What is DKIM2?

Email security keeps evolving, and that is a good thing. After almost 20 years, DKIM is getting a successor called DKIM2. The new standard addresses problems that have surfaced in practice, above all with forwarded messages, mailing lists and replayed mail.

We previously wrote the article 'What is DKIM'. In it, we explain what the current standard (DKIM1) is and what it does for email security. We recommend reading that article first; it makes the changes in DKIM2 easier to follow.

What is DKIM2

DKIM2 is the second version of DomainKeys Identified Mail. It is currently being developed at the IETF and is not yet a published standard.

Where DKIM (now referred to as DKIM1) proves that an email was sent by a specific domain, DKIM2 goes a step further: it documents the entire route an email takes from sender to recipient. Every mail server that handles the message adds its own signature, in order, so the receiving server can see exactly which systems processed the message and in what sequence.

Example

Say you run a webshop. Your mail server sends a customer an order confirmation, and the customer forwards it to their bookkeeper.

With DKIM1, this can cause confusion: when the customer forwards the message, a line such as "Forwarded by John Smith" is added automatically. That single extra line changes the body, so the body hash in your DKIM signature no longer matches. The email usually still arrives, but the bookkeeper's mail server can no longer verify that the content is unchanged; it cannot tell a harmless forwarding note from a tampered invoice.

With DKIM2, it works differently. When your mail server sends the order confirmation, it adds a DKIM2 signature. When the customer forwards the email, their mail server adds a second signature and records the change it made (that one "Forwarded by..." line). The bookkeeper's mail server can now establish:

  1. The email really comes from your webshop (first signature)
  2. The customer forwarded the email (second signature)
  3. The only change along the way is the recorded forwarding line; once that is undone, the original signature verifies

This way, the recipient's mail provider can confirm that the original message was not tampered with, even though it was forwarded.

Why DKIM2 is coming

In 2007, when DKIM was introduced, email looked very different: we mainly sent messages directly to one recipient. Today you receive order confirmations from webshops, newsletters from companies and password reset emails from applications. In short, we use email in far more ways than before.

Meanwhile, cybercriminals have not stood still either. Where twenty years ago they mostly sent simple spam, they now use techniques that specifically work around existing measures such as DKIM, for example by replaying legitimately signed messages.

Current problems with DKIM1

DKIM1 works well but has several weak spots that cause problems in practice:

Forwarded emails

When an email is forwarded or passes through a mailing list and something changes on the way (a disclaimer, a list footer, a tag in the subject line), the DKIM1 signature breaks, because the signature covers a hash of the body and of selected headers. The email usually still arrives, but the receiving server can no longer verify that the content is unchanged, and a DMARC check that relies on that DKIM signature fails as well. DKIM2 has each hop record the change it made, so the receiver can undo it and the original signature remains verifiable.

Replaying old emails (Replay Attack)

A DKIM1 signature has optional timestamp (t=) and expiry (x=) tags, but many senders do not set them, and nothing in the signature ties the message to the recipient it was sent to. A cybercriminal who receives a legitimately signed email can therefore resend it, unchanged, to other people, and their mail servers accept it because the signature still verifies. This is called a replay attack.

Example: a webshop sends you an email with a discount code. A bad actor can resend that same email months later to thousands of people, and the signature still checks out as the webshop's. DKIM2 makes the timestamp part of every signature and also records the intended recipient, so a receiving server can see that a message is too old to still be valid, or was never addressed to the mailbox it now arrives in.

We especially see this around Black Friday and the busy holidays when webshops mass-send discount codes. Cybercriminals collect these emails and resend them later.
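The following is an added illustration of the mechanism described in the Example section above and in the Forwarded emails and Replay attack sections: each hop signs the body as it received it, records the change it made, and binds its signature to the envelope recipient and a timestamp, so the final receiver can undo the forwarding change, verify the whole chain, and reject a copy that is stale or addressed to someone else. It is not the DKIM2 wire format and not Lettermint's or the IETF's code; HMAC with shared secrets stands in for the per-domain public keys that DKIM publishes in DNS, and all domain names, message bodies, keys and timestamps are constructed for the example.

```python
"""Toy model of the DKIM2 idea: every hop signs, records what it changed,
and binds its signature to the envelope recipient and a timestamp.

Added illustration, not the DKIM2 wire format and not any project's code.
HMAC with shared secrets stands in for the per-domain public keys DKIM
publishes in DNS; all names, bodies and timestamps are constructed.
"""
import hashlib
import hmac
import json

HOP_KEYS = {  # constructed per-domain signing secrets
    "webshop.example": b"webshop-signing-secret",
    "customer-mail.example": b"customer-signing-secret",
}
MAX_AGE = 7 * 24 * 3600  # assumed acceptance window, seconds


def body_hash(body):
    return hashlib.sha256(body.encode()).hexdigest()


def _mac(hop):
    unsigned = {k: v for k, v in hop.items() if k != "sig"}
    msg = json.dumps(unsigned, sort_keys=True).encode()
    return hmac.new(HOP_KEYS[hop["d"]], msg, "sha256").hexdigest()


def sign_hop(chain, signer, body, mail_from, rcpt_to, now, appended=None):
    """Append this hop's signature to `chain`. `body` is the message as
    the hop sends it on; if it appended a trailer, it signs the hash of
    the body as received and records the trailer so it can be undone."""
    received = body[: -len(appended)] if appended else body
    hop = {
        "i": len(chain) + 1,                  # sequence number
        "d": signer,                          # signing domain
        "mf": mail_from,                      # envelope sender
        "rt": rcpt_to,                        # envelope recipient
        "t": now,                             # signing time
        "bh": body_hash(received),
        "prev": chain[-1]["sig"] if chain else "",
        "mod": ["append", appended] if appended else None,
    }
    hop["sig"] = _mac(hop)
    return chain + [hop]


def verify_chain(chain, body, delivered_to, now):
    """Return (ok, reason) for `body` as delivered to `delivered_to`."""
    if not chain:
        return False, "no signatures"
    if chain[-1]["rt"] != delivered_to:
        return False, "recipient mismatch (possible replay)"
    if now - chain[0]["t"] > MAX_AGE:
        return False, "signature too old (possible replay)"
    for prev, hop in zip(chain, chain[1:]):
        if hop["prev"] != prev["sig"] or hop["i"] != prev["i"] + 1:
            return False, f"chain broken at hop {hop['i']}"
    current = body
    for hop in reversed(chain):  # newest hop first, undoing each change
        if hop["d"] not in HOP_KEYS:
            return False, f"no key for {hop['d']}"
        if not hmac.compare_digest(_mac(hop), hop["sig"]):
            return False, f"bad signature at hop {hop['i']}"
        if hop["mod"]:
            kind, text = hop["mod"]
            if kind != "append" or not current.endswith(text):
                return False, f"recorded change at hop {hop['i']} not found"
            current = current[: -len(text)]
        if body_hash(current) != hop["bh"]:
            return False, f"body hash mismatch at hop {hop['i']}"
    return True, f"original content verified through {len(chain)} hop(s)"


def scenarios():
    """The article's webshop -> customer -> bookkeeper example, plus the
    tampering, replay and stale-message cases a verifier must reject."""
    t0 = 1_700_000_000
    original = "Order #1234: 2 items, total 40.00 EUR\n"
    trailer = "Forwarded by John Smith\n"
    chain = sign_hop([], "webshop.example", original,
                     "orders@webshop.example", "john@customer-mail.example", t0)
    forwarded = original + trailer
    chain = sign_hop(chain, "customer-mail.example", forwarded,
                     "john@customer-mail.example", "books@accountant.example",
                     t0 + 60, appended=trailer)
    tampered = original.replace("40.00", "400.00") + trailer
    to, later = "books@accountant.example", t0 + 120
    return {
        "forwarded": verify_chain(chain, forwarded, to, later),
        "tampered": verify_chain(chain, tampered, to, later),
        "replayed": verify_chain(chain, forwarded, "victim@other.example", later),
        "stale": verify_chain(chain, forwarded, to, t0 + 90 * 86400),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:10}{'PASS' if ok else 'FAIL'}: {reason}")
```

Running the block prints one line per scenario: the forwarded message verifies back to the webshop's signature, while the tampered copy fails on the first hop's body hash, the copy resent to a different mailbox fails the recipient check, and the copy delivered three months later is rejected as too old. Note that the verifier walks the chain from the newest hop backwards, undoing each recorded change before checking the older hop's hash; that ordering is what lets a later hop's footer coexist with an earlier hop's signature.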

Error messages to the wrong person (Backscatter)

When an email cannot be delivered, the sender normally receives a bounce notification. Cybercriminals exploit this by putting your email address in the sender field of their spam: every bounce then lands in your mailbox, even though you never sent those messages. This is called backscatter.

DKIM2 addresses this by returning error messages along the signed route, to the mail server that actually handed the message over (the one whose signature is on it), instead of to whatever address is listed as the sender. If no valid signature points back to your server, the bounce does not come to you.

The difference between DKIM and DKIM2

DKIM2 builds on DKIM1 but solves several important problems. The table below shows the main differences:

Feature                    DKIM1                        DKIM2
-------------------------  ---------------------------  ---------------------------
Basic signature (sender)   Yes                          Yes
Timestamp                  Optional (t= and x= tags)    Yes, in every signature
Recipient information      No                           Yes
Track modifications        No                           Yes
Multiple signatures        Yes, but independent         Yes, as an ordered chain
Backscatter protection     No                           Yes
Replay attack protection   No                           Yes

By signatures we mean the digital proofs that mail servers add automatically. This has nothing to do with the signature block you add at the bottom of your own emails.

When will DKIM2 be available?

DKIM2 is currently still under development at the IETF (Internet Engineering Task Force). This is the organization that establishes internet standards. The specifications are currently being worked out and tested.

There's no definitive date for the rollout yet. New email standards often take years before they're widely supported. Think of DMARC: that standard was introduced in 2012, but was only really widely used by major mail providers years later.

DKIM2 is expected to be rolled out gradually. Large mail providers like Gmail, Outlook, and Yahoo will likely add support first. Then email service providers like Lettermint will follow. For users, little will change: the transition will happen largely automatically.

How will this benefit me?

DKIM2 brings benefits for everyone who uses email. Whether you send or receive emails, the improved security means fewer problems.

For senders

Your emails arrive as intended, even when recipients forward them, because the receiving server can undo the recorded forwarding change and still verify your signature. This also applies to mail you send from subdomains. Old emails from your domain cannot be resent to other recipients, and your address cannot be used for backscatter, without this being noticed.

For recipients

You are better protected against forged emails. Mail servers can see exactly what route a message took and whether anything was modified on the way, and resent old messages are recognised automatically.

Conclusion

DKIM2 is the next step in email security. Where DKIM1 mainly proves that an email comes from your domain, DKIM2 documents the entire route an email takes. Forwarded messages remain trustworthy, old emails cannot be resent, and cybercriminals can no longer abuse your domain as easily.

DKIM2 is currently still under development. At Lettermint, we're closely following these developments and will implement the new standard as soon as it becomes available.

What you can do now: make sure your DKIM, SPF and DMARC records are correctly configured (a valid DKIM key published in DNS, an SPF record that covers every server sending for your domain, and a DMARC policy with reporting enabled). Then you will be ready when DKIM2 becomes available.
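As an added example of the check recommended above (not Lettermint's tooling), the following script lints a DKIM key record and a DMARC policy record for the misconfigurations that most often undermine them: a testing flag on the DKIM key, a key that is too short, a monitoring-only DMARC policy, a partial pct= and missing aggregate reporting. The records are constructed; in practice you fetch your own with `dig TXT <selector>._domainkey.<domain>` and `dig TXT _dmarc.<domain>`. Tag meanings follow RFC 6376 (DKIM) and RFC 7489 (DMARC); the key-length check is a heuristic on the base64 length of the p= value.

```python
"""Lint DKIM and DMARC DNS TXT records for common misconfigurations.

Added example, not Lettermint's tooling. The records below are constructed;
in practice you fetch them with `dig TXT <selector>._domainkey.<domain>` and
`dig TXT _dmarc.<domain>`. Tag meanings follow RFC 6376 (DKIM) and RFC 7489
(DMARC); the key-length check is a heuristic on the base64 size of p=.
"""


def parse_tags(record):
    """Turn 'k=v; k=v' into a dict (first '=' separates key and value)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def lint_dkim(record):
    t = parse_tags(record)
    issues = []
    if t.get("v", "DKIM1") != "DKIM1":
        issues.append("v= must be DKIM1")
    if not t.get("p"):
        issues.append("empty p= revokes the key: no mail signed with it verifies")
    if "y" in t.get("t", "").split(":"):
        issues.append("t=y marks the key as testing; verifiers ignore failures")
    # A 2048-bit RSA public key is roughly 390 base64 chars, 1024-bit about 215.
    if t.get("k", "rsa") == "rsa" and 0 < len(t.get("p", "")) < 300:
        issues.append("RSA key looks shorter than 2048 bits")
    return issues


def lint_dmarc(record):
    t = parse_tags(record)
    issues = []
    if t.get("v") != "DMARC1":
        issues.append("record must start with v=DMARC1")
    p = t.get("p")
    if p not in ("none", "quarantine", "reject"):
        issues.append("p= missing or invalid")
    elif p == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    if t.get("pct", "100") != "100":
        issues.append(f"pct={t['pct']} applies the policy to only part of your mail")
    if "rua" not in t:
        issues.append("no rua= address, so you receive no aggregate reports")
    if t.get("sp", p) == "none" and p in ("quarantine", "reject"):
        issues.append("sp=none leaves subdomains unprotected")
    return issues


# Constructed records: a weak pair and a sound pair (fake key material).
WEAK_DKIM = "v=DKIM1; k=rsa; t=y; p=" + "A" * 216
GOOD_DKIM = "v=DKIM1; k=rsa; p=" + "A" * 392
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
GOOD_DMARC = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.net"

if __name__ == "__main__":
    checks = [("DKIM weak", WEAK_DKIM, lint_dkim), ("DKIM good", GOOD_DKIM, lint_dkim),
              ("DMARC weak", WEAK_DMARC, lint_dmarc), ("DMARC good", GOOD_DMARC, lint_dmarc)]
    for name, rec, lint in checks:
        print(name, lint(rec) or ["ok"])
```

Paste the output of the two `dig` queries into the constants to lint your own domain. The script deliberately reports p=none as a finding: a monitoring-only policy is the right first step, but it does nothing against spoofing until you move to quarantine or reject.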
