Skip to content
Core conceptThe DDMARC Library

What is DKIM2? The Proposed Next Generation of DKIM

DKIM2 is a proposed IETF evolution of DKIM aimed at stopping DKIM replay abuse and fixing how signatures break on forwarding. Learn what it is, its status, and DDMARC's roadmap.

5 min readRevised By the DDMARC editors

What is DKIM2?

DKIM2 is a proposed next generation of DKIM (DomainKeys Identified Mail) currently being developed in the IETF. It aims to address structural weaknesses in the original DKIM standard (RFC 6376) — most notably DKIM replay abuse and the way ordinary DKIM signatures break when messages are forwarded or pass through mailing lists.

DKIM2 is not yet a finalized standard. It is an active work in progress: the specification, and the DNS record format that will accompany it, are still being drafted, and no mainstream sender or receiver enforces DKIM2 in production today. This page explains where DKIM2 is headed and how DDMARC plans to support it.

The Problems DKIM2 Aims to Solve

DKIM replay. A standard DKIM signature stays valid for as long as the key is published, and it says nothing about who the message was sent to. An attacker can take a single message your domain legitimately signed and re-send — "replay" — it to huge numbers of recipients, riding on your domain's good reputation to land spam or phishing in inboxes. This is a real, actively exploited weakness, and it is difficult to stop with DKIM as it exists today.

Forwarding and mailing lists. DKIM signs specific headers and the message body. When an intermediary — a mailing list, a forwarder, a "share this article" gateway — adds a footer, tags the subject, or otherwise rewrites the message, the signature no longer validates. ARC was introduced as a patch to preserve earlier authentication results across these hops, but it is an add-on rather than a fix to DKIM itself.

How DKIM2 Is Expected to Work

The exact mechanics are still being specified, so the points below describe the direction of the work rather than a final standard. Broadly, DKIM2 is expected to:

  • Bind signatures more tightly to a message's intended delivery, so a signed message cannot simply be replayed to unrelated recipients.
  • Record and sign modifications made by legitimate intermediaries, so forwarding and mailing lists no longer silently break authentication — folding in the problem ARC was created to solve.
  • Cover more of the message and its transport path cryptographically than the original DKIM does.

Because the specification is not finalized, the DNS record format, tag names, and cryptographic parameters for DKIM2 are still subject to change. We deliberately do not publish an example record here — presenting one before the standard settles would be misleading.

DKIM2 and DDMARC

DDMARC is tracking DKIM2 through the standardization process. As the specification stabilizes and mailbox providers begin to support it, we plan to add DKIM2 checking and reporting alongside the SPF, DKIM, DMARC, BIMI, MTA-STS, and TLS-RPT coverage DDMARC already provides. In the meantime, the strongest protection available today is a correctly configured DMARC policy at enforcement, backed by aligned SPF and DKIM. Check your domain's current email security posture to see where you stand now.

Frequently Asked Questions

Is DKIM2 available to use today?

No. DKIM2 is an early IETF draft, not a published standard. There is no finalized DNS record format and no mainstream production support from senders or mailbox providers yet. Deploying DKIM, SPF, and DMARC remains the way to authenticate your email today.

Will DKIM2 replace DKIM, SPF, or DMARC?

Not in the near term. DKIM2 is designed as an evolution of DKIM that addresses replay and forwarding weaknesses, while DMARC and SPF continue to play their roles. Even after DKIM2 is standardized, adoption will be gradual and existing authentication will remain necessary for years.

Does DDMARC support DKIM2?

Not yet — because the standard itself is not final. DDMARC is following DKIM2's development and plans to add support once the specification is complete and providers begin adopting it. Today DDMARC checks SPF, DKIM, DMARC, BIMI, MTA-STS, and TLS-RPT. Check your domain's email security posture.

How is DKIM2 related to DKIM replay attacks?

DKIM replay is one of the main problems DKIM2 is meant to address. Because a normal DKIM signature does not constrain who a message was sent to and stays valid indefinitely, attackers can resend a legitimately signed message to many recipients to ride on the signer's reputation. DKIM2 aims to bind signatures to a message's intended delivery so replayed messages no longer validate.

— Fin.
ShareX / TwitterLinkedIn
Free to start · 14-day trial · cancel anytime

From spoofed to enforced.

p=none
5 min
p=quarantine
Week 2
p=reject
Week 4–6

Billed when your 14-day trial ends · cancel anytime before then