---
title: "Improving Email Security With DKIM | DMARC Report"
description: "Improving Email Security With DKIM from DMARC Report explains practical steps for email authentication, domain protection, deliverability, and DMARC."
image: "https://dmarcreport.com/og/blog/improving-email-security-with-dkim.png"
canonical: "https://dmarcreport.com/blog/improving-email-security-with-dkim/"
---



![Improving Email Security With DKIM](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg) 


The three core email authentication standards - SPF ([RFC 7208](https://datatracker.ietf.org/doc/html/rfc7208)), DKIM ([RFC 6376](https://datatracker.ietf.org/doc/html/rfc6376)), and DMARC ([RFC 7489](https://datatracker.ietf.org/doc/html/rfc7489)) - work together to verify that an email genuinely originates from the domain it claims to represent. Since February 2024, Google and Yahoo require all three for bulk senders.

> The organizations that invest in email authentication early save themselves from expensive incidents later, says Vasile Diaconu, Operations Lead at DuoCircle. We see the pattern constantly: a domain gets spoofed, customers lose trust, and the remediation effort costs 10x what proactive DMARC setup would have cost.

[Gmail blocks over 100 million phishing emails every day](https://safety.google/). With cyber threats growing and AI-driven tools readily available on the dark web, this number has grown steeply. Despite the efforts made by Gmail and other email service providers, some fraudulent emails still bypass **email security filters**, leading to the exploitation of personal information, [BEC attacks](https://dmarcreport.com/blog/business-email-compromise-bec-scams-take-new-dimension-with-multi-stage-attacks/), [ransomware attacks](https://www.ndtv.com/world-news/ransomware-attack-on-us-arm-of-chinas-largest-bank-icbc-fs-disrupts-treasury-market-4564214), [impersonation attacks](https://www.upguard.com/blog/impersonation-attack), and more. This is where DKIM comes in.

DKIM, or DomainKeys Identified Mail, is an [email security](https://dmarcreport.com/blog/why-email-security-matters-and-how-to-get-it-right/) protocol developed in 2004 to overcome the shortcomings of the **Simple Mail Transfer Protocol (SMTP)** and Sender Policy Framework (SPF). DKIM combines Cisco’s Identified Internet Mail (IIM) and Yahoo’s DomainKeys.

DKIM uses a signing method to help recipients verify the authenticity of messages they receive from your domain. This way, you prevent [malicious actors](https://www.cshub.com/attacks/news/iotw-malicious-actors-gain-access-to-github-source-code) from compromising your **email-sending domain** to impersonate one of your representatives and victimize someone, tarnishing your brand reputation.

## What is a DKIM Signature?

[DKIM](https://dmarcreport.com/what-is-dkim/) affixes a digital signature to every **email dispatched** from your domain so that the receiving mail server can verify that the sender is who they claim to be. _To perform this verification, the recipient’s server looks up the sending domain’s public key published in the DNS_.

Apart from checking a sender’s authenticity, a [DKIM signature](https://support.cartika.com/portal/en/kb/articles/what-is-dkim-everything-you-need-to-know-about-digital-signatures) also guarantees that nobody altered the message since the signature was affixed. _Generally, an end user can’t see a DKIM signature; it is placed by the infrastructure, not by the email’s sender or receiver_.

## DKIM Signing

A message’s signing organization is either the author (the direct handler) or an independent service provider. Signing modules insert DKIM signatures into **emails’ header fields**, and signers can pick which header fields they sign. The From: field should always be signed.

![Dmarc record 5](https://media.mailhop.org/dmarcreport/images/2023/12/dmarc-record-5-1.jpg) 

## DKIM Tags

Here are the primary **DKIM tags** and their usage rules, along with examples:

## v (Version)

- Usage Rule: Specifies the DKIM version being used.
- Example: v=1

## a (Algorithm)

- Usage Rule: Specifies the signing algorithm.
- Example: a=rsa-sha256

## c (canonicalization)

- Usage Rule: Specifies the [canonicalization algorithms](https://knowledge.ondmarc.redsift.com/en/articles/1248211-dkim-canonicalization-explained) for the **header and body**.
- Example: c=relaxed/relaxed

## d (Domain)

- Usage Rule: Identifies the signing domain.
- Example: d=example.com

## i (Identity)

- Usage Rule: Identifies the sender’s signing identity.
- Example: i=user@example.com

## q (Query)

- Usage Rule: Indicates how a signature should be treated if some parts of the email are missing.
- Example: q=dns/txt

## s (Selector)

- Usage Rule: Specifies the selector subdividing the namespace for the domain.
- Example: s=selector1

## h (headers)

- Usage Rule: Lists the header fields included in the signature.
- Example: h=from:to:subject:date

## bh (Body Hash)

- Usage Rule: Contains the [hash value of the email body](https://support.liveintent.com/hc/en-us/articles/207560146-What-is-an-Email-Hash-).
- Example: bh=abcdef123456…

## b (signature)

- Usage Rule: Contains the digital signature applied to the headers and body.
- Example: b=zyxwvutsrponmlkjihgfedcba…
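The tags above can be checked mechanically before any cryptography is involved. The following is an added example, not code from the original article: it parses a signature's tag list, confirms that From: is listed in h=, derives the DNS name where the public key is looked up, and recomputes bh under the body canonicalization named in c=. The message body and signature are constructed samples, the b= value is a placeholder, and verifying b= itself (which needs the public key) is out of scope.

```python
import base64
import hashlib
import re

REQUIRED = {"v", "a", "d", "s", "h", "bh", "b"}
HASHES = {"rsa-sha256": hashlib.sha256, "rsa-sha1": hashlib.sha1}


def parse_tags(value: str) -> dict:
    """Split a 'tag=value; tag=value' list into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = val.strip()
    return tags


def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization selected by the second half of c= (RFC 6376, 3.4)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of spaces/tabs and drop whitespace at line ends.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # empty lines at the end are ignored
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str, algorithm: str) -> str:
    digest = HASHES[algorithm](canon_body(body, mode)).digest()
    return base64.b64encode(digest).decode()


def key_query_name(header_value: str) -> str:
    """DNS name holding the public key: <s>._domainkey.<d>."""
    tags = parse_tags(header_value)
    return f"{tags['s']}._domainkey.{tags['d']}"


def check_signature(header_value: str, body: bytes) -> list:
    """Return a list of problems; an empty list means these checks pass."""
    tags = parse_tags(header_value)
    missing = REQUIRED - tags.keys()
    if missing:
        return ["missing tags: " + ",".join(sorted(missing))]
    if tags["a"] not in HASHES:
        return ["unsupported algorithm: " + tags["a"]]
    problems = []
    if "from" not in [h.strip().lower() for h in tags["h"].split(":")]:
        problems.append("From: is not listed in h=")
    # c= is header/body; a missing body part defaults to simple.
    mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    if body_hash(body, mode, tags["a"]) != re.sub(r"\s+", "", tags["bh"]):
        problems.append("bh mismatch: body differs from what was signed")
    return problems


# Constructed sample message body and signature header value.
BODY = b"Invoice 4471 is attached.\r\nPay to account  12345.\r\n"
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1; "
       "h=from:to:subject:date; bh=" + body_hash(BODY, "relaxed", "rsa-sha256")
       + "; b=PLACEHOLDER")

if __name__ == "__main__":
    print(key_query_name(SIG))
    print(check_signature(SIG, BODY))
    print(check_signature(SIG, BODY.replace(b"12345", b"99999")))
```

Under relaxed body canonicalization, whitespace-only changes made in transit leave bh intact, while any change to the content does not.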

## DKIM Record

A DKIM record is a [DNS record](https://www.techopedia.com/definition/5349/dns-record) that stores the public key used for verifying the **digital signatures** added to every outgoing message. Here’s a basic overview of what a DKIM record contains:

## Selector (\_s)

A selector is a subdomain prefix for the **DKIM key** that supports the management of multiple keys for the same domain.

## Domain (\_d)

This tag specifies the domain that is signing the email. It is the domain for which the [DKIM record](https://dmarcreport.com/blog/dkim-examples-a-comprehensive-guide-to-email-configuration/) is published.

## Public Key (\_p)

It’s the cryptographic key used by recipients’ mailboxes or mail servers to verify senders’ legitimacy through the digital signature affixed to incoming emails.

## DKIM Record Example

```
selector1._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQE…"
```

Where:

- selector1: **the selector**
- `_domainkey`: a standard subdomain prefix used for DKIM records.
- example.com: the domain that is signing the outgoing message’s header.
- “v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQE…”: the DKIM record itself, including the version, key type (in this case, RSA), and the public key.

## Relationship with SPF and DMARC

[SPF](https://dmarcreport.com/blog/the-history-and-evolution-of-sender-policy-framework-spf/) stands for Sender Policy Framework, a **seasoned protocol** that lets domain owners list which mail servers are authorized to send messages on behalf of their domain. This works by creating a TXT-type [SPF record](https://dmarcreport.com/tools/spf-record-generator/) that includes all the mail servers along with syntax that gives details and instructions to recipients’ mail servers.

SPF allows the recipient’s mail server to check whether an incoming email originated from an authorized IP address for the sending domain. It helps prevent [email spoofing](https://www.foxnews.com/tech/beware-this-latest-phishing-attack-disguised-official-email-sent-google).

On the other hand, DMARC, or Domain-based Message Authentication, Reporting, and Conformance, is built on SPF and DKIM to operate as a framework for domain owners to specify how to check the **From:** field presented to end users. It directs a **receiving mailbox** on the handling and reporting of emails [failing DKIM](https://dmarcreport.com/blog/10-reasons-why-dkim-fails/) and/or SPF checks.

The relationship between SPF, DKIM, and DMARC is characterized by their complementary nature and triangulation of authentication. This means that if one protocol encounters a failure, the remaining protocols can still handle **assessment and authentication**, blunting the efforts made by threat actors.

## DKIM Key Length

Please remember that authentication is not synonymous with abuse prevention. Bad actors can compromise [DKIM keys](https://dmarcreport.com/blog/the-emergence-of-dkim-a-cryptography-based-email-authentication-protocol/), so the longer the DKIM key, the better protected you are against **DKIM factoring**.

In 2012, a mathematician, [Zach Harris](https://www.wired.com/2012/10/dkim-vulnerability-widespread/), detected and **demonstrated** the short DKIM key vulnerability in Google, PayPal, Yahoo, Amazon, eBay, Apple, Dell, LinkedIn, US Bank, HP, Match.com, and HSBC. According to him, 384-bit keys are extremely easy to compromise in less than 24 hours and 512-bit keys in almost 72 hours. _Hence, it’s recommended to use DKIM signing keys that are longer than 1024 bits, which means 2048 bits or higher is what you should go for_.
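A published record can be audited against this recommendation by decoding the p= value and measuring the RSA modulus. The following is an added example, not code from the original article: it reads the DER structure of the key by hand so it needs no third-party library, and the sample records are constructed with placeholder moduli that are not usable keys. The names `audit_record` and `sample_record` are hypothetical.

```python
import base64

MIN_RSA_BITS = 2048  # the article's recommendation: 2048 bits or higher
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption


def _read_tlv(buf: bytes, pos: int):
    """Read one DER element at pos; return (tag, content, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(p_value: str) -> int:
    """Bit length of the RSA modulus inside the base64 key of a p= tag."""
    der = base64.b64decode("".join(p_value.split()))
    _, spki, _ = _read_tlv(der, 0)            # SEQUENCE SubjectPublicKeyInfo
    _, algorithm, pos = _read_tlv(spki, 0)    # SEQUENCE AlgorithmIdentifier
    if RSA_OID not in algorithm:
        raise ValueError("not an RSA key")
    _, bit_string, _ = _read_tlv(spki, pos)   # BIT STRING wrapping the key
    _, rsa_key, _ = _read_tlv(bit_string, 1)  # skip the unused-bits octet
    _, modulus, _ = _read_tlv(rsa_key, 0)     # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()


def audit_record(txt: str) -> str:
    """Classify a DKIM TXT record value by key strength."""
    parts = (part.partition("=") for part in txt.split(";"))
    tags = {k.strip(): v.strip() for k, _, v in parts if k.strip()}
    if tags.get("k", "rsa") != "rsa":
        return "skipped: key type " + tags["k"]
    if not tags.get("p"):
        return "revoked: empty p="  # RFC 6376: an empty p= means revoked
    bits = rsa_modulus_bits(tags["p"])
    verdict = "ok" if bits >= MIN_RSA_BITS else "weak"
    return f"{verdict}: {bits}-bit RSA key"


def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    octets = (n.bit_length() + 7) // 8
    size = bytes([n]) if n < 0x80 else bytes([0x80 | octets]) + n.to_bytes(octets, "big")
    return bytes([tag]) + size + content


def sample_record(bits: int) -> str:
    """Constructed record; the modulus is a placeholder, not a usable key."""
    def integer(v: int) -> bytes:
        return _der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    rsa_key = _der(0x30, integer((1 << (bits - 1)) | 1) + integer(65537))
    algorithm = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    spki = _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


if __name__ == "__main__":
    for size in (512, 1024, 2048):
        print(audit_record(sample_record(size)))
```

A p= value that begins `MIGfMA0GCSqGSIb3DQE`, as in the record example earlier on this page, has the encoded length of a 1024-bit RSA key with the usual public exponent, so the prefix alone is a quick visual cue when reviewing DNS zones.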

![Dmarc analyzer](https://media.mailhop.org/dmarcreport/images/2023/12/dmarc-analyzer-1244.jpg) 

## DKIM Key Rotation Practice

Regularly [rotating DKIM keys](https://dmarcreport.com/blog/dkim-key-rotation-best-practices-for-large-organizations-should-know/) mitigates the risk associated with compromised keys. While the frequency of key rotation depends on an organization’s [email infrastructure](https://dmarcreport.com/blog/dmarc-office-365-complete-setup-guide-2026/), the **IT team’s scope, attack surface**, and the availability of resources, it’s strongly recommended to rotate keys at least once a year.

This ensures that any [malicious activities using the compromised key](https://techcrunch.com/2023/07/17/microsoft-lost-keys-government-hacked/) become obsolete, limiting the potential damage.

## The Last Thoughts

By implementing DKIM, SPF, and [DMARC](https://dmarcreport.com/) together, organizations can significantly elevate the security of their **email communications**, mitigate the risk of phishing attacks, and achieve improved visibility into potential authentication issues.

We suggest you also use **DMARC monitoring and reporting** to minimize the rate of false positives and transition policies efficiently. [Book a demo to get started](https://dmarcreport.com/book-a-demo/).

## Sources

- [RFC 7208 - Sender Policy Framework (SPF)](https://datatracker.ietf.org/doc/html/rfc7208)
- [RFC 7489 - Domain-based Message Authentication, Reporting, and Conformance (DMARC)](https://datatracker.ietf.org/doc/html/rfc7489)


[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.
