What is a DKIM signature?

What is DKIM?

DKIM (DomainKeys Identified Mail) is a standard for authenticating mail by its sending domain. Using asymmetrical cryptography, it enables messages to be signed to guarantee their integrity, from sender to recipient. Like DomainKey, DKIM specifies how to sign messages using asymmetric encryption, publishing public keys via DNS and entrusting the signing process to mail servers. The difference between DomainKey and DKIM lies in the fact that the signatory can be different from the author and sender, the signature field is self-signed and the signature can include a validity period. DomainKey has been abandoned by Yahoo in favor of DKIM, which is becoming a standard.

The DKIM cryptographic signature authenticates the domain name of the sender of an e-mail message. Message signatures guarantee recipient servers that the sender is indeed part of the sending organization, and that the original message is intact (unaltered in transit).

Glossaire DKIM


The 1024-bit DKIM public key for the yahoo.com domain is stored in the TXT field of the “s1024._domainkey.yahoo.com” entry: “k=rsa; t=y; p=MIGADCBiQKBgQD(…)B; n=A 1024 bit key;” This key is used to verify the authenticity of the signature in the e-mail (generated using the private key installed on the sending server). Example of a signature present in an email: “DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:Date:From:Subject:To:Message-ID; b=cuXRK(…)vazo=;”. This ensures that the mail comes from the advertised sending server and that the sending domain is not spoofed.


A correctly signed e-mail from a server using DKIM technology is unlikely to be spam. This gives a positive indication of the type of e-mail received. However, it is not impossible for spammers to use this technology to spread their spam. To complement this standard, mail servers will add DMARC and SPF signatures to messages sent.
– SPF: indicates which servers and domains are authorized to send messages on behalf of an organization.
– DMARC: checks the consistency of other SPF and DKIM indicators. DMARC verifies the correspondence between the sender’s domain and its official mail server. This ensures that there are no attempts at identity theft, phishing or spoofing. This standard makes signing emails from reliable.

How do I use DKIM?

DKIM works with two keys: the public key of the DNS record and the private key of the mail server. When toto@toto.com sends e-mails, its mail server generates a DKIM signature header with the private key.

When the recipient’s mail server receives an e-mail, it checks the DKIM record using the public key of the DNS record for the toto.com domain. If the public key and DKIM signature information match, the e-mail is considered legitimate. If not, it’s considered spam, as there’s a risk that the e-mail may have been modified.

How do I configure DKIM?

DKIM is configured with a TXT entry in the DNS zone consisting of “selecteur._domainkey.domain.tld”. You can generate your DKIM key at https://nstools.fr/tools/dkim_generator . In the case of Altospam, we invite you to go to your administration interface, “MailOut” section, “SPF/DKIM” to copy and paste the relevant information into your DNS zones. Once the information has been updated in your DNS, you can activate the automatic DKIM signature, simply by checking the corresponding box: “Activate DKIM signature”.

Would you like to strengthen your e-mail security?

Security starts in your mailbox. We offer a free 15-day analysis of your mailbox.