When an email leaves the mail server infrastructure, a digital signature is added to it as a header. The signature is created with a private key that is hosted on the infrastructure. The DKIM-Signature header also contains additional information, such as the list of signed headers and the signing domain. The receiving mail server inspects this signature and uses the selector and the domain to retrieve the public key that is published in DNS. The public key is then used to verify the signature.
For DKIM alignment to occur, the “d=” (domain) value in the DKIM signature header must align with the domain specified in the “From:” header. Everlytic customers need to ensure that DKIM aligns.
Example when inspecting an email header:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=everlytickey1; d=eversrv.com; h=Reply-To:List-Unsubscribe:From:To:Subject:MIME-Version:Date:Message-Id: Content-Type; bh=gbk5LZZp3PJ8Ga8i44p5hHLn+q4jatWyiBAiPfs7oOc=; b=js9BF….
Components of the DKIM-Signature
v=1: Version of the DKIM specification.
a=rsa-sha256: Algorithm used for the digital signature.
s=everlytickey1: Selector specifying the specific key pair used.
d=eversrv.com: Domain of the signing entity.
h=from:to:subject: Headers included in the hash.
bh=gbk5LZZp3PJ8Ga8i44: Body hash of the email content.
b=js9BF….: The actual digital signature.
- DKIM passing means that the DKIM signature verification has succeeded. The cryptographic signature attached to the email has been validated, and the message hasn’t been altered since the signature was applied.
- A DKIM signature can pass even if the signing domain (specified in the “d=” tag of the DKIM signature) is different from the domain in the “From:” header. In other words, DKIM passing doesn’t inherently consider alignment.
- DKIM alignment refers to the condition where the domain specified in the “d=” tag of the DKIM signature aligns with the domain in the “From:” header. Alignment checks ensure that the domains are the same or are part of an authentication mechanism that indicates legitimacy.
- For DKIM alignment, the signing domain in the DKIM signature is typically validated against the domain in the “From:” header. If they align, DKIM alignment is achieved.
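The difference between DKIM passing and DKIM aligning, as an added Python example (not Everlytic's own code): it parses each DKIM-Signature header, builds the DNS name where the public key is looked up, and compares the "d=" domain with the "From:" domain without verifying any signature. It goes beyond the text by separating exact-match (strict) from same-organizational-domain (relaxed) alignment as DMARC defines them. The sample message, the `customer.example` domain, the function names and the two-entry suffix set standing in for the Public Suffix List are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: signed by eversrv.com as in the header above, sent with
# a hypothetical customer From: domain. bh= and b= are placeholders.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=everlytickey1;\n"
    " d=eversrv.com; h=From:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: News <news@mail.customer.example>\n"
    "To: reader@example.org\n"
    "Subject: Hello\n"
    "\n"
    "Body\n"
)

# Tiny stand-in for the Public Suffix List (assumption; use the real list).
MULTI_LABEL_SUFFIXES = {"co.za", "co.uk"}

def parse_dkim_tags(value):
    """Split a DKIM-Signature value into a {tag: value} dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside a tag value is not significant.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def org_domain(domain):
    """Organizational domain: the public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def check_alignment(raw_message, strict=False):
    """One result per DKIM-Signature header. Signatures are not verified here."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    results = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(value)
        d = tags["d"].lower()
        same = d == from_domain if strict else org_domain(d) == org_domain(from_domain)
        results.append({"d": d, "key_record": f"{tags['s']}._domainkey.{d}",
                        "aligned": same})
    return results
```

For the sample, `check_alignment(SAMPLE)` reports `aligned: False`: the eversrv.com signature can verify, but it does not align with a customer "From:" domain until the message is signed with a "d=" value under that domain.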