---
title: "What is DKIM2?"
description: "DKIM2 is the next version of DKIM with improved security and support for forwarded emails. Learn what DKIM2 is and why it matters for email authentication."
url: "https://lettermint.co/knowledge-base/definitions/what-is-dkim2"
published: "2025-10-24"
last_updated: "2025-10-24"
---

# What is DKIM2?

Email security keeps evolving, and that's a good thing. After almost 20
years, DKIM is getting a major update called DKIM2. This new email security
standard addresses problems that have emerged over the years and makes email
even more secure. DKIM2 brings significant improvements, especially for
forwarded messages and mailing lists.

We previously wrote the article '[What is DKIM](https://lettermint.co/knowledge-base/definitions/what-is-dkim)'.
In it, we explain exactly what current *DKIM1* is and what it does for email
security. We recommend reading that article first to make the transition to
DKIM2 easier to understand.

## What is DKIM2

DKIM2 is the second version of **DomainKeys Identified Mail** and is
currently under development.

Where DKIM (now called [DKIM1](https://lettermint.co/knowledge-base/definitions/what-is-dkim))
proves that an email comes from a specific domain, DKIM2 goes one step
further. It documents the entire route an email takes from sender to
recipient. Every mail server that handles the email adds its own signature.
This way, you can see exactly which systems have processed the email.

### Example

Suppose your webshop sends an order confirmation to a customer, and the
customer forwards it to their bookkeeper. With DKIM1, this can cause
confusion: when forwarding, a line such as "Forwarded by John Smith" is
automatically added. That single extra line is enough to break the DKIM1
signature check. The email usually still arrives, but the recipient's mail
server can no longer verify whether the content is unchanged.

With DKIM2, it works differently. When your mail server sends the order
confirmation, it adds a DKIM2 signature. When the customer forwards the
email, their mail server adds its own signature and records what change was
made (that one line "Forwarded by..."). The bookkeeper's mail server can now
see exactly:

1. The email really comes from your webshop (first signature)
2. The customer forwarded the email (second signature)
3. Apart from that recorded line, no changes were made to the original email

This way, the recipient's mail provider can see that the original email
hasn't been modified.
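
The forwarding scenario above, as an added example (not Lettermint's code and not the DKIM2 wire format): it computes the DKIM body hash with RFC 6376 "simple" canonicalization, shows that the added line changes it, and then reverses a recorded modification to recover the sender's hash. The record layout and the sample message are constructed for illustration, and the per-hop signatures are left out.

```python
import base64
import hashlib

# Constructed sample message body and forward banner (not real mail).
ORIGINAL = b"Order #1001 confirmed.\r\nTotal: EUR 42.00\r\n"
BANNER = b"Forwarded by John Smith"

def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: drop trailing empty
    lines and end the body with exactly one CRLF."""
    # Convenience for the demo: normalise bare LF to CRLF first.
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"

def body_hash(body: bytes) -> str:
    """Value carried in the DKIM bh= tag: base64(SHA-256(canonical body))."""
    digest = hashlib.sha256(canon_body_simple(body)).digest()
    return base64.b64encode(digest).decode()

def forward(body: bytes, banner: bytes):
    """Forwarder prepends one line and records what it added.
    The record layout is hypothetical, not taken from the DKIM2 draft."""
    record = {"op": "prepend", "length": len(banner) + 2}
    return banner + b"\r\n" + body, record

def undo(body: bytes, record: dict) -> bytes:
    """Verifier reverses the recorded change to get the previous body."""
    if record.get("op") != "prepend" or not 0 < record["length"] <= len(body):
        raise ValueError("unsupported or inconsistent modification record")
    return body[record["length"]:]

def check(received: bytes, record: dict, origin_bh: str) -> dict:
    """Compare the sender's body hash with the body as received and
    with the body after undoing the recorded modification."""
    return {
        "as_received": body_hash(received) == origin_bh,
        "after_undo": body_hash(undo(received, record)) == origin_bh,
    }

if __name__ == "__main__":
    forwarded, rec = forward(ORIGINAL, BANNER)
    print(check(forwarded, rec, body_hash(ORIGINAL)))
```

A change that the forwarder did not record still fails the second comparison, which is what lets the final recipient tell a declared edit from tampering.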

## Why DKIM2 is coming

In 2007, when DKIM was introduced, email looked very different. We mainly
sent **emails directly to one recipient**. Today, you receive order
confirmations from webshops, newsletters from companies, and password reset
emails from applications. **In short: we use email in far more ways than ever before**.

Meanwhile, cybercriminals haven't been sleeping either. Where they mainly sent
simple emails 20 years ago, they now use advanced techniques to bypass
existing security measures like DKIM.

### Current problems with DKIM1

DKIM1 works well but has several weak spots that cause problems in practice:

#### Forwarded emails

When an email is forwarded and something changes (like a disclaimer or
unsubscribe link), DKIM1 security breaks. The email usually still arrives,
but mail servers can no longer verify whether the content is unchanged.
DKIM2 tracks what changes were made, so this remains verifiable.

#### Replaying old emails (Replay Attack)

DKIM1 has no timestamp. This means a cybercriminal can resend an old email
and mail servers will accept it because the security still checks out. This
is called a *Replay Attack*.

Example: a webshop sends you an email with a discount code. A bad actor can
resend that same email months later to thousands of people. DKIM2 adds a
timestamp, allowing mail servers to see that an email is too old to still be
valid.

We especially see this around [Black Friday and the busy holidays](https://lettermint.co/knowledge-base/deliverability/prevent-emails-spam-holidays-gmail-outlook)
when webshops mass-send discount codes. Cybercriminals collect these emails
and resend them later.
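
Why the timestamp has to be inside the signed data, as an added example (not Lettermint's code and not the DKIM2 format): the verifier accepts a replayed message whose signature covers no timestamp, and rejects one whose signature covers a timestamp and a recipient, as in the comparison table further down. HMAC with a demo key stands in for the domain's public-key signature, and the field names, the seven-day window and the sample addresses are assumptions.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # stand-in for the signing domain's private key
MAX_AGE = 7 * 24 * 3600        # assumed validity window; the page gives no figure
BODY = b"Your discount code: DEMO-CODE\r\n"  # constructed sample body

def sign(body: bytes, fields: dict) -> str:
    """Sign the body hash together with every field in `fields`.
    Field names are hypothetical, not DKIM2 tag names."""
    data = hashlib.sha256(body).hexdigest()
    for name in sorted(fields):
        data += f"\n{name}={fields[name]}"
    return hmac.new(KEY, data.encode(), hashlib.sha256).hexdigest()

def verify(body: bytes, fields: dict, sig: str, now: int, rcpt: str) -> list:
    """Return the reasons to reject; an empty list means accept."""
    if not hmac.compare_digest(sign(body, fields), sig):
        return ["bad signature"]
    reasons = []
    # Only fields that were signed can be trusted for these checks.
    if "timestamp" in fields and now - int(fields["timestamp"]) > MAX_AGE:
        reasons.append("signature too old")
    if "recipient" in fields and fields["recipient"] != rcpt:
        reasons.append("not signed for this recipient")
    return reasons

if __name__ == "__main__":
    sent = 1_700_000_000                 # constructed send time (epoch seconds)
    later = sent + 90 * 24 * 3600        # replay three months on
    bound = {"timestamp": sent, "recipient": "alice@example.com"}
    sig = sign(BODY, bound)
    print(verify(BODY, {}, sign(BODY, {}), later, "victim@example.net"))
    print(verify(BODY, bound, sig, later, "victim@example.net"))
    # Rewriting the timestamp to look fresh invalidates the signature.
    print(verify(BODY, dict(bound, timestamp=later), sig, later, "alice@example.com"))
```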

#### Error messages to the wrong person (Backscatter)

When an email can't be delivered, the sender normally gets a [bounce](https://lettermint.co/knowledge-base/deliverability/understanding-email-statuses-hard-bounce-delivered-pending) notification.
Cybercriminals exploit this by using your email address as the sender of
spam. All error messages then come to you, while you never sent those emails.
This is called *backscatter*.

DKIM2 solves this by sending error messages back to the mail server that
actually sent the email, instead of to the email address listed as sender.

## The difference between DKIM and DKIM2

DKIM2 builds on DKIM1 but solves several important problems. The table below
shows the main differences:

| Feature                  | DKIM1            | DKIM2         |
| ------------------------ | ---------------- | ------------- |
| Basic signature (sender) | Yes              | Yes           |
| Timestamp                | No               | Yes           |
| Recipient information    | No               | Yes           |
| Track modifications      | No               | Yes           |
| Multiple signatures      | Yes, but limited | Yes, complete |
| Backscatter protection   | No               | Yes           |
| Replay Attack protection | No               | Yes           |

> **Note:** By signatures, we mean digital security codes that are automatically added
> by mail servers. This has nothing to do with the signature you add to the
> bottom of your emails yourself.

## When will DKIM2 be available?

DKIM2 is currently still under development at the IETF ([Internet Engineering Task Force](https://www.ietf.org/)). This is the organization that establishes internet standards. The specifications are currently being worked out and tested.

There's no definitive date for the rollout yet. New email standards often take years before they're widely supported. Think of [DMARC](https://lettermint.co/knowledge-base/definitions/what-is-dmarc): that standard was introduced in 2012, but was only really widely used by major mail providers years later.

DKIM2 is expected to be rolled out gradually. Large mail providers like Gmail, Outlook, and Yahoo will likely add support first. Then email service providers like Lettermint will follow. For users, little will change: the transition will happen largely automatically.

## How will this benefit me?

DKIM2 brings benefits for everyone who uses email. Whether you send or receive emails, the improved security means fewer problems.

### For senders

Your emails arrive as intended, even when recipients forward them. This also applies to emails from different [subdomains](https://lettermint.co/knowledge-base/deliverability/what-is-an-email-subdomain-and-when-should-you-use-one). Cybercriminals can no longer resend old emails from your domain or abuse your address without this being noticed.

### For recipients

You're better protected against fake emails. Mail servers can see exactly what route an email has taken and whether anything was modified along the way. Old emails that are resent are also automatically recognized.

## Conclusion

DKIM2 is the next step in email security. Where DKIM1 mainly proves that an email comes from your domain, DKIM2 documents the entire route an email takes. Forwarded messages remain trustworthy, old emails cannot be resent, and cybercriminals can no longer abuse your domain as easily.

DKIM2 is currently still under development. At Lettermint, we're closely following these developments and will implement the new standard as soon as it becomes available.

What you can do now: make sure your [DKIM](https://lettermint.co/knowledge-base/definitions/what-is-dkim), [SPF](https://lettermint.co/knowledge-base/definitions/what-is-spf), and [DMARC](https://lettermint.co/knowledge-base/definitions/what-is-dmarc) are correctly configured. Then you'll be ready when DKIM2 becomes available.
