DKIM or DomainKeys Identified Mail is a system for validating an email address from its DNS. A digital signature is added to the domains DNS zone file. While sending a mail from the server a DKIM-Signature: field is added to the message's header. The verifier recovers the public key using the DNS, and then verifies that the signature matches the actual message's content.
DKIM uses two operations, signing and verifying. Both of them are done by a module of a mail transfer agent (MTA). Modules insert one or more DKIM-Signature to the header fields. Verifying modules verifies the signature at the receiver end.
Sample DKIM Signature
DKIM-Signature: v=1; a=rsa-sha256; d=techbrace.com; s=brisbane;
c=relaxed/simple; q=dns/txt; l=1234; t=1117574938; x=1118006938;
Tags used in DKIM signature:
v - Version
a - Algorithm used to generate the signature
b - Signature data
bh - The hash of the canonicalized body part of the message as limited by the "l=" tag
c - Message canonicalization
d - The domain of the signing entity
h - Signed header fields
i - Identity of the user or agent
l - Body length count
q - A colon-separated list of query methods used to retrieve the public key
s - The selector subdividing the namespace for the "d=" (domain) tag
t - Signature Timestamp
x - Signature Expiration
z - Copied header fields
Verifying Your DKIM with the dig command
dig default._domainkey.example.com TXT
By use of DKIM we can prevent email spoofing up to an extent. Major email providers check for DKIM and SPF signatures before delivering messages to its user accounts.