---
title: "Inside RFC 6376: How DKIM Verification Actually Works | AutoSPF"
description: "A technical walkthrough of how receiving servers verify DKIM signatures under RFC 6376 - from header extraction to canonicalization, body hash, and signature check."
image: "https://autospf.com/og/blog/inside-rfc-6376-how-dkim-verification-actually-works.png"
canonical: "https://autospf.com/blog/inside-rfc-6376-how-dkim-verification-actually-works/"
---

Quick Answer

DKIM verification under RFC 6376 follows five steps: the receiving server extracts the DKIM-Signature header, looks up the public key in DNS using the selector and signing domain, canonicalizes the message, recomputes and compares the body hash, and finally verifies the cryptographic signature with the public key. If any step fails, the DKIM check fails.


![RFC 6376: DKIM verification process diagram](https://media.mailhop.org/autospf/images/2026/04/spf-permerror-3544.jpg) 

DKIM verification under [RFC 6376](https://datatracker.ietf.org/doc/html/rfc6376) follows five steps: the receiving server extracts the `DKIM-Signature` header, retrieves the public key from DNS using the `s=` selector and `d=` signing domain, canonicalizes the message according to the `c=` tag, recomputes and compares the body hash in `bh=`, and verifies the signature in `b=` against the public key. If any step fails, the DKIM check fails and the receiver decides whether to accept, quarantine, or reject the message.

Learn more in our [comprehensive DKIM guide](/blog/what-is-dkim-email-authentication-guide/).

Every email that your recipients receive comes with an invisible claim that “this email is from who it says it comes from and is sent as it is without any alterations or tampering.”

For the longest time, there was no protocol or measure to substantiate this claim; perhaps that’s why [cybercriminals](https://incyber.org/en/article/united-states-amounts-stolen-by-cybercriminals-up-33/) exploited this gap to send out phishing and spoofing emails. It was only in 2011 that the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet%5FEngineering%5FTask%5FForce) published RFC 6376, standardizing DomainKeys Identified Mail (DKIM) to **protect outgoing emails** from being spoofed or tampered with along the way to recipients’ inboxes.

[DKIM](/blog/how-dkim-works-a-comprehensive-guide-to-email-authentication/) goes beyond relying solely on the “From” address to **verify email legitimacy**; it uses cryptographic signatures to sign outgoing messages to confirm their authenticity. When the receiving server receives the email, it checks the DKIM signature and verifies it using the public key stored in your [DNS records](https://www.cloudflare.com/learning/dns/dns-records/). If the DKIM signature can be successfully verified using the public key, the email is considered authentic and safe to deliver. If it cannot, the **DKIM check** fails, and the email may be marked as suspicious, [sent to spam](https://www.cbc.ca/news/canada/british-columbia/surrey-teachers-suspension-emails-spam-9.7107633), or rejected altogether.

This is what happens on the outside; what goes on behind the scenes is more technical and governed by RFC 6376. Let’s dig deeper and understand how DKIM verification actually works.

## What is a DKIM signature, and what information does it contain?

![Anatomy of a DKIM signature](https://media.mailhop.org/autospf/images/2026/04/spf-flatterning-5177.jpg) 

A DKIM signature is not a typical signature that you add at the end of your messages; it is a special header attached to the outgoing email by the sending server. This header contains everything a receiving server needs to verify the message: the signing domain, the algorithm used, the headers that were signed, a hash of the message body, and the **cryptographic signature** itself.

A typical DKIM signature looks like this:

```
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=big-email;
 c=relaxed/relaxed; q=dns/txt; t=1614350000;
 h=from:to:subject;
 bh=uMixy0BsCqhbru4fqPZQdeZY5Pq865sNAnOAxNgUS0s=;
 b=LiIvJeRyqMo0gngiCygwpiKphJjYezb5kXBKCNj8DqRVcCk7obK6OUg4o+EufEbB
  tRYQfQhgIkx5m70IqA6dP+DBZUcsJyS9C+vm2xRK7qyHi2hUFpYS5pkeiNVoQk/Wk4w
  ZG4tu/g+OA49mS7VX+64FXr79MPwOMRRmJ3lNwJU=
```

Each **syntax and semantic element** of the [DKIM signature](https://docs.mapp.com/docs/dkim-signature) is defined by RFC 6376 to ensure that it works uniformly across various mail agents and verification systems.

Some major tags you should know about:

- `v=` tells the DKIM version being used
- `a=` specifies which signing algorithm was used, such as [rsa-sha256](https://bluetickconsultants.medium.com/how-sha-256-and-rsa-encryption-improve-user-authentication-in-web-applications-d627aeb81c6a)
- `d=` identifies the domain that signed the email
- `s=` specifies the selector used to locate the correct public key in DNS
- `c=` defines the **canonicalization method for headers and body**
- `h=` lists the [email headers](https://www.campaignmonitor.com/resources/knowledge-base/what-is-an-email-header/) that were included in the signature
- `bh=` contains the hash of the email body
- `b=` contains the actual DKIM signature value

When these fields come together, they give the receiving server the complete picture of the outgoing email: how it was signed, which domain signed it, and where to find the [public key](https://www.techtarget.com/searchsecurity/definition/public-key) needed for verification.

## What goes on behind the scenes of DKIM verification?

![Five steps of DKIM verification](https://media.mailhop.org/autospf/images/2026/04/spf-record-check-3225.jpg) 

DKIM verification does not happen by simply matching the public and [private key](https://www.investopedia.com/terms/p/private-key.asp); it is a **standardized verification process**, defined by RFC 6376. Following this framework ensures that every receiving server validates DKIM signatures in a consistent and secure way.

Here’s what happens step by step:

### How does a receiving server extract the DKIM-Signature header?

When the receiving server receives an email, the first thing it does is look for the **DKIM signature header** in the incoming mail. This header contains all the information needed to verify the email, such as the signing domain, selector, canonicalization method, signed headers, body hash, and the DKIM signature itself.

### How is the public key retrieved from DNS?

Once the server has these details, the next step is to retrieve the public key linked to the [sender’s domain](https://www.copernica.com/en/documentation/sender-domains). It does this by querying DNS using the selector (`s=`) and signing domain (`d=`) mentioned in the `DKIM-Signature` header.

For example, if the DKIM signature contains `s=selector` and `d=example.com`, the receiving server looks up:

```
selector._domainkey.example.com
```

The retrieved public key must align with the declared signing domain in the DKIM signature to confirm that the message is indeed coming from where it claims to be.

![DNS public key lookup diagram](https://media.mailhop.org/autospf/images/2026/04/spf-report.jpg) 

### How does canonicalization normalize the message?

Before the receiving server can verify the DKIM signature, it first has to standardize the email. This process is called [canonicalization](https://www.immwit.com/wiki/canonicalization/). Depending on the method specified in the `c=` tag, the **server processes** the email headers and body in a consistent format. This helps prevent minor changes, such as extra spaces, line breaks, or different capitalization, from causing the DKIM check to fail.

### How is the body hash verified?

After the message has been canonicalized, the receiving server computes the hash of the canonicalized email body and compares it with the value stored in the `bh=` tag of the DKIM signature. If both match, the email body was not changed after signing.
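The DNS lookup name, body canonicalization, and body hash comparison described in the last three steps, as an added Python example that is not part of the original article. The function names and the message bodies are constructed for illustration; the header value is the article's sample with `b=` left out, and its `bh=` is replaced by a hash of the constructed body.

```python
import base64
import hashlib
import re

# DKIM-Signature value from this article, b= left out (the signature is not checked here).
PAGE_HEADER = (
    "v=1; a=rsa-sha256; d=example.com; s=big-email;\r\n"
    " c=relaxed/relaxed; q=dns/txt; t=1614350000;\r\n"
    " h=from:to:subject;\r\n"
    " bh=uMixy0BsCqhbru4fqPZQdeZY5Pq865sNAnOAxNgUS0s=;"
)

def parse_tags(value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 section 3.2)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)        # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = val.strip()
    return tags

def key_query_name(tags: dict) -> str:
    """DNS name of the TXT record that holds the public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def canon_body(body: bytes, method: str) -> bytes:
    """Body canonicalization, RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    if method == "relaxed":
        body = re.sub(rb"[ \t]+(?=\r\n|\Z)", b"", body)  # drop whitespace at line ends
        body = re.sub(rb"[ \t]+", b" ", body)            # collapse runs of whitespace
    body = re.sub(rb"(\r\n)+\Z", b"", body)              # drop empty lines at the end
    if method == "relaxed" and body == b"":
        return b""                                       # relaxed: empty stays empty
    return body + b"\r\n"                                # exactly one final CRLF

def body_hash(body: bytes, tags: dict) -> str:
    """Recompute the value the signer placed in bh=."""
    algo = tags["a"].split("-", 1)[1]                    # rsa-sha256 -> sha256
    # c= is header/body; a missing body part, or a missing c=, means "simple".
    method = (tags.get("c", "simple").split("/") + ["simple"])[1]
    digest = hashlib.new(algo, canon_body(body, method)).digest()
    return base64.b64encode(digest).decode()

def body_hash_ok(body: bytes, tags: dict) -> bool:
    return body_hash(body, tags) == re.sub(r"\s+", "", tags["bh"])

def demo(c_tag: str) -> dict:
    tags = dict(parse_tags(PAGE_HEADER), c=c_tag)
    signed = b"Hi  there \r\nBye\r\n\r\n"                # constructed body as signed
    tags["bh"] = body_hash(signed, tags)                 # stands in for the signer's bh=
    return {
        "query": key_query_name(tags),
        "respaced": body_hash_ok(b"Hi there\r\nBye\r\n", tags),
        "extra_blank_lines": body_hash_ok(signed + b"\r\n\r\n", tags),
        "tampered": body_hash_ok(b"Hi  there \r\nBuy\r\n\r\n", tags),
    }

if __name__ == "__main__":
    for c in ("relaxed/relaxed", "simple/simple"):
        print(c, demo(c))
```

Under `relaxed` the re-spaced body still matches, under `simple` it does not, and a changed word fails under both.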

### How is the DKIM signature itself verified?

If the **body hash matches**, the next step is to verify the DKIM signature. The receiver uses the public key retrieved from DNS to verify the signature stored in the `b=` tag. If the signature verifies, it confirms that the email was signed by the [claimed domain](https://portal.snapaddy.com/knowledge/what-are-claimed-domains) and that the signed parts of the message were not altered after signing.
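Which bytes the `b=` signature actually covers, as an added Python example that is not from the original article: it rebuilds the signed data per RFC 6376 section 3.7 for relaxed header canonicalization only, and stops before the RSA check itself. The message headers, the `b=` value, and the function names are constructed for illustration.

```python
import re

# Constructed message headers as (name, raw value after the colon), top of message first.
HEADERS = [
    ("Received", " from mx.example.net by mail.example.org"),
    ("From", " Alice  <alice@example.com>"),
    ("To", " bob@example.net"),
    ("SUBJECT", " Quarterly\r\n  report "),
]
# Constructed DKIM-Signature value; the b= value is a placeholder, not a real signature.
DKIM_VALUE = (
    " v=1; a=rsa-sha256; d=example.com; s=big-email;\r\n"
    " c=relaxed/relaxed; h=from:to:subject;\r\n"
    " bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;\r\n"
    " b=Q09OU1RSVUNURUQ="
)

def relaxed_header(name: str, value: str) -> str:
    """Relaxed header canonicalization (RFC 6376 section 3.4.2)."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)        # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")   # collapse whitespace, trim the ends
    return f"{name.strip().lower()}:{value}\r\n"

def signature_input(headers: list, dkim_value: str) -> bytes:
    """Data the signer hashed and signed: the h= headers, then DKIM-Signature with b= emptied."""
    h_tag = re.search(r"(?:^|;)\s*h\s*=([^;]*)", dkim_value).group(1)
    remaining = list(headers)
    out = []
    for wanted in (n.strip().lower() for n in h_tag.split(":")):
        # Each h= entry consumes the last unused instance of that header (bottom up).
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted:
                out.append(relaxed_header(*remaining.pop(i)))
                break
        # An h= name with no header left contributes nothing.
    emptied = re.sub(r"((?:^|;)\s*b\s*=)[^;]*", r"\1", dkim_value)  # keep "b=", drop its value
    out.append(relaxed_header("DKIM-Signature", emptied)[:-2])      # no CRLF after the last header
    return "".join(out).encode()

if __name__ == "__main__":
    print(signature_input(HEADERS, DKIM_VALUE).decode())
```

The verifier hashes this byte string with the algorithm in `a=` and checks `b=` against that hash using the public key; headers not named in `h=`, such as `Received` here, are outside the signature.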

![DKIM verification flow](https://media.mailhop.org/autospf/images/2026/04/spf-lookup-6444.jpg) 

## Why DKIM alone is not enough

Now that you know what goes on behind DKIM verification, it might be easier to understand why **implementing DKIM** is not as easy as it seems. With all the technical complexities and moving parts, even a small mistake can compromise your [email deliverability](/blog/optimizing-email-deliverability-strategies-for-success/) and leave your domain exposed to [spoofing and phishing](https://www.msspalert.com/brief/novel-usps-spoofing-phishing-attack-relies-on-malicious-pdfs) attempts.

DKIM verifies message integrity, but it does not tell receivers which IPs are allowed to send on your behalf - that is the job of [SPF](/blog/what-spf-records-are-and-how-they-protect-email-domains/). And neither DKIM nor SPF, on its own, tells receivers what to do when authentication fails - that is the job of [DMARC](/blog/why-spf-alignment-matters-in-dmarc-enforcement/). Full protection requires all three layers, correctly aligned.

This is why it is recommended that you rely on a trusted [email authentication](/blog/role-relevance-of-dns-spf-records-for-email-authentication/) expert. [AutoSPF](/) enhances [email security](/blog/spf-best-practices-cisos-guide-to-email-security/) by automatically managing [SPF records](/blog/what-spf-records-are-and-how-they-protect-email-domains/) - the layer DKIM cannot cover - helping prevent spoofing and **improving email authentication reliability**.

If you want to start your email authentication journey, [reach out to us](/contact-us/) to get started.


[ Adam Lundrigan ](/authors/adam-lundrigan/) 

CTO

CTO of DuoCircle. Architect of AutoSPF's SPF flattening engine and DNS monitoring infrastructure.

