Support for DomainKeys Identified Mail (DKIM) RFC 4871


DONE Support for DomainKeys Identified Mail (DKIM) RFC 4871

Last activity: 3 years ago
DKIM uses public-key cryptography to allow the sender to electronically sign legitimate emails in a way that can be verified by recipients. Prominent email service providers implementing DKIM (or its slightly different predecessor, DomainKeys) include Yahoo and Gmail. Any mail from these domains should carry a DKIM signature, and if the recipient knows this, they can discard mail that hasn't been signed, or that has an invalid signature. Learn more at


Before voting, I just wanted to add that DKIM support was already considered in the past (as an External Agent), but we decided to postpone this feature, because of the "if the recipient knows this" part. With DKIM (unlike with SPF), you cannot verify if the sender domain signs all its emails with DKIM or not. This has the following consequences:

- You have to maintain a list of domains you know to sign emails with DKIM, and even in that case, you are probably just guessing if all emails are signed or just some. If not all of them are signed, legitimate emails will be lost.
- A spammer can still send forged emails in the name of the DKIM-protected domain and pass the DKIM test with flying colors, just by NOT signing the email (which they could not do anyway, so why bother at all).

DKIM has an optional extension called ADSP (formerly known as ASP and SSP), but this extension, as of writing this, is still in draft status and subject to change. We believe that DKIM will become useful for ORF only after ADSP becomes an approved RFC standard.
by Peter Karsai (Vamsoft) more than 10 years ago
DKIM and ADSP are today both listed as 'proposed standards' at, so it now seems to be a good time to implement support for them.
by Geoff more than 10 years ago
The ESPs (email service providers) are already using DKIM/DomainKeys and SPF to authenticate their email, so I find it curious that it (DKIM validation) is not yet implemented in ORF. DKIM & SPF checks are going further now with the introduction of DMARC. The initiative is backed by: Agari / American Greetings / AOL / Bank of America / Cloudmark / Comcast / Facebook / Fidelity / Google / Linkedin / Microsoft / PayPal / ReturnPath / TDP / Yahoo
by AlwindB more than 10 years ago
DKIM support would be nice, but it has been spotty across the industry for the past few years. Even nicer, and closely related to this, would be TLS support. -ASB:
by andrew.baker 9 years ago
Peter - I know your post is 4 years old and you may already know, but a DKIM signer actually can indicate if all ("o=-") or some ("o=~") of their mail is DKIM-signed. If your domain is, then the txt record at would indicate your preference. I just started DKIM signing our outbound mail, and also implemented DMARC. I think a DKIM + DMARC implementation for ORF would be great.
by michael.sparks 9 years ago
Use DKIM for whitelisting SPF-check. Not more.
by DenM 4 years ago
I know I'm really late to the conversation. But a comment on this item seems to indicate that you would have to maintain a list of domains that use DKIM or not. I don't see how that would be a problem. It would just be used for whitelisting and not for blocking, as a positive ID; it would only block an email that has DKIM if the DNS public key existed for that domain and it didn't validate. If DKIM came in the email but the selector didn't exist on the DNS, then it could still pass the test. I suppose you could have an option to be more restrictive. Perhaps my understanding is flawed. This has been around for 10 years now and it seems it is time to get it implemented along with DMARC.
by matt.nielsen 4 years ago
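
The trade-off raised in Peter Karsai's and matt.nielsen's comments above, as an added Python example that is not part of the thread and is not ORF's code: it parses the DKIM-Signature tag list and an ADSP record (RFC 5617) and returns a verdict. The results of the key lookup and signature check are passed in by the caller; the verdict names, the `strict` option and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

def parse_tags(value):
    """Parse a tag=value list such as 'v=1; d=example.com; s=sel' into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def adsp_policy(txt_record):
    """ADSP practice published at _adsp._domainkey.<author domain> (RFC 5617)."""
    if not txt_record:
        return "unknown"  # no record: absence of a signature proves nothing
    practice = parse_tags(txt_record).get("dkim", "unknown")
    return practice if practice in ("all", "discardable") else "unknown"

def evaluate(raw_message, key_found, signature_valid, adsp_txt=None, strict=False):
    """Return 'whitelist', 'reject', 'suspicious' or 'neutral' (hypothetical names).

    key_found / signature_valid are the results of the DNS key lookup and the
    cryptographic check, which are performed elsewhere and passed in here.
    """
    header = message_from_string(raw_message).get("DKIM-Signature")
    tags = parse_tags(header) if header else {}
    if not (tags.get("d") and tags.get("s")):
        # Unsigned (or unusable signature): only a published ADSP practice
        # makes the missing signature meaningful.
        return {"all": "suspicious", "discardable": "reject"}.get(
            adsp_policy(adsp_txt), "neutral")
    if not key_found:
        # Selector missing in DNS: pass by default, fail only in strict mode.
        return "reject" if strict else "neutral"
    # Key exists: a valid signature is a positive ID, an invalid one is blocked.
    return "whitelist" if signature_valid else "reject"

# Constructed sample messages (placeholder hash and signature values).
SIGNED = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;\n"
    "\th=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: alice@example.com\nSubject: hello\n\nbody\n"
)
UNSIGNED = "From: alice@example.com\nSubject: hello\n\nbody\n"

if __name__ == "__main__":
    print(evaluate(SIGNED, True, True))
    print(evaluate(UNSIGNED, False, False))
    print(evaluate(UNSIGNED, False, False, "dkim=discardable"))
```
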
DKIM is now fully used by Google and Microsoft. DMARC is also in widespread use. Clients are now seriously looking at Microsoft for all their services including email. So we need to be able to compete.
by stephen.challen 3 years ago
