DKIM2 Explained: What's Changing and What to Do
Security Boulevard, Tuesday, April 28th, 2026
DKIM2 addresses replay attacks, mailing list issues, and backscatter by signing envelope values and creating verification chains at each hop.
DKIM2 is a new email authentication standard designed to fix three major problems with DKIM1: replay attacks where spammers resend signed messages to new recipients, mailing list compatibility issues with DMARC p=reject policies, and backscatter from forged envelope addresses.
The solution introduces two new header fields, Message-Instance and DKIM2-Signature, that create a cryptographic chain at each hop in the delivery process. Because DKIM2 reuses existing DKIM1 keys, no DNS changes are needed.
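The sketch below is an added example, not code from the article or from the DKIM2 specification. It models why signing envelope values at each hop defeats replay to a new recipient. The dictionary field names, the `KEYS` table, the sample addresses and the use of HMAC in place of the DKIM public-key signature are all assumptions made so it runs with the standard library, and the body is assumed unchanged across hops.

```python
import hashlib
import hmac
import json

# Constructed per-domain keys; HMAC stands in for the DKIM public-key signature.
KEYS = {"sender.example": b"k-sender", "list.example": b"k-list"}

def _digest(hop, prev_sig, body):
    # Data one hop covers: its envelope values, the body hash, the previous hop's signature.
    body_hash = hashlib.sha256(body).hexdigest()
    fields = [hop["domain"], hop["mail_from"], hop["rcpt_to"], body_hash, prev_sig]
    return json.dumps(fields).encode()

def sign_hop(chain, domain, mail_from, rcpt_to, body):
    """Return a new chain with one more hop signed by `domain`."""
    hop = {"domain": domain, "mail_from": mail_from, "rcpt_to": rcpt_to}
    prev_sig = chain[-1]["sig"] if chain else ""
    hop["sig"] = hmac.new(KEYS[domain], _digest(hop, prev_sig, body), hashlib.sha256).hexdigest()
    return chain + [hop]

def verify_chain(chain, body, actual_rcpt):
    """Return 'pass' or a reason string for the first check that fails."""
    prev_sig = ""
    for i, hop in enumerate(chain):
        key = KEYS.get(hop["domain"])
        if key is None:
            return f"hop {i}: unknown signer"
        expected = hmac.new(key, _digest(hop, prev_sig, body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, hop["sig"]):
            return f"hop {i}: bad signature"
        prev_sig = hop["sig"]
    # Replay check: the SMTP recipient must be the one the last hop signed.
    if not chain or chain[-1]["rcpt_to"] != actual_rcpt:
        return "envelope recipient not covered by last hop"
    return "pass"

def demo():
    body = b"Subject: hi\r\n\r\nhello"  # constructed message
    chain = sign_hop([], "sender.example", "a@sender.example", "list@list.example", body)
    chain = sign_hop(chain, "list.example", "bounce@list.example", "bob@rcpt.example", body)
    return {
        "delivered": verify_chain(chain, body, "bob@rcpt.example"),
        "replayed": verify_chain(chain, body, "victim@other.example"),
    }

if __name__ == "__main__":
    print(demo())
```

In this model the replayed copy still carries valid signatures, yet verification fails because the new envelope recipient was never signed by any hop.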
During the transition period, messages will be dual-signed with both DKIM1 and DKIM2, allowing gradual adoption without service disruption, with major mailbox providers expected to begin experimental verification in Q4 2026.