketing email ( but still see your reply by adding the reply-to as a working email address. That way you, as the recipient, can see it is a marketing email and can ignore it if you’d like; but also if you reply with interest I will still receive the email.

The problem is obvious. This can be used to impersonate, or “spoof”, someone else’s email address with nefarious intent. We see this a lot with “send me money” or “reply now or be fired” emails. How do we secure our emails to prevent this?

DKIM is the next generation in an organizations ability to prevent this. It uses a series of keys, like keys to a lock, that have to match from the sending server and the NS host for the from domain name. It gets technical after that, but its like using a medieval wax seal on your envelope to show that it was really originally from you, and that an unbroken seal means the message has not been opened, read, or tampered with on its way. Except it’s modern… and more secure… faster… uses less wax. Fire!

As a small disclaimer, DKIM is not bulletproof. The issue is many email servers do not sign their email addresses with DKIM, and DKIM does have limitations. Because the internet is an open community, it is difficult to make everyone play by the same rules… just look at the UN or US Congress and you’ll see what we mean. But it is one more tool in your tool box to ensure users your email is as secure as it can be.


Comments are closed