DomainKeys and DomainKeys Identified Mail (DKIM)
Golagana Gowri Prasad • IT & Systems • 11 years ago • 4 min read

DomainKeys, and DKIM after it, allow a receiving mail server to verify that a message really was sent by the domain it claims to come from. We think it will not be long before mail servers start to distrust mail that should be signed but is not. The check is bound to the domain name rather than to the IP address of the sending server, so it still works when the sender runs several outbound servers or routes mail through relays, and a message can be verified after any number of hops provided the relays leave the signed headers and body intact. Verification does not even have to be done by a server: a mail client such as Outlook could check the signature itself.

The great advantage for mail server administrators is that a large share of incoming mail becomes verifiable and forged messages can be dropped. Every message that claims to come from a domain that signs its mail can be checked on arrival, and you can do this even before you sign your own outgoing mail. That blocks a great deal of spam, and it stops phishing that impersonates banks and other well-known senders. The signature also covers the message body and the listed headers, so tampering with those parts in transit is detected. Two limits are worth knowing: headers that are not listed in the signature can still be altered undetected, and a relay that rewrites the body, such as a mailing list that adds a footer, breaks the signature even though nothing malicious happened.

DomainKeys works much like an ordinary digital signature. The difference is that the signature is applied by the sending server on behalf of the domain rather than by an individual user; a message can still carry a personal signature (S/MIME or PGP) in addition. The outgoing server signs selected headers plus the body with the domain's private key and adds the result as a header of the message. The matching public key is published in the domain's DNS as a TXT record under a selector name (for DKIM, selector._domainkey.example.com), so any receiving server can fetch it with an ordinary DNS query, which is reliable and needs no prior arrangement between the two sites. Because only the domain's administrators can normally change its DNS records, publishing the key there ties the signature to control of the domain. Two caveats apply: plain DNS answers are not authenticated, so a verifier that can be fed spoofed DNS can be fed a false key unless DNSSEC protects the zone, and the whole scheme is only as strong as the protection of the private key on the signing servers. DomainKeys also let a domain publish a policy record stating that all of its mail is signed, in which case unsigned mail claiming to be from that domain can be treated as forged. DKIM itself carries no such policy, and without one a missing signature proves nothing; that role was later taken over by DMARC.
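The signing and verification steps just described, as an added example written for this page (it is not code from the original post, from Yahoo, or from any mail server product). It is Go using only the standard library and implements the DKIM (RFC 6376) form of the scheme, rsa-sha256 with relaxed canonicalization, rather than the older DomainKeys header format. The Message type is a pre-parsed message (an assumption; parsing raw RFC 5322 text is left out), the verifier is handed the public key directly where a real receiver would fetch it from DNS at selector._domainkey.domain, and example.com and sel1 are placeholder names.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"regexp"
	"strings"
)

// Header is one mail header field; Message is the parsed mail, headers in order plus body.
type Header struct{ Name, Value string }
type Message struct {
	Headers []Header
	Body    string
}

// signedHeaders becomes the h= tag: the header fields the signature covers.
var signedHeaders = []string{"From", "To", "Subject", "Date"}

var wsp = regexp.MustCompile(`[ \t]+`)
var bTag = regexp.MustCompile(`(^|;)(\s*)b=[^;]*`) // the b= tag, blanked before hashing

// relaxedHeader implements DKIM "relaxed" header canonicalization (RFC 6376 section 3.4.2).
func relaxedHeader(h Header) string {
	v := strings.TrimSpace(wsp.ReplaceAllString(strings.ReplaceAll(h.Value, "\r\n", ""), " "))
	return strings.ToLower(strings.TrimSpace(h.Name)) + ":" + v + "\r\n"
}

// relaxedBody implements DKIM "relaxed" body canonicalization (RFC 6376 section 3.4.4):
// squeeze whitespace runs, strip trailing whitespace, drop empty lines at the end.
func relaxedBody(body string) string {
	lines := strings.Split(wsp.ReplaceAllString(body, " "), "\r\n")
	for i, l := range lines {
		lines[i] = strings.TrimRight(l, " ")
	}
	s := strings.TrimRight(strings.Join(lines, "\r\n"), "\r\n")
	if s == "" {
		return ""
	}
	return s + "\r\n"
}

// tags parses the "k=v; k=v" list that makes up a DKIM-Signature value.
func tags(s string) map[string]string {
	out := map[string]string{}
	for _, kv := range strings.Split(s, ";") {
		if p := strings.SplitN(kv, "=", 2); len(p) == 2 {
			out[strings.TrimSpace(p[0])] = strings.TrimSpace(p[1])
		}
	}
	return out
}

// headerHash is what actually gets signed: the covered headers (h= tag, last instance of
// each) followed by the DKIM-Signature field itself with an empty b= value and no final CRLF.
func headerHash(m Message, sig string) []byte {
	var b strings.Builder
	for _, name := range strings.Split(tags(sig)["h"], ":") {
		for i := len(m.Headers) - 1; i >= 0; i-- {
			if strings.EqualFold(m.Headers[i].Name, name) {
				b.WriteString(relaxedHeader(m.Headers[i]))
				break
			}
		}
	}
	blanked := Header{"DKIM-Signature", bTag.ReplaceAllString(sig, "${1}${2}b=")}
	b.WriteString(strings.TrimSuffix(relaxedHeader(blanked), "\r\n"))
	sum := sha256.Sum256([]byte(b.String()))
	return sum[:]
}

// Sign returns the DKIM-Signature header value for m, made with the domain's private key.
func Sign(m Message, domain, selector string, key *rsa.PrivateKey) (string, error) {
	bh := sha256.Sum256([]byte(relaxedBody(m.Body)))
	sig := "v=1; a=rsa-sha256; c=relaxed/relaxed; d=" + domain + "; s=" + selector + "; h=" +
		strings.ToLower(strings.Join(signedHeaders, ":")) + "; bh=" + base64.StdEncoding.EncodeToString(bh[:]) + "; b="
	raw, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, headerHash(m, sig))
	if err != nil {
		return "", err
	}
	return sig + base64.StdEncoding.EncodeToString(raw), nil
}

// Verify checks sig over m with the domain's public key, which a real receiver fetches
// from DNS at <s>._domainkey.<d>. It returns the verdict and the reason for a failure.
func Verify(m Message, sig string, pub *rsa.PublicKey) (bool, string) {
	t := tags(sig)
	bh := sha256.Sum256([]byte(relaxedBody(m.Body)))
	if base64.StdEncoding.EncodeToString(bh[:]) != t["bh"] {
		return false, "body hash mismatch: the body changed after signing"
	}
	raw, err := base64.StdEncoding.DecodeString(t["b"])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerHash(m, sig), raw) != nil {
		return false, "signature invalid: a covered header changed, or wrong key"
	}
	return true, "pass"
}
```

Verification is split into the body-hash check and the header-signature check so that a failure reports which part of the message was altered. Whitespace-only changes made by relays survive relaxed canonicalization; any change to the body text or to a covered header does not, and a signature checked against the wrong domain's key fails as well.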

Major providers such as Yahoo (which invented DomainKeys; DKIM was a later merger of DomainKeys with Cisco's Identified Internet Mail) and Google sign all their outgoing mail. Forged mail claiming to come from these companies can therefore be detected on arrival and kept out of your users' inboxes, provided you know that the domain signs everything it sends and the message has not been altered by a relay on the way.

Checking for signed email.

If your mail server does not understand DomainKeys or DKIM, a signed message simply looks like an ordinary message with one extra header; nothing breaks. Once you configure the server to verify signatures, you choose what to do with failures; in most cases that means deleting mail that fails the check or marking it as spam. Keep three cases apart: a signature that fails to verify, a message with no signature from a domain that states it signs everything, and a message with no signature from a domain that makes no such statement. Only the first two justify rejection, and a key record flagged as being in test mode asks you to treat even a failure as if the message were unsigned. With those distinctions in place you can reliably discard a large amount of spam that claims to come from the major providers.

MDaemon has DomainKeys support built in. Most other mail servers, free ones included, either have it built in or offer an add-on module; install it and configure it.

Signing your own email.

The next step is to sign your own outgoing mail. This means adding records to your domain's DNS, so you will need the cooperation of whoever administers the domain. Generate a key pair, keep the private key on the signing server, and publish the public key in a TXT record under a selector name of your choosing, with the record flagged as being in test mode (the t=y tag) so that receivers treat any failure as if the mail were unsigned rather than rejecting it. Then configure your servers to sign all outgoing mail. When you are confident that every outbound path signs correctly, remove the test flag from the DNS record to go live. Plan for key rotation as well: selectors exist so that a new key can be published under a new name alongside the old one, and the old record should stay in DNS until mail signed with it has stopped circulating.

For details of the actual setup, refer to Yahoo's DomainKeys guide or the documentation that comes with your mail server software.


DomainKeys is a robust and well thought out technology, and it is compatible with all current email software because a receiver that does not understand it simply ignores the extra header. We think it will be the future of email and help to turn the tide against spam.

