Is DKIM2 the next chapter in email authentication?

 

The current version of DKIM (DomainKeys Identified Mail) that you might be using was introduced in 2011. A lot has happened in the cybersecurity world since then. Indeed, we have evolved a lot, but so have the hackers! They’ve become smarter, employing sophisticated tricks to impersonate emails, steal data, and scam companies.

And that’s where DKIM comes in! It adds a digital signature to emails, verifying that they truly originate from the domain of the sender and haven’t been altered in transit. Even though this version is still effective, cyberattackers are finding new ways to outsmart these protocols. This means it’s time to upgrade our security game! 

It’s 2025, and we finally have a new version of DKIM— DKIM2! DKIM2 is designed to take email security to the next level, addressing the weaknesses of its predecessor and adapting to the ever-evolving threat landscape.

Let us take a look at what this new version of DKIM is all about. And why do we even need to replace the existing version with DKIM2?

 

Why do we even need to replace DKIM?

DKIM has been protecting emails for years by adding a digital signature that authenticates that an email is legitimate. But since hackers have become increasingly sophisticated, DKIM1—the one we have been using since 2007—has begun to develop some vulnerabilities. This is why we need an upgraded version. 

Let us take a look at how the loopholes in DKIM1 are paving the way for an upgraded version:

 

Emails get altered during forwarding

One of the biggest issues with DKIM1 is that it doesn’t work well with email modifications. When emails go through intermediaries such as mailing lists or spam filters, they sometimes get altered a little bit—for instance, multiple disclaimers are added, or an email header is tweaked. So, even the slightest change in the email can invalidate DKIM1’s digital signature, which leads to authentication failure and the email ending up in the spam folder. In such cases, even if the email is authentic and hasn’t been changed per se, it won’t reach the recipient. 

 

 

 

Hackers exploit DKIM signatures for replay attacks

DKIM1 has one big loophole—replay attack. In these attacks, attackers can copy an email that was signed with DKIM, forward it several times, and even alter the body content while continuing to maintain the legitimate DKIM signature. Since the valid email signature is still retained, mail servers can unknowingly perceive it as legitimate, despite the fact that it’s now being misused for spam, phishing, or fraud.

 

No standardized feedback on DKIM failures

Right now, when an email that has been signed with a DKIM signature fails, there is no standardized way for email providers to notify the senders about this failure. Some businesses do implement their own feedback loops, but these aren’t the same across various email systems. This makes it difficult for businesses to figure out if their emails are being delivered properly or marked as spam. 

 

Innocent domains suffer from the backscatter problem

Sometimes, scammers forge email sender addresses while sending fraudulent emails, and when these emails don’t get delivered, it negatively impacts the real domain owner. What happens is, when the message doesn’t get through, the system sends a “failure notice” (Delivery Status Notification, or DSN) to the legitimate email owner who never had any part in this! This is called backscatter. This becomes a real headache for the domain owner, as it not only fills up your inbox with unwanted failure notices but also damages your domain’s reputation.

 

 

What is DKIM2?

To put it simply, DKIM2 is the new and improved version of DKIM1. 

As we have already established, DKIM1 had some vulnerabilities that hackers could easily leverage, making email authentication less reliable. So, the upgraded version, DKIM2, offers enhanced security with improved encryption, better management of forwarded emails, and simplified key management to secure emails.

In short, this version is designed to help you easily monitor email activity, enabling you to detect and prevent malicious emails from reaching their destination. 

 

In what ways is DKIM2 better than DKIM1?

DKIM2 addresses the gaps left behind by its predecessor, DKIM1, which makes it more reliable and adaptable to modern email threats. 

Let us take a look at all the ways that DKIM2 improves upon DKIM1:

 

 

Standardized headers for added security

DKIM1 does not sign all email headers correctly at all times, which leaves loopholes that can be exploited by hackers. DKIM2 ensures that all critical email headers are signed in a standard manner so that there is no ambiguity and no vulnerabilities for hackers to exploit. This ensures that email authentication remains consistent and secure.

 

Stops backscatter spam

Do you ever get strange failure notifications for emails you never sent?

That is because spammers forge your email address, and when their messages bounce, the bounce-back notifications are sent to you and not them.

DKIM2 fixes this issue by ensuring that the failure notices only reach the last mail server that handled the email, so innocent users are not spammed with false error messages.

 

Easier error handling

With DKIM1, when an email bounces or doesn’t get delivered, it doesn’t necessarily make it simple to determine what went wrong. But with DKIM2, it’s a lot easier to track errors so that you can understand why an email failed and fix those problems immediately. It also allows mailing lists to track, manage, and undo the changes they made, making it easier to check whether an email has been altered. 

 

Prevent DKIM replay attacks

One of the main issues with DKIM1 is that an attacker can take a DKIM-signed message and send it repeatedly to various individuals, making them believe it’s a genuine message. DKIM2 resolves this by including timestamps and recipient information, allowing the emails to be easily detected and blocked if they are replayed.

 

 

Enhanced encryption

DKIM2 is compatible with different types of encryption, such as RSA, elliptic curve, and even post-quantum encryption in the future. This means that if an encryption method is compromised or becomes outdated, you can simply switch to a more secure one without disrupting email authentication.

 

Lesser cryptographic computations for faster processing

DKIM1 makes email servers verify all DKIM signatures on an email, which slows down the process. However, DKIM2 checks the first valid DKIM signature if the email hasn’t been changed, making the process faster and more efficient.