DKIM : Java Glossary

I have left this tombstone entry for historical interest.

DKIM (Domain Keys Identified Mail) is an email authentication system designed to verify the DNS (Domain Name Service) domain of an email sender and the message integrity. In other words, it is a digital signature system to ensure that an email purporting to come from some ISP (Internet Service Provider) actually came from them and was not tampered with. It does not verify the actual sender, however. This helps track down ISPs (Internet Service Providers) who are harbouring spammers and phishers.

DKIM uses DNS-based self-certified keys. Because the scope of DKIM is limited, it does not need generalized, powerful, expensive, long-term certificates issued by separate certificate authorities. The sender generates a private/public key pair for the domain, as if for SSL (Secure Sockets Layer). The sender broadcasts the public key to the Internet at large by registering it in DNS under a phony subdomain name.

DKIM-signed messages don’t require the recipient to implement the signing protocol. Checking incoming mail is optional. It is implemented as an extra line in the message header, of type DKIM-Signature, that is usually ignored.

You might think the spammer could successfully spoof a domain simply by leaving the DKIM-Signature header off. But once the recipient knows that a domain supports DKIM, ever after he rejects all unsigned mail purporting to be from that domain. The spammer has to counterfeit a domain that does not sign with DKIM. That domain then becomes suspect, which encourages them to implement DKIM. If all goes well, everyone will eventually support DKIM, leaving the spammers no reputable domain to spoof.
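The recipient-side decision described above, as an added example that is not part of the original page: it parses the DKIM-Signature header, derives the DNS name under which the signer's public key is published (selector._domainkey.domain, per RFC 6376), and rejects unsigned mail from a domain already known to sign. It does not verify the signature itself, so a "verify" verdict only means a candidate signature is present. KNOWN_SIGNING_DOMAINS, triage, the exact match between d= and the From domain, and the sample messages are assumptions made for illustration.

```python
# Added example: structural DKIM triage only; no cryptographic verification.
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this recipient has already seen signing with DKIM.
KNOWN_SIGNING_DOMAINS = {"example.com"}

def parse_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            # Header folding leaves whitespace inside values; drop it here.
            tags[name.strip()] = "".join(val.split())
    return tags

def triage(raw):
    """Return (verdict, dns_name): 'verify', 'reject-unsigned' or 'no-policy'."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        if {"d", "s", "b", "bh"} <= tags.keys() and tags["d"].lower() == from_domain:
            # The public key is a TXT record at <selector>._domainkey.<domain>.
            return "verify", f"{tags['s']}._domainkey.{tags['d']}"
    if from_domain in KNOWN_SIGNING_DOMAINS:
        # Missing (or foreign-domain) signature for a domain known to sign.
        return "reject-unsigned", None
    return "no-policy", None

# Constructed sample messages; the bh= and b= values are placeholders.
SIGNED = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel2024;\n"
    "\th=from:subject; bh=Q09OU1RSVUNURUQ=;\n"
    "\tb=Q09OU1RSVUNURURfU0lH\n"
    "From: Alice <alice@example.com>\n"
    "Subject: hello\n\nbody\n"
)
UNSIGNED = "From: Alice <alice@example.com>\nSubject: hello\n\nbody\n"

if __name__ == "__main__":
    print(triage(SIGNED))
    print(triage(UNSIGNED))
```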

Canadian Mind Products