The encryption-decryption for DKIM looks something like this:
- Signing the Email (Sender Side): When the sender's server is preparing to send an email, it first creates a hash of the email (or certain parts of the email, defined in the DKIM header). This hash is a kind of 'digital fingerprint' of the email's content. The sender's server then 'encrypts' this hash using the server's private key. This creates the DKIM signature, which is attached to the email in the DKIM-Signature header.
- Verifying the Signature (Recipient Side): When the recipient's server receives the email, it sees the DKIM-Signature header and retrieves the public key from the sender's domain DNS records. The recipient's server then 'decrypts' the DKIM signature using this public key. This doesn't produce the original email content (as would be the case with traditional encryption/decryption), but it does produce the original hash that the sender's server created.
In a traditional encryption scenario, you'd use the recipient's public key to encrypt the message, and the recipient would use their own private key to decrypt it. But in the case of DKIM signatures, the sender uses their own private key to 'sign' the message, and anyone can use the corresponding public key to verify that signature.
So in short:
f(Content hash + private key) = DKIM-signature hash
f(DKIM-signature hash + public key) = Content hash
This process ensures the integrity of the email (the content hasn't been tampered with during transit) and also the authenticity (the email actually originated from the claimed domain).
Remember, the purpose of DKIM is not to keep the email content confidential (that would be the role of encryption), but to verify its authenticity and integrity. The recipient generates its own hash of the received email content and compares it with the decrypted original hash. If they match, the email is verified as authentic and unaltered.
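To make the two steps above concrete, here is an added example (not code from the original article or from any DKIM library) that walks through the sender side and the recipient side with a toy RSA key. It assumes textbook RSA with a small runtime-generated key, SHA-256 as the content hash, and a deliberately simplified header/body canonicalization; real DKIM (RFC 6376) uses PKCS#1 v1.5 padding, the "simple"/"relaxed" canonicalization algorithms and a separate bh= body hash, none of which are reproduced here. The message headers and body are constructed sample values.

```python
"""Toy DKIM-style signing and verification (added example, not DKIM library code).

Assumptions: textbook RSA with a small key generated at runtime, SHA-256 as the
content hash, and a simplified canonicalization of the signed headers and body.
"""
import hashlib
import random


def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test; good enough for a demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random prime with the top bit set so p*q has the expected size."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512):
    """Return ((n, e), (n, d)). Toy size only: real DKIM keys are 1024-2048 bits."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def content_hash(headers: dict, body: str, signed_fields: list) -> int:
    """Hash the listed headers (h= order) plus the body; return the digest as an int.

    Simplified canonicalization: lowercase header name, stripped value, CRLF.
    A header named in signed_fields but absent from the message hashes as empty.
    """
    lookup = {k.lower(): v for k, v in headers.items()}
    canonical = "".join(f"{name}:{lookup.get(name, '').strip()}\r\n" for name in signed_fields)
    canonical += body
    return int.from_bytes(hashlib.sha256(canonical.encode()).digest(), "big")


def sign_message(headers, body, signed_fields, private_key) -> int:
    """Sender side: 'encrypt' the content hash with the private key (textbook RSA)."""
    n, d = private_key
    return pow(content_hash(headers, body, signed_fields), d, n)


def verify_message(headers, body, signed_fields, signature, public_key) -> bool:
    """Recipient side: 'decrypt' the signature with the public key, recompute the
    hash of what actually arrived, and accept only if the two match."""
    n, e = public_key
    recovered_hash = pow(signature, e, n)
    return recovered_hash == content_hash(headers, body, signed_fields)


if __name__ == "__main__":
    public_key, private_key = generate_keypair()
    # Constructed sample message
    headers = {"From": "alice@example.com", "To": "bob@example.net", "Subject": "Invoice"}
    body = "Please find the invoice attached.\r\n"
    fields = ["from", "to", "subject"]
    sig = sign_message(headers, body, fields, private_key)
    print("untouched message verifies:", verify_message(headers, body, fields, sig, public_key))
    tampered = body + "Edited in transit.\r\n"
    print("modified body verifies:", verify_message(headers, tampered, fields, sig, public_key))
```

The second check is the point of the exercise: because the recipient recomputes the hash from the message it received, any change to a signed header or the body yields a different hash than the one recovered from the signature, and verification fails. The public key alone cannot produce a new valid signature, which is why publishing it in DNS costs the sender nothing.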
Luckily, as a typical email sender, you don't need to understand all of the inner workings of the process in order to make it work for you. You just need to make sure your DKIM record configuration and values are correct.
Creating a DKIM Record
Just like for the SPF record and DMARC record, the DKIM record is a TXT type record you add to your DNS records.
A typical DKIM record looks like this: