The original DKIM standard has been the backbone of email signing since 2011. DKIM2 is the first significant update – addressing structural weaknesses that have persisted for over a decade.
Sendmarc is tracking the standard closely and will align its platform with DKIM2 once it’s finalized.
DKIM (DomainKeys Identified Mail) is an email authentication standard that uses a cryptographic signature to show that the signing domain takes responsibility for a message and that the signed parts of it haven't been altered in transit.
When an email is sent, the signing server adds a DKIM-Signature header. It carries the signing domain (d=), a selector (s=), the list of headers that were signed (h=), a hash of the message body (bh=), and the signature itself (b=). The receiving server fetches the sender's public key from DNS (a TXT record at selector._domainkey.domain), recomputes the body hash, canonicalizes the listed headers and checks the signature. If it verifies, the signed headers and body are confirmed unmodified since signing. Anything outside the signed set is not covered: headers omitted from h=, and the SMTP envelope, including who the message is actually delivered to.
DKIM works alongside SPF and DMARC to form a complete email authentication framework.
DKIM2 is a proposed successor to the original DKIM standard (RFC 6376), currently being developed by the Internet Engineering Task Force (IETF). The original specification was published in 2011 and has been widely deployed ever since – but it has structural weaknesses that weren’t fully understood at the time of publication.
DKIM2 tackles those weaknesses directly. It addresses replay attacks and backscatter, while making email signing more flexible, consistent, and efficient.
Most of the implementation effort falls on the services that sign and verify email: sending platforms such as Sendgrid, Amazon SES and Mailchimp, and mailbox providers such as Microsoft.
For domain owners, existing DKIM keys will continue to work. Backward compatibility is a deliberate design choice, and one that makes adoption achievable from day one.
For DMARC services like Sendmarc, stronger and more reliable DKIM signing means better signals – improving the accuracy of reporting and enforcement.
DKIM2 introduces several structural and cryptographic improvements. Below are the most significant changes security professionals and domain owners should understand.
DKIM2 standardizes which headers must be signed, ensuring all critical headers are consistently covered. Under the original standard a signer chooses the h= list, and any header left out of it (Subject, for example) can be added or rewritten after signing without invalidating the signature. A fixed set of required headers removes that confusion and closes the gaps partial signing leaves open.
DKIM2 aims to address replay attacks by binding each message to its intended recipients and recording when it was signed. A receiver can then compare the recipients the signer vouched for with the envelope recipients it actually sees, and the signing time with its own clock, and reject a signed message that is being replayed to recipients the signer never addressed or long after it was sent.
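The following example is added here to make the two gaps above concrete; it is not Sendmarc's code and not the DKIM2 draft. It is a miniature DKIM-style signer and verifier: a header left out of h= can be changed without breaking the signature, and a signed message re-sent verbatim to another mailbox still verifies until the recipient and a timestamp are bound into the signed data (the same replay problem the FAQ at the end of this page describes). The signing domain, the message headers, the `rcpt`/`ts` tag names and the seven-day age limit are assumptions chosen for the demonstration; real DKIM uses RSA-2048 or Ed25519 with proper padding, whereas this block uses textbook RSA built from two Mersenne primes only so that it runs with no key files or third-party libraries.

```python
# Added example, not Sendmarc's code and not the DKIM2 draft: a toy DKIM-style
# signer/verifier showing the unsigned-header gap and the replay gap.
import hashlib
import re

SIGNING_DOMAIN = "example.com"        # hypothetical signing domain
MAX_AGE = 7 * 86400                   # assumed limit on signature age (seconds)
# Toy RSA key from Mersenne primes, textbook RSA with no padding. Only so the
# example is self-contained; never use anything like this for real mail.
P, Q, E = (1 << 127) - 1, (1 << 521) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def canon_header(name, value):
    """Relaxed-style canonicalization: lowercase name, collapse whitespace."""
    folded = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{folded}"


def body_hash(body):
    """The bh= value: CRLF line endings, trailing blank lines removed."""
    body = body.replace("\r\n", "\n").rstrip("\n") + "\n"
    return hashlib.sha256(body.replace("\n", "\r\n").encode()).hexdigest()


def signed_data(headers, signed_names, sig_prefix):
    """Headers in h= order, then the signature header itself with b= empty."""
    lines = []
    for name in signed_names:
        for n, v in headers:
            if n.lower() == name.lower():
                lines.append(canon_header(n, v))
                break                 # a listed header that is absent is skipped
    lines.append(canon_header("DKIM-Signature", sig_prefix))
    return "\r\n".join(lines).encode()


def digest_of(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(headers, body, signed_names, extra_tags=None):
    """Build a DKIM-style signature header value. Only headers in signed_names
    are covered. extra_tags (recipient, timestamp) are signed too: binding them
    is the idea behind DKIM2's replay protection; the tag names are made up."""
    tags = {"d": SIGNING_DOMAIN, "h": ":".join(signed_names),
            "bh": body_hash(body), **(extra_tags or {})}
    prefix = ";".join(f"{k}={v}" for k, v in tags.items()) + ";b="
    signature = pow(digest_of(signed_data(headers, signed_names, prefix)), D, N)
    return prefix + format(signature, "x")


def verify(headers, body, sig_header, envelope=None):
    """Verify a signature. envelope = {"rcpt": ..., "now": ...} is what the
    receiver observes and enables the binding checks when the tags exist."""
    tags = dict(t.split("=", 1) for t in sig_header.split(";"))
    if tags["bh"] != body_hash(body):
        return "fail: body modified"
    prefix = sig_header.rsplit(";b=", 1)[0] + ";b="
    expected = digest_of(signed_data(headers, tags["h"].split(":"), prefix))
    if pow(int(tags["b"], 16), E, N) != expected:
        return "fail: bad signature"
    if envelope is not None:
        if "rcpt" in tags and tags["rcpt"] != envelope["rcpt"]:
            return "fail: replayed to another recipient"
        if "ts" in tags and envelope["now"] - int(tags["ts"]) > MAX_AGE:
            return "fail: signature too old"
    return "pass"


def demo_unsigned_header():
    """Subject is left out of h=, so rewriting it leaves the signature valid;
    rewriting a signed header (From) does not."""
    headers = [("From", "billing@example.com"), ("To", "alice@example.net"),
               ("Subject", "Your invoice")]          # constructed sample message
    body = "Please pay invoice 42.\n"
    sig = sign(headers, body, ["From", "To"])
    new_subject = [(n, "URGENT: account suspended" if n == "Subject" else v)
                   for n, v in headers]
    new_from = [(n, "ceo@example.com" if n == "From" else v) for n, v in headers]
    return verify(headers, body, sig), verify(new_subject, body, sig), verify(new_from, body, sig)


def demo_replay():
    """A message signed for attacker@example.org and re-sent unchanged to a
    victim still verifies under classic DKIM; the bound signature rejects it."""
    headers = [("From", "promo@example.com"), ("To", "attacker@example.org"),
               ("Subject", "Confirm your account")]  # constructed sample message
    body = "Click the link to confirm.\n"
    classic = sign(headers, body, ["From", "To", "Subject"])
    bound = sign(headers, body, ["From", "To", "Subject"],
                 {"rcpt": "attacker@example.org", "ts": "1700000000"})
    victim = {"rcpt": "victim@example.net", "now": 1700000600}
    original = {"rcpt": "attacker@example.org", "now": 1700000600}
    stale = {"rcpt": "attacker@example.org", "now": 1700000000 + 30 * 86400}
    return (verify(headers, body, classic, victim), verify(headers, body, bound, original),
            verify(headers, body, bound, victim), verify(headers, body, bound, stale))


if __name__ == "__main__":
    print(demo_unsigned_header())
    print(demo_replay())
```

Two things worth noticing when you run it: the replayed message is byte-for-byte the one the signer produced, so no amount of header signing helps until the recipient is part of the signed data; and the age check only has teeth if the signer's timestamp is itself signed, which is why both tags go into the hashed prefix rather than into an unsigned header.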
DKIM2 addresses backscatter, the flood of bounce messages (DSNs) that a forged sender address receives when spam sent in its name is rejected. Instead of bouncing to the claimed sender, a DKIM2 receiver sends the DSN back to the server that last handled the message, which can pass it back along the chain of signing hops. Bounces therefore reach the party that actually sent the message, and delayed rejection becomes safer: a receiving system can accept a message provisionally, take more time to analyze it, and still reject it without bombarding an innocent third party.
DKIM2 also improves how modifications by intermediaries are handled. Mailing lists and security gateways that legitimately change a message (a subject tag, a footer, a disclaimer) record the changes they make so the receiver can reverse them and verify the original signature. Legitimate modification then stops breaking authentication, and any change that isn't in the record, which is what tampering looks like, stands out.
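To show the record-and-reverse idea in working code, here is an added example; it is neither Sendmarc's code nor the DKIM2 draft, and the record format (a subject-prefix and body-append pair) is a hypothetical stand-in for however DKIM2 ends up encoding modifications. A mailing-list hop tags the subject and appends a footer, records exactly what it did, and the receiver undoes those edits before comparing the body hash the originator signed. A change the hop did not record (the tampered case) fails, which is the property the paragraph above describes.

```python
# Added example, not Sendmarc's code and not the DKIM2 draft: an intermediary
# records its edits so the receiver can reverse them and re-check the body hash.
import hashlib


def body_hash(body):
    """bh= style body hash: CRLF line endings, trailing blank lines removed."""
    body = body.replace("\r\n", "\n").rstrip("\n") + "\n"
    return hashlib.sha256(body.replace("\n", "\r\n").encode()).hexdigest()


def list_hop(subject, body, tag, footer):
    """Mailing-list hop: tag the subject, append a footer, record both edits.
    The record layout is a hypothetical stand-in for a real DKIM2 encoding."""
    prefix = f"[{tag}] "
    record = {"subject-prefix": prefix, "body-append": footer}
    return prefix + subject, body + footer, record


def reverse_edits(subject, body, record):
    """Receiver side: undo exactly what the record claims. Returns None when the
    message does not actually carry the recorded edits."""
    prefix, appended = record["subject-prefix"], record["body-append"]
    if not subject.startswith(prefix) or not body.endswith(appended):
        return None
    return subject[len(prefix):], body[: len(body) - len(appended)]


def receiver_check(original_bh, subject, body, record):
    """Reverse the recorded edits, then compare with the body hash the originator
    signed. Only the body is checked here; in a full verifier the restored
    headers would be fed to the originator's signature check as well."""
    restored = reverse_edits(subject, body, record)
    if restored is None:
        return "fail: recorded edits not present"
    _subject, original_body = restored
    return "pass" if body_hash(original_body) == original_bh else "fail: unrecorded change"


def demo():
    body = "Meeting moved to 3pm.\n"                  # constructed original message
    bh = body_hash(body)                               # what the originator signed
    subject, relayed, record = list_hop("Agenda", body, "devs", "\n-- \nList footer\n")
    honest = receiver_check(bh, subject, relayed, record)
    tampered = receiver_check(bh, subject, relayed.replace("3pm", "5pm"), record)
    missing = receiver_check(bh, subject, body, record)  # footer stripped en route
    return honest, tampered, missing


if __name__ == "__main__":
    print(demo())
```

The check is only as good as the record: a hop that lies about what it changed produces a restored message whose hash does not match, so it is caught the same way an attacker is, and a receiver that cannot apply the record at all (the `missing` case) should treat the message as unverified rather than silently accepting it.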
DKIM2 supports multiple cryptographic algorithms, including RSA, elliptic curve, and potentially post-quantum schemes, making it easier to move away from outdated algorithms without disrupting email delivery. It also allows more than one signature in a single DKIM2 header, so a receiver that does not support (or no longer trusts) one algorithm can still verify the message with the other.
DKIM2 is expected to reduce the number of signature verifications a receiver has to perform. When a message hasn't been altered by any intermediary, only the first DKIM2 signature would need to be verified, making the process faster.
Standards like DKIM2 typically begin as discussions at M3AAWG (the Messaging, Malware and Mobile Anti-Abuse Working Group), where email operators collaborate on emerging challenges before proposals move to the IETF and ultimately become published RFCs.
The working group is made up of engineers and operators from large email providers and intermediaries – organizations vested in resolving the weaknesses that DKIM2 addresses, which gives the proposal strong practical momentum.
DKIM2 has been adopted by the IETF's DKIM working group and is under development. The drafts still need to go through working-group revision, last call and IESG review before they can be published as a standard.
The industry has a DKIM2 timeline. From Q4 2026, providers, including Google and Yahoo, will begin experimental verification. The findings will likely be visible through DMARC aggregate reports and Authentication-Results headers. Production rollouts are set for Q1 2027. Domain owners don’t need to take any action today – existing DKIM implementations remain valid.
Sendmarc is monitoring the DKIM2 proposal as it progresses. When the protocol is finalized, we plan to align our platform with the updated specification so domain owners can adopt the new standard without complexity.
DKIM2 addresses longstanding weaknesses in how emails are signed and delivered. The changes address real operational and security challenges.
Managing DKIM configuration across multiple domains and sending platforms is operationally complex. A purpose-built platform ensures your signing infrastructure stays accurate and current as standards evolve – without increasing the burden on stretched security and IT teams.
Prepare your email environment for what’s next
DKIM2 is still in development, but the security gaps it addresses are real and present today. Sendmarc provides unified visibility into your DKIM, SPF, and DMARC configurations – so you’re protected now and ready for what’s next.
DKIM2 is a proposed update to the original DKIM email authentication standard. It addresses replay attacks and backscatter, while making email signing more flexible, consistent, and efficient. It is currently an Active Internet Draft.
No. DKIM2 is still in development, and no changes are required for now. Existing DKIM records remain valid. When DKIM2 is finalized as a standard, adoption will most likely be a phased process, and Sendmarc will help domain owners navigate the transition.
A DKIM replay attack occurs when an attacker obtains a message that a reputable domain has legitimately signed (often by sending it to a mailbox the attacker controls) and then re-sends that exact message to many other recipients. Because the original DKIM standard signs only the listed headers and the body, not the envelope recipients, the signature stays valid no matter who the message is delivered to, so the replayed copies carry a technically valid signature from the trusted domain and pass authentication checks.
DKIM2 is still an Active Internet Draft. Before publication, it must pass through submission, editing, and formal review. A rollout timeline is now in place, with experimental verification expected from major mailbox providers in Q4 2026 and production deployments set for Q1 2027. Sendmarc is monitoring progress and will align its platform with the standard once it’s finalized.