Site Map

Tuesday, May 15, 2012

What is a DomainKeys Identified Mail (DKIM) Signature? Why it is required for your mailing server infrastructure?

DKIM (DomainKeys Identified Mail) is a possibility to make an email sender more easily identifiable for the email service providers (ESPs) who receive and filter email. The message is identified by the domain it is sent from, that is, the part of the address after the @.

If the delivery address differs from that that has been registered with the DNS server (Domain Name Server), there is an increased likelihood that the email will be classified as Spam by the email service provider.

DKIM signatures are created, in consultation with you, when your Kenscio mailing system is first set up. The DKIM signatures may differ from the actual domains of your Kenscio mailing system.


The domain of your Kenscio mailing system is:

You send email messages using the domains:

The sender domains and must be registered with the DNS server. The registered domains should be the domains used for sendout.

This means that, if possible, all domains that will be used for email sendout should receive DKIM signatures.

The part of the address before the @ can be freely set (eg., This part of the address is not a part of the DKIM signature.

If you would like to add a DKIM signature to more sendout domains, or if you need information about which of your domains already have the DKIM signature, please contact your Kenscio representative.

The sendout process with a DKIM signature (simplified):

The sender (that is, the domains) are registered with the DNS server. A special encrypted signature is created that makes these domains clearly identifiable.

During email sendout, the signature and sender information are embedded in the email header.

When an email provider receives an email that contains a DKIM signature, it obtains the key to decipher the signature from the DNS server.

If the sender is correctly identified by the DKIM signature, this increases the chances of delivery in the inbox.

If the DKIM signature does not match the sender identity, the email is probably marked as Spam.


The primary advantage for e-mail recipients is it allows the signing domain to reliably identify a stream of legitimate email, thereby allowing domain-based blacklists and whitelists to be more effective. This is also likely to make some kinds of phishing attacks easier to detect.
Use with spam filtering

DKIM is a method of labeling a message, and it does not itself filter or identify spam. However, widespread use of DKIM can prevent spammers from forging the source address of their messages, a technique they commonly employ today. If spammers are forced to show a correct source domain, other filtering techniques can work more effectively. In particular, the source domain can feed into a reputation system to better identify spam. Conversely, DKIM can make it easier to identify mail that is known not to be spam and need not be filtered. If a receiving system has a whitelist of known good sending domains, either locally maintained or from third party certifiers, it can skip the filtering on signed mail from those domains, and perhaps filter the remaining mail more aggressively.

DKIM can be useful as an anti-phishing technology. Mailers in heavily phished domains can sign their mail to show that it is genuine. Recipients can take the absence of a valid signature on mail from those domains to be an indication that the mail is probably forged. The best way to determine the set of domains that merit this degree of scrutiny remains an open question; DKIM will likely have an optional feature called ADSP that lets authors that sign all their mail self-identify, but the effectiveness of this approach remains to be tested.

Working with eBay and PayPal, Google has effectively utilized DKIM in GMail in such a way that any e-mail that claims to be coming from or will not be accepted at all if they cannot be verified successfully with DKIM. Such messages won’t even appear in the Spam folder.
Feedback Loops (FBLs)

Most of the Internet Service Providers (ISPs) like gmail, yahoo, hotmail and etc. now demand the Email Service Providers (ESPs) to set up DKIM for the sending mailing infrastructure in order that they receive a copy of a message that one of their subscribers has reported as spam — usually by hitting a “report spam” button in that ISP’s mail interface. Feedback Loop recipients are generally expected to remove any subscriber from their mailing lists to prevent similar “spam complaints” — but the core requirement is simply that they fix whichever problems within their network caused the complaints.

No comments:

Post a Comment