DKIM: the seal on your e-mail

DKIM: the seal on your e-mail

23-01-2018 14:18:58

“Municipalities in the Netherlands are supposed to have implemented several internet standards for better security on their email by the end of 2017”, wrote former minister of Internal Affairs Ronald Plasterk in response to parliamentary questions in 2016 about secured email from municipalities.

A sampling test by the magazine ‘Binnenlands Bestuur’ (Internal Management) in 2016 showed that the state of the security of emailing systems in municipalities is not very good. Of the 50 municipalities that were tested, only three met the mandatory security standards for email. They were checked for internet standards DKIM, SPF and DMARC, which are used to secure emailing systems against phishing, spam and viruses. 

A seal

The internet standard DKIM, which stands for DomainKeys Identified Mail, turns the sending server into a cryptographic has by using a ‘private key’ and adds the hash to an email in the form of a so-called DKIM header. A kind of seal on the email envelope.

But how does DKIM work exactly? The outgoing and incoming mailing server has to support DKIM. Postfix, Exim and Microsoft Exchange support this protocol. Secondly, a public-private-keypair needs to be generated; a private key for the mailing server and a public key for in the DNS. DKIM sets a ‘selector’, which is included in the header of the email. This selector indicates which record in the DNS should be looked at for the public key. The private key puts the hash in the email on the sending server. With the public key, the incoming mail server checks the DNS whether the hash with the public key matches the DNS

As described before provides a kind of seal for emails. DKIM guarantees that no one has messed with an email after the DKIM header is set. The combination with SPF and DMARC makes it less likely for malicious emails coming from the DKIM supporting domain to end up in inboxes. As a sender of email, you increase your chances of proper emails from your domain being sent and malicious emails from your domain are being stopped.

DKIM headers standard at BIT

DKIM is not yet supported by all email providers. BIT adds DKIM headers to all our clients’ outgoing mail. Our clients add the BIT DKIM public key to the DNS of their own domain once. This way all our clients profit from the DKIM protocol with minimum effort.

Would you like to learn more about DKIM?

You can check whether your domain supports DKIM at Here you can also immediately check whether your email and website meet the other modern and secure internet standards. Do your email and website also score 100% on For questions, contact us on +31 318 648 688 or on We are happy to help you! also makes 'how-to's' available with practical information that can help you implement these standards. Read more about the implementation of SPF, DKIM and DMARC on the Postfix mail server on the SIDN site.