DomainKeys Identified Mail and DomainKeys: Third in 3-Part Series on E-Mail Authentication

E-mail authentication's importance has been discussed often in the media, at industry trade shows and in blogs. However, before you begin an e-mail authentication program, you are going to need to separate fact from fiction. In this three-part series, Knowledge Center contributor Ellen Siegel explains what e-mail authentication is, why e-mail authentication is important, how e-mail authentication works and what exactly you need to do to authenticate your e-mail.

Editor's Note: In Part 1 of her three-part series on e-mail authentication, Knowledge Center contributor Ellen Siegel shared a comprehensive, high-level overview of e-mail authentication. In Part 2, Ellen delved into the functionality and implementation details of Sender Policy Framework (SPF) and Sender ID authentication. Here, in Part 3, Ellen delves into the functionality and technical details of DomainKeys Identified Mail (DKIM).


DomainKeys Identified Mail (DKIM) is the standards track protocol for cryptographic e-mail authentication and is imperative for new implementations. It supersedes DomainKeys, so this article will focus on DKIM. The only reason to implement DomainKeys for outbound mail is if you're sending mail to one of the few domains that still validate DomainKeys and have not upgraded to DKIM (currently Yahoo is the main receiver in this category).

Unlike Sender ID and Sender Policy Framework (SPF), implementing DKIM and DomainKeys does require changes to sender mail processing. The good news is that very few people actually do their own implementation. The more common approach is to either outsource your e-mail, or to identify an open-source or commercial implementation that is compatible with the mail server you use and integrate it into your deployment.

Basic steps for setting up DKIM or DomainKeys

The basic steps for setting up DKIM or DomainKeys for outbound mail are:

Step No. 1: Identify and install the signing module on each mail server that will be signing outbound mail for your domain(s)

Step No. 2: Generate one or more public/private key pair(s) to enable the signing

Step No. 3: Construct and publish each public key record in the relevant Domain Name System (DNS) entry

Step No. 4: Install the appropriate private key on each signing mail server

Step No. 5: Test your deployment
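
For Steps 3 and 5, a check of the key record before it is published can catch a malformed or undersized key before receivers do. The following is an added example, not code from this article or from any DKIM package; the record tags (v=, k=, p=) and the 1024-bit floor are taken from the DKIM specifications (RFC 6376, RFC 8301) rather than from this page, and the sample records are constructed around a placeholder modulus, not a usable key.

```python
import base64

def tlv(buf, pos=0):
    """Read one DER element at pos; return (value_bytes, next_pos)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def rsa_bits(spki_der):
    """Modulus size of an RSA SubjectPublicKeyInfo (the decoded p= value)."""
    spki, _ = tlv(spki_der)          # outer SEQUENCE
    _, pos = tlv(spki)               # AlgorithmIdentifier, skipped
    bitstr, _ = tlv(spki, pos)       # BIT STRING wrapping the RSA key
    rsakey, _ = tlv(bitstr[1:])      # drop the unused-bits octet
    modulus, _ = tlv(rsakey)         # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()

def check_record(txt, min_bits=1024):
    """Return the problems found in a DKIM key record; empty list means OK."""
    tags = {k.strip(): v.strip() for k, _, v in
            (part.partition("=") for part in txt.split(";"))}
    problems = [] if tags.get("v", "DKIM1") == "DKIM1" else ["bad v= tag"]
    if tags.get("k", "rsa") != "rsa":
        return problems + ["k= is not rsa; size check skipped"]
    p = "".join(tags.get("p", "").split())
    if not p:
        return problems + ["p= empty or missing (empty p= means revoked)"]
    try:
        bits = rsa_bits(base64.b64decode(p, validate=True))
    except (ValueError, IndexError):
        return problems + ["p= is not base64-encoded DER"]
    if bits < min_bits:
        problems.append(f"RSA modulus is only {bits} bits")
    return problems

def der(tag, body):
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = lb if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + head + body

def sample_record(bits):
    """Constructed record: placeholder modulus with the top bit set."""
    n = (1 << (bits - 1)) | 1
    key = der(0x30, der(2, b"\x00" + n.to_bytes(bits // 8, "big"))
              + der(2, b"\x01\x00\x01"))
    alg = der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption
    spki = der(0x30, alg + der(3, b"\x00" + key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```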

The list of products and services that support DKIM is maintained on the Web site. The Web site also provides a DKIM FAQ and a list of consulting services. Many of the DKIM implementations also support DomainKeys, or you can check out the SourceForge Project page. Many implementations allow independent installation of outbound (sending) and inbound (validating) components, so make sure you choose the configuration that is right for your deployment.

Different packages provide different interfaces, so once you've set up and configured your new packages, you'll need to follow their specific instructions for the steps enumerated earlier. Some will provide support for all of the steps. Others may require you to perform specific steps such as publishing public keys via external processes.