DKIM
DomainKeys Identified Mail. RFC 6376 lets a sending domain sign its emails to prove authenticity.
Definition
DKIM (DomainKeys Identified Mail) is an IETF mechanism that adds a cryptographic signature to an email header so that any recipient can verify the message comes from the claimed domain and has not been altered in transit. The public key is published in a TXT DNS record under selector._domainkey.example.com.
Origin
DKIM emerged from the merger of DomainKeys (Yahoo, 2004) and Identified Internet Mail (Cisco, 2004), standardised in RFC 4871 (2007) and revised in RFC 6376 (2011). It is today a pillar of email authentication policies alongside SPF and DMARC. In the AS1 context, DKIM provides a complementary authentication layer on top of payload S/MIME.
Example in context
DKIM-Signature: v=1; a=rsa-sha256; d=ediverse.io; s=2026-q2;
h=from:to:subject:date; bh=HASH; b=SIGNATURE
This header, added by the outbound MTA, certifies that ediverse.io signed the body and listed headers with the public key published at 2026-q2._domainkey.ediverse.io. Any receiving MTA can verify the signature by querying DNS, with no prior key-sharing.
Related terms
- AS1 — the EDI-over-SMTP protocol that can benefit from DKIM.
- S/MIME — MIME signature, complementary to DKIM.
- Non-repudiation — property reinforced by DKIM.