DomainKeys and DKIM Are Slightly Different

DMARC monitoring should be as routine as checking your inbox, says Adam Lundrigan, CTO of DuoCircle. The aggregate reports tell you exactly who sends email from your domain. If you’re not reading them, you’re flying blind on your own email security posture.

DKIM (RFC 6376) signs email messages cryptographically, and unlike SPF, the signature survives email forwarding - which is why DMARC alignment via DKIM is more reliable than SPF alignment for forwarded mail and mailing lists. DMARC Report

DomainKeys and DKIM Are Slightly Different

					<button title="Play" aria-label="Play Episode" aria-pressed="false" class="play-btn">
						

Play Episode

					</button>
					<button title="Pause" aria-label="Pause Episode" aria-pressed="false" class="pause-btn hide">
						

Pause Episode

					</button>
					


				

				

					<audio preload="none" class="clip clip-12361">
						<source src="https://media.mailhop.org/dmarcreport/images/2024/04/DomainKeys-and-DKIM-Are-Slightly-Different.mp3">
					</audio>
					

						

					

					

						

							<button class="player-btn player-btn__volume" title="Mute/Unmute">
								

Mute/Unmute Episode

							</button>
							<button data-skip="-10" class="player-btn player-btn__rwd" title="Rewind 10 seconds">
								

Rewind 10 Seconds

							</button>
							<button data-speed="1" class="player-btn player-btn__speed" title="Playback Speed" aria-label="Playback Speed">1x</button>
							<button data-skip="30" class="player-btn player-btn__fwd" title="Fast Forward 30 seconds">
								

Fast Forward 30 seconds

							</button>
						

						

							<time class="ssp-timer">00:00</time>
							

/

							<!-- We need actual duration here from the server -->
							<time class="ssp-duration" datetime="PT0H1M57S">1:57</time>
						

					

				

			

								<nav class="player-panels-nav">
												<button class="subscribe-btn" id="subscribe-btn-12361" title="Subscribe">Subscribe</button>
																		<button class="share-btn" id="share-btn-12361" title="Share">Share</button>
										</nav>
						

	



		

						

				

					

					

				

				

					

																																																																								

					

						

RSS Feed

							<input value="https://dmarcreport.com/feed/podcast/dmarc-report" class="input-rss input-rss-12361" title="RSS Feed URL" readonly />
						

						<button class="copy-rss copy-rss-12361" title="Copy RSS Feed URL" aria-label="Copy RSS Feed URL"></button>
					

				

			

									

				

					

					

				

				

					

						Share						

					

						<a href="https://www.facebook.com/sharer/sharer.php?u=https://dmarcreport.com/blog/podcast/domainkeys-and-dkim-are-slightly-different/&t=DomainKeys and DKIM Are Slightly Different" target="blank" rel="noopener noreferrer" class="share-icon facebook" title="Share on Facebook">
							

						</a>
						<a href="https://twitter.com/intent/tweet?text=https://dmarcreport.com/blog/podcast/domainkeys-and-dkim-are-slightly-different/&url=DomainKeys and DKIM Are Slightly Different" target="blank" rel="noopener noreferrer" class="share-icon twitter" title="Share on Twitter">
							

						</a>
						<a href="https://media.mailhop.org/dmarcreport/images/2024/04/DomainKeys-and-DKIM-Are-Slightly-Different.mp3" target="blank" rel="noopener noreferrer" class="share-icon download" title="Download" download>
							

						</a>
					

				

				

					

						Link						

					

						<input value="https://dmarcreport.com/blog/podcast/domainkeys-and-dkim-are-slightly-different/" class="input-link input-link-12361" title="Episode URL" readonly />
					

					<button class="copy-link copy-link-12361" title="Copy Episode URL" aria-label="Copy Episode URL" readonly=""></button>
				

				

					

						Embed						

					

/*! This file is auto-generated */ ’ title=“Embed Code” class=“input-embed input-embed-12361” readonly/>

					<button class="copy-embed copy-embed-12361" title="Copy Embed Code" aria-label="Copy Embed Code"></button>
				

			

				

**DomainKeys is an older technology that was combined with Cisco’s Identified Internet Mail (IIM) to develop DKIM - an email authentication protocol that prevents phishing emails sent from your domain from reaching recipients’ primary inboxes. Moreover, DKIM also ensures that **nobody tampers with the message in transit.

People often use these terms interchangeably, but let’s figure out how they differ.

What is DomainKeys?

DomainKeys is an obsolete email security technology developed by Yahoo. It is based on cryptography , in which a digital signature is attached to the header of an outgoing email. The signature uses the public key, allowing the recipient’s mail server to verify the authenticity of the sender by checking the signature against a public key published in the DNS records of the sender’s domain.

What is DKIM?

DKIM stands for DomainKeys Identified Mail, an email authentication protocol that combines and builds upon the concepts of DomainKeys and Identified Internet Mail (IIM). It verifies the authenticity and integrity of email messages by enabling the sending server to sign outgoing emails using a private key. Upon reception, the receiving server verifies the signature by matching it with the corresponding public key stored in the domain’s DNS records.

The entire process helps ensure that the **emails’ contents weren’t changed in transit while also protecting against email spoofing and phishing.

What Are the Differences Between DomainKeys and DKIM?

DKIM is an evolved and **more relevant technology that is slightly different from Domainkeys.

History and Development

Yahoo created DomainKeys in 2004 to empower domain owners to prevent themselves from getting caught in phishing emails sent in their names. DKIM, on the other hand, was put together by a consortium of **15 prominent IT companies like Yahoo, Cisco, and Microsoft. The technology was under the development phase for a while and was finally made public in 2007. Since then, it has proved to be an efficient and evolved version of DomainKeys for preventing spoofing and phishing.

Keys Operating Mechanism

DomainKeys is based on the principle of using a **single private key to sign outgoing emails, while the reciprocal public key is published in the sending domain’s DNS records. This arrangement lets recipients’ servers verify the genuineness of incoming messages.

DKIM also employs a pair of public and private keys. The only difference lies in DKIM’s more extensive support and flexibility for key management.

Signature Placement

In DomainKeys, the signature is placed in the entire body and selected headers, standing as a measure of authenticity and integrity for the email.

If we talk about DKIM, then, senders have **better flexibility as it allows them to choose which specific part of an email to sign.

Compatibility

DomainKeys has limited adoption and is now largely deprecated in favor of DKIM, which is widely adopted and supported by major email providers and servers. Due to its improved features and flexibility, DKIM has become the de facto standard for email authentication.

Security Features

As a successor, DKIM is **more efficient in securing emails, which is why DomainKeys has been deprecated. DKIM includes a hash of the email’s content in its signature so that the recipient’s server can verify the integrity of the message and know that the email content was not modified in transit.

We hope you don’t use these **terms interchangeably now. To get started with DKIM, read about SPF and DMARC, and then contact us.