DKIM vs. DomainKeys Confusion

DKIM--DomainKeys Identified Mail--is an important standard for email sender authentication. It allows a recipient to verify that a message really does come from the sending domain that it claims to have come from. Senders publish a public key for their domain and then cryptographically sign their outgoing email, using the corresponding private key. Recipients can then verify the signature, typically as part of the spam filtering process.

I was recently working with a client who was trying to improve their email delivery rates. They send transactional and opt-in newsletters to their subscriber base. My usual advice is that implementing sender authentication is a useful way of avoiding your email being incorrectly flagged as spam (i.e., a "false positive"). So the client implemented DKIM and SPF (an earlier, de facto standard for sender authentication).

Today, not all email recipients check DKIM signatures, but more and more are doing so. Surprisingly, there are two notable email services that do not yet appear to check DKIM signatures: Gmail and Yahoo. They do, however, check signatures in the older, DomainKeys format--this precursor to DKIM is similar in many respects.

DomainKeys was designed by Yahoo, but the company was also closely involved in the standards-definition process leading up to RFC 4871 (the DKIM Base Specification). It's curious that these two major services don't yet check for standardized DKIM signatures.

The advice for now is clear: senders should continue to generate the older, DomainKeys style of signature.

... Richi Jennings
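
As an added illustration (not part of the original post), a sender following the advice above can check that outgoing mail actually carries both signature styles. This sketch parses a constructed sample message; the domain example.com, the selector sel2008 and the signature values are placeholders, and it only inspects headers rather than verifying signatures.

```python
import email

# Constructed sample message; domain, selector and signature data are placeholders.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=sel2008; h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=sel2008; d=example.com;
 h=from:to:subject; b=PLACEHOLDER=
From: News <news@example.com>
To: reader@example.net
Subject: March newsletter

Hello.
"""

# Header name -> scheme name (RFC 4871 DKIM, and its DomainKeys precursor).
SCHEMES = {"DKIM-Signature": "DKIM", "DomainKey-Signature": "DomainKeys"}

def parse_tags(value):
    """Split a 'tag=value; tag=value' list, removing folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())
    return tags

def audit_signatures(raw):
    """Return one record per signature header found in the message."""
    msg = email.message_from_string(raw)
    found = []
    for header, scheme in SCHEMES.items():
        for value in msg.get_all(header, []):
            t = parse_tags(value)
            d, s = t.get("d"), t.get("s")
            found.append({
                "scheme": scheme,
                "domain": d,
                "selector": s,
                "algorithm": t.get("a"),
                # Both schemes publish the public key under the same DNS name.
                "key_record": f"{s}._domainkey.{d}" if d and s else None,
            })
    return found

def missing_schemes(raw):
    """Schemes a dual-signing sender should emit but this message lacks."""
    present = {r["scheme"] for r in audit_signatures(raw)}
    return sorted(set(SCHEMES.values()) - present)
```

Running `missing_schemes` over a sample of outbound mail shows at a glance whether the signing configuration covers receivers that check only one of the two formats.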

One Comment

  1. Posted March 13, 2008 at 11:57 AM | Permalink

    Your last sentence is a bit unclear. I *hope* you meant “senders should continue to generate the older, DomainKeys style of signature in addition to DKIM and SenderID”, at least until major mail receivers stop checking DK.

  2. Posted March 13, 2008 at 12:28 PM | Permalink

    Absolutely so. Shame it had to be this way. Generating both seems unnecessarily messy.

  3. John Robson
    Posted June 16, 2008 at 5:24 PM | Permalink

    [ad hominem comment redacted]

  4. Posted June 20, 2009 at 9:45 AM | Permalink

    Well, it's 2009 now and I've got to say it seems like GMail is supporting DKIM 🙂

  5. Nate
    Posted December 5, 2011 at 3:48 PM | Permalink

    DKIM does nothing to verify the sender of an email. It allows you to verify that the signer of the /content/ (not to be confused with the sender) is the same as the domain asserted in the DKIM header. It is very easy to pull a DKIM header and its signed content out of a valid email from legitimate domain A and place it in a new email and send it from spam domain B, without “breaking” DKIM.
