DomainKeys Identified Mail

DomainKeys is a relatively new authentication system for sending email that provides receiving mail systems with an additional assurance that it is legitimately sent from where it claims. Having authentication like this allows domain based blacklists and whitelists to function more effectively and can make certain types of phishing schemes easier to detect. Another benefit is that spam filtering can be made much more reliable because DKIM (DomainKeys Identified Mail) can prevent spammers from forging the source address of their messages. This system allows mail servers to sign outgoing messages with an SHA-256 signature and work as follows:

Public/Private key infrastructure without an authentication certificate.

The mail server sending mail from the domain creates public and private key pair DNS server Holds txt record with DKIM public key of the mail server. It also computes the SHA-256 Signature of an e-mails header/body data and signs it with private key.

The mail server that receives mail and supports DKIM txt record lookup (example, exchange 2010, postfix with configuration, exim with configuration) receives an e-mail with a DKIM signature: DNS lookup for DKIM txt record, decrypt SHA-256 with provided public key, if the value doesn't match then the message has been *TAMPERED WITH* or is *FORGED*, this is handled based on mail servers configuration.

The end result is that by upgrading your e-mail accounts to have this feature is like sending a certified letter through the post office. Other servers have a valid way to verify who you are.

DomainKeys was designed by Yahoo and is under patent. Yahoo had released the code to the DK library under a dual license DomainKeys Patent License Agreement v1.2/GPL v2.0  which maintains ownership of all code to Yahoo.  This went unmaintained and has now been replaced by a Patent free version called The OpenDKIM Project with licensing under the New BSD License.