First look at DKIM2: The next generation of DKIM

In 2011, the original DomainKeys Identified Mail (DKIM1) standard was published. It outlined a method allowing a domain to sign emails, enabling recipients to verify that the email originated from an entity holding a private key that matches the public key published in the domain’s DNS records.

Now in 2024, DKIM is ready for a facelift, with the introduction of DKIM2, designed to update and replace the existing DKIM1 solution.

What is DKIM?

DKIM is a protocol, currently defined in RFC 6376, that uses cryptographic hashes and digital signatures to verify that an email originated from, or passed through, the claimed mail server and has not been altered in transit.

This is done using asymmetric (public-key) cryptography, which pairs a public and a private key. The private key is held securely by the sender’s mail server and is used to create a digital signature on the email. The public key is published in the sender’s DNS records, where recipients can retrieve it to verify the authenticity of received messages.

When an email is sent, the headers and body are signed with the private key to produce a digital signature, which is added to the message as a header. On the receiving side, if DKIM is supported, the server retrieves the public key from the sender’s DNS and checks whether the email was genuinely signed by the sender’s domain. A successful verification confirms that the message was indeed sent by the identified domain and that its signed contents remained intact in transit. It is worth remembering that DKIM itself does not block or allow any email; that is DMARC’s job, and DMARC requires the DKIM signature to both pass authentication and align with the domain of the message.

Introducing DKIM2

DKIM2 is the proposed successor to DomainKeys Identified Mail (DKIM1). Building on the foundation of DKIM1, DKIM2 introduces stronger cryptographic standards and improved compatibility with intermediary mail servers that forward emails or otherwise modify them. These upgrades make email authentication more reliable, helping to prevent email spoofing and phishing attacks while making it easier for organizations to protect their domains in an increasingly complex digital landscape.

In addition to improved security features, DKIM2 streamlines key management, allowing for easier and more frequent rotation of cryptographic keys to maintain security standards. It also enhances reporting and transparency, enabling organizations to monitor email traffic more effectively and quickly identify any unauthorized use of their domain. These enhancements make DKIM2 a valuable tool for organizations looking to strengthen email security and reduce the risk of fraudulent messages.

How will DKIM2 benefit my organization? 

DKIM2 will offer organizations several advantages over DKIM1 by addressing some of the limitations in the original protocol, making email authentication more secure and adaptable to modern email ecosystems. Here are some key ways DKIM2 improves support for organizations:

  1. Enhanced cryptographic standards: DKIM2 introduces stronger cryptographic algorithms, reducing vulnerabilities to advanced attacks and providing better protection for high-volume email domains and organizations handling sensitive information. It also reduces the verification load on large mail providers: if the message was not altered, only the first signature needs to be checked.
  2. Forwarder flexibility and resilience: DKIM2 introduces a mechanism to increase resilience against modification by intermediaries such as mailing lists. Mailing lists and other forwarders that alter any headers will be asked to record the previous header contents so that the change can be undone for verification. Coupled with numbered signatures, this makes it possible to verify the email at every step.
  3. Greater transparency and reporting: DKIM2 includes expanded reporting capabilities, allowing organizations to receive detailed information on DKIM-related authentication failures and insights into potential misuse through feedback loops. This helps in monitoring and quickly responding to unauthorized use of their domains.
  4. Improved key management and rotation: DKIM2 provides streamlined key rotation practices, making it easier for organizations to regularly update their cryptographic keys and minimize the risks associated with compromised or outdated keys.
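The signing and verification flow described in "What is DKIM?", extended with the forwarder idea from point 2 above (each hop adds a numbered signature, and a forwarder that alters a header records the value it replaced so a verifier can undo the change and check every hop), as an added illustration that is not the page's code and does not use the DKIM2 draft's actual header syntax. The `modified:` record format, the toy header canonicalization, the covered header set and the choice of Ed25519 are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"maps"
	"strings"
)

// Hop is one numbered signature. A forwarder that alters a header records the
// header's previous value in its hop so a verifier can undo the change.
type Hop struct {
	Pub               ed25519.PublicKey
	Sig               []byte
	Changed, Previous string // altered header name ("" if none) and its prior value
}

// digest is what a hop signs: covered headers (toy canonicalization), SHA-256 body hash as in DKIM, own change record.
func digest(hdr map[string]string, body, changed, previous string) []byte {
	var b strings.Builder
	for _, h := range []string{"from", "to", "subject"} {
		b.WriteString(h + ":" + strings.TrimSpace(hdr[h]) + "\r\n")
	}
	bh := sha256.Sum256([]byte(body))
	b.Write(bh[:])
	b.WriteString("\r\nmodified:" + changed + "=" + previous) // hypothetical record format
	return []byte(b.String())
}

// Sign adds a hop; if header != "" it first rewrites that header to newVal (as a list rewrites Subject), recording the old value.
func Sign(hdr map[string]string, body string, priv ed25519.PrivateKey, header, newVal string) Hop {
	hop := Hop{Pub: priv.Public().(ed25519.PublicKey), Changed: header}
	if header != "" {
		hop.Previous, hdr[header] = hdr[header], newVal
	}
	hop.Sig = ed25519.Sign(priv, digest(hdr, body, header, hop.Previous))
	return hop
}

// VerifyChain checks hops newest-first, undoing each recorded change to recover the
// message the earlier hop signed. Returns the index of the first failing hop, or -1.
func VerifyChain(hdr map[string]string, body string, hops []Hop) int {
	cur := maps.Clone(hdr) // work on a copy; never mutate the caller's headers
	for i := len(hops) - 1; i >= 0; i-- {
		if h := hops[i]; !ed25519.Verify(h.Pub, digest(cur, body, h.Changed, h.Previous), h.Sig) {
			return i
		} else if h.Changed != "" {
			cur[h.Changed] = h.Previous // undo this hop's change
		}
	}
	return -1
}
```

Because each hop also signs its own change record, a forwarder that rewrites a header without recording the old value breaks the originator's signature, and a tampered record breaks the forwarder's own.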

In short, DKIM2 is designed to offer greater resilience, security, and operational ease, making it a more robust solution for protecting organizational email domains against modern email threats. While still a draft and subject to change, DKIM2 promises significant benefits for users.

If you’re looking to enhance your email security, speak to the Red Sift team today.

PUBLISHED BY

Red Sift

5 Nov. 2024
