DKIM uses DNS-based self-certified keys. Because the scope of DKIM is limited, it does not need generalized, powerful, expensive, long-term certificates, issued by separate certificate authorities. The sender generates private/public key pair for the domain as if for SSL (Secure Sockets Layer). The sender broadcasts the public key to the Internet at large by registering it as a phony sub DNS name.
DKIM-signed messages don’t require the recipient to implement the signing protocol. Checking incoming mail is optional. It is implemented with an extra line in the header of the message of type DKIM-Signature that is usually ignored.
You might think the spammer could successfully spoof a domain simply by leaving the DKIM-Signature header off. But once the recipient knows that a domain supports DKIM, ever after he rejects all unsigned mail purporting to be from that domain. The spammer has to counterfeit a domain that does not sign with DKIM. That domain then becomes suspect, which encourages them to implement DKIM. If all goes well, everyone will eventually support DKIM, leaving the spammers no reputable domain to spoof.
This page is posted
Optional Replicator mirror
Your face IP:[18.104.22.168]
You are visitor number|