What Is DKIM?

DomainKeys Identified Mail, or DKIM, is a technical standard that helps protect email senders and recipients from spam, spoofing, and phishing. It is a form of email authentication that allows an organization to claim responsibility for a message in a way that can be validated by the recipient.

Understanding DKIM

Specifically, it uses an approach called “public key cryptography” to verify that an email message was sent from an authorized mail server, in order to detect forgery and to prevent delivery of harmful email like spam. It supplements SMTP, the basic protocol used to send email, because SMTP does not itself include any authentication mechanisms.


How does it work?

It works by adding a digital signature to the headers of an email message. That signature can be validated against a public cryptographic key in the organization’s Domain Name System (DNS) records. In general terms, the process works like this:

A domain owner publishes a cryptographic public key as a specially formatted TXT record in the domain’s overall DNS records.

When a mail message is sent by an outbound mail server, the server generates and attaches a unique DKIM signature header to the message. This header includes two cryptographic hashes, one of specified headers, and one of the message body (or part of it). The header contains information about how the signature was generated.

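When an inbound mail server receives an incoming email, it looks up the sender’s public DKIM key in DNS. The inbound server uses this key to decrypt the signature and compare it against a freshly computed version. If the two values match, the message can be proved to be authentic and unaltered in transit.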


What is a DKIM signature?

A DKIM signature is a header added to email messages. The header contains values that allow a receiving mail server to validate the email message by looking up a sender’s DKIM key and using it to verify the encrypted signature. It looks something like this:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sparkpost.com; s=google; h=from:content-transfer-encoding:subject:message-id:date:to:mime-version; bh=ZkwViLQ8B7I9vFIen3+/FXErUuKv33PmCuZAwpemGco=; b=kF31DkXsbP5bMGzOwivNE4fmMKX5W2/Yq0YqXD4Og1fPT6ViqB35uLxLGGhHv2lqXBWwFhODPVPauUXxRYEpMsuisdU5TgYmbwSJYYrFLFj5ZWTZ7VGgg6/nI1hoPWbzDaL9qh

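A DKIM signature header packs in a lot of information, because it is intended for automated processing. As you can see in this example, the header contains a list of tag=value parts. Notable tags include “d=” for the signing domain, “b=” for the actual digital signature, and “bh=” for a hash that can be verified by recalculating it using the sender’s public key.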

By definition, the signature is unique for each message, but these basic elements will be present in every DKIM signature header.
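
The following Python example is added here and is not code from the original page: it parses the tag=value list of the DKIM-Signature header shown above, derives the DNS name where a receiver looks up the public key (the "s=" selector under "_domainkey" in the "d=" domain, per RFC 6376), and recomputes the "bh=" body hash under relaxed canonicalization. The function names are chosen for illustration; checking "b=" itself requires the published RSA key and is not done here.

```python
import base64
import hashlib
import re

# DKIM-Signature value copied from the example on this page.
EXAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=sparkpost.com; s=google; "
    "h=from:content-transfer-encoding:subject:message-id:date:to:mime-version; "
    "bh=ZkwViLQ8B7I9vFIen3+/FXErUuKv33PmCuZAwpemGco=; "
    "b=kF31DkXsbP5bMGzOwivNE4fmMKX5W2/Yq0YqXD4Og1fPT6ViqB35uLxLGGhHv2lqXBWwFhODP"
    "VPauUXxRYEpMsuisdU5TgYmbwSJYYrFLFj5ZWTZ7VGgg6/nI1hoPWbzDaL9qh"
)
REQUIRED = ("v", "a", "b", "bh", "d", "h", "s")  # tags RFC 6376 marks REQUIRED

def parse_dkim_signature(value):
    """Split a DKIM-Signature header value into a {tag: value} dict."""
    tags = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        name, sep, val = part.partition("=")
        name = name.strip()
        if not sep or name in tags:
            raise ValueError(f"malformed or duplicate tag: {part!r}")
        # Folding whitespace inside b=, bh= and h= is not significant.
        tags[name] = re.sub(r"\s+", "", val) if name in ("b", "bh", "h") else val.strip()
    missing = [t for t in REQUIRED if t not in tags]
    if missing:
        raise ValueError(f"missing required tags: {missing}")
    return tags

def key_record_name(tags):
    """DNS name of the TXT record holding the signer's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def relaxed_body_hash(body):
    """Compute bh= for a bytes body: relaxed canonicalization, SHA-256, base64."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()  # empty lines at the end of the body are ignored
    canon = b"".join(ln + b"\r\n" for ln in lines)
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def body_is_intact(tags, body):
    """True if body still hashes to the signed bh= (relaxed body, sha256, no l=)."""
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    if body_canon != "relaxed" or not tags["a"].endswith("-sha256") or "l" in tags:
        raise NotImplementedError("example handles relaxed body + sha256 only")
    return relaxed_body_hash(body) == tags["bh"]
```

Relaxed canonicalization is why whitespace changes made by a relay leave "bh=" valid, while any change to the visible text of the body does not.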


How is it related to SPF, DMARC, or other standards?

DKIM, SPF, and DMARC are all standards that support different aspects of email authentication. The problems they address are complementary.

  • SPF allows senders to define which IP addresses are allowed to send mail for a particular domain.

  • DKIM provides a cryptographic key and digital signature that verifies that an email message was not forged or altered.

  • DMARC unifies the SPF and DKIM authentication mechanisms into a common framework and allows domain owners to declare how they would like email from that domain to be handled if it fails an authorization test.


Do I need DKIM?

If you are a business sending commercial or transactional email, you definitely need to implement one or more forms of email authentication to verify that an email is actually from you or your business. Properly configuring email authentication standards is one of the most important steps you can take to improve your deliverability. However, by itself it only goes so far; SparkPost and other email experts recommend also implementing SPF and DMARC to define a more complete email authentication policy.
