DomainKeys Identified Mail, or DKIM, is a highly regarded email security system that can be used to independently authenticate the contents and sender of an email that uses it.

DKIM was developed and is widely deployed as an email server anti-spam mechanism, including on Gmail.com and HillaryClinton.com. DKIM-enabled mail servers cryptographically sign the emails they relay so that the recipients' mail servers can authenticate them. DKIM has the beneficial side-effect of causing messages to become "cryptographically non-repudiable"; that is, after the email has been sent, the sender cannot credibly repudiate the message and say that it is a forgery. A DKIM mail server creates a cryptographically strong proof attesting to the authenticity of the email, which it adds to the headers of each email it sends. This cryptographic proof can then be tested by anyone who obtains a copy of the email.

In the Podesta email archive, many of the politically significant emails use DKIM authentication, including several contentious emails which some politicians have attempted to repudiate. These mails are, in fact, signed by HillaryClinton.com's email provider, Google. This authentication is on top of the journalistic validations of the email archive already carried out by WikiLeaks.

For example, an email that DNC Chair Donna Brazile falsely claimed to be "doctored by Russian sources" is in fact validated. Similarly validated is the email referencing a future appointment of Tim Kaine as Vice-President of the United States, which Mr Kaine publicly attempted to allege was fake. Both these emails have been secondarily validated by Google as being sent, with the content exactly as published by WikiLeaks.

You can see on our pages a notice when an email has additional validation through DKIM. What does this mean? It means that the content of the email has been independently verified to be authentic in its entirety and this verification process can be performed by anyone. Most DKIM-authenticated emails are essentially indisputable.

You can see the DKIM signatures on emails that have them by clicking on the "view source" tab and looking at the email's headers for "DKIM-Signature:", for example:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to:cc:content-type; bh=LMXa7c2eNKxvY4PrcbVDYCrY8kI1NpfrYq0D1CP9cM0=; b=cGVf2qJhuzMfD3qsH8q9pABcHFE3ll1t/sw8jT3fNJ.....==

Technical note:

Due to the complexities of modern email systems, and the fragility of cryptographic signatures, any formatting or character change to a message or many of its headers, no matter how small, will prevent a message from being validated. As a result, while the proof conveyed by a valid signature is strong (the message is authentic), the failure of the validation process has little meaning. It definitely does not mean the email is invalid; it just has not been positively validated in this way.

The reasons vary by message. Many email systems routinely modify mail after it has been sent and before it is delivered, doing such things as adding footers, legal notices and updating certain mail headers or the message's content encoding. These include thousands of messages from Google Groups and other mailing lists, as well as Google Calendar reminders, and many mails that have been forwarded through one or more systems, including mini mail servers on portable devices, before arriving in Mr Podesta's Gmail inbox. Some of these types of message do validate, but large numbers of them do not. It is easy to independently verify, using other email collections such as your own inbox, that these types of emails are frequent. Emails with any of the headers "X-Google-Loop", "Resent-From", "List-Id", or "Sender" are disproportionately represented in this group.

Keys also change over time or multiple keys may be active at one time due to mail server or DNS (mis)configuration. In some cases, non-validating messages can be made to validate by attempting to guess the suspected formatting or forwarding modifications to the headers or body and reversing them.
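The fragility described in the technical note can be seen in the body hash (the bh= tag) alone. The following is an added example, not code from this page or from WikiLeaks: it recomputes bh= under the "simple" and "relaxed" body canonicalizations of RFC 6376 and compares a whitespace-only change with a footer appended in transit. The message, the domain example.com and the selector are constructed sample values, and the code assumes a saved copy with bare LF line endings should be read as CRLF.

```python
import base64
import hashlib
import re

def parse_tags(header_value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376, section 3.2)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)  # drop header-folding whitespace
    return tags

def canon_body(body, mode):
    """Body canonicalization, "simple" or "relaxed" (RFC 6376, section 3.4)."""
    # Assumption: a saved copy may use bare LF; treat it as the CRLF sent on the wire.
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":  # collapse space/tab runs, drop whitespace at line ends
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # both modes ignore trailing empty lines
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body, header_value):
    """Recompute the value that the bh= tag should carry for this body."""
    tags = parse_tags(header_value)
    algo = tags["a"].split("-")[1]  # rsa-sha256 -> sha256
    mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    data = canon_body(body, mode)
    if "l" in tags:  # optional body length limit
        data = data[:int(tags["l"])]
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()

def body_matches(body, header_value):
    return body_hash(body, header_value) == parse_tags(header_value)["bh"]

# Constructed sample data, not taken from any real message.
ORIGINAL = b"Hi John,\r\n\r\nSee you at 10.\r\n"
RELAXED = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel; bh=%s; b=..."
RELAXED %= body_hash(ORIGINAL, "a=rsa-sha256; c=relaxed/relaxed")
SIMPLE = RELAXED.replace("relaxed/relaxed", "relaxed/simple")  # same bh: ORIGINAL is canonical in both modes
REFLOWED = b"Hi  John, \r\n\r\nSee you at 10.\r\n\r\n\r\n"  # whitespace-only changes
FOOTER = ORIGINAL + b"-- \r\nSent via a mailing list\r\n"  # relay appended a footer

if __name__ == "__main__":
    for name, body in [("original", ORIGINAL), ("reflowed", REFLOWED), ("footer", FOOTER)]:
        print(name, body_matches(body, RELAXED), body_matches(body, SIMPLE))
```

A matching bh= covers the body only; full validation also checks the b= signature over the headers listed in h= against the public key the signing domain publishes in DNS.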

For more information, see http://www.dkim.org/ and https://blog.returnpath.com/how-to-explain-dkim-in-plain-english-2/