DKIM authentication lets receiving servers verify that your messages really came from your domain, which makes it harder for malicious campaigns to spoof your emails.

Spam and phishing email campaigns are among the oldest and most widespread types of cybercrime. Sending an email that carries malicious web links is a simple method cybercriminals use to dupe users into clicking them. For example, an email that appears to come from PayPal may not be considered malicious by ordinary users, but it could certainly do harm if it’s a spoofed email.

Therefore, it’s critical to protect yourself from falling prey to such email-based attacks. DomainKeys Identified Mail, or DKIM for short, is an email security standard used to authenticate emails and ensure that email messages aren’t altered between the sending and receiving servers.

DKIM uses public-key cryptography: the sending server signs each email with a private key before the message leaves it. The receiving server then retrieves the public key for the signing domain from the domain name system (DNS) and uses it to verify the source of the received message. Once the signature verifies against that published public key, the message is considered authentic.

What Is DKIM? A Domain Keys Identified Mail Definition

DomainKeys Identified Mail is an email authentication technique designed to detect email spoofing. DKIM is often used to keep legitimate emails from being classified as spam or phishing attempts. In addition, it is one of the open-standard email authentication methods that Domain-based Message Authentication, Reporting and Conformance (DMARC) relies on for alignment.

In other words, DKIM is an email authentication standard that enables senders to link their domain names with the emails they’re sending, using cryptographic authentication. As a sender, this helps you prove the legitimacy of emails from your company’s domain to the email recipients’ mail servers and/or clients.

According to Kaspersky, DKIM was conceptually developed as DomainKeys in 2003 by someone working at Yahoo (Mark Delany). At the same time, Cisco was working on their own project — Identified Internet Mail (IIM). Years later, the two authentication techniques were eventually merged and registered by the Internet Engineering Task Force (IETF) as RFC 6376. Soon, all leading tech giants like Yahoo, Microsoft, and Google began to verify incoming email messages with DKIM signatures.

What Is a DKIM Signature?

A special digital signature is a critical element of the DKIM email validation process. A DKIM signature is a header that is inserted into an email message. The header contains the values that allow a receiving email server to validate the message: the server looks up the sender’s DKIM key and uses it to verify the signature, which is carried in an encoded format.

Below is an example of a DKIM signature:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=yourdomain.com; s=google;
h=from:content-transfer-encoding:subject:message-id:date:to:mime-version;
bh=M8ekcjhbGeOegZkwViLQ8B7I9vFIen3+/o=;
b=j0kFhYGacfuA9/gw7n2PAzhl2bW^UtSpap9rL4c0Z&5qHop8jsli76NoMuVDyG2Si/qIL0OaruO3oyGlshHo6o0427idWmbx95a0E$C03pqXWfEfDP8QyQWPX35vh773n6VMDF5

A DKIM-Signature header is made up of tag=value pairs, as in the example above, and these tags automate the verification process. Among them, some notable tags are:

  • “d=” gives the signing domain,
  • “bh=” is the hash of the message body, which the receiver recalculates when verifying the message with the sender’s public key, and
  • “b=” is the digital signature itself.

The signature is unique from one message to another, but some basic elements are common to every DKIM signature header.

How Does DKIM Work?

In a nutshell, DKIM works by attaching a DKIM signature in the headers of outbound messages. The email recipients’ email clients then use this header information to validate the messages’ legitimacy by comparing them to the information that you’ve added in your domain’s DNS records. Let’s explore the process of how DKIM works more in depth.

Whenever an inbound mail server receives an email, it first detects the DKIM signature and tries to find the sender’s public DKIM key within the DNS. The DKIM selector (the s= tag in the signature) tells the server where to find the key. Once the key is found, it is used to decrypt the encrypted DKIM signature. The result is then compared with the values recalculated from the received email; if they match, DKIM is considered valid.


In other words, DKIM uses a private key to insert an encrypted signature into the message header. Here, the signing domain, also called the outbound domain, is inserted as the value of the d= field within the header. The verifying domain then uses the d= field to look up the public key through DNS while authenticating the message.

A Step-By-Step Look at How DKIM Works

Okay, so now you have a general understanding of what DKIM is and how it works. Let’s break down the DKIM process more granularly so you can see how it works in terms of sending an email from your domain and what happens on the recipient’s end of things:

  • The domain owner creates a DKIM record for their DNS. As the domain owner, you publish a cryptographic public key formatted in the TXT record within the domain’s DNS records.
  • A DKIM signature attaches to the message. Whenever an email is sent through an outbound server, a unique DKIM signature header is generated and attached to the message. The header consists of two cryptographic hashes, one covering the signed headers and the other covering the message body. The header also contains information about how the DKIM signature was generated.
  • The DNS’s DKIM record is checked for every inbound email. When an inbound mail server receives an email, it’ll find the sender’s public DKIM key within the DNS. The inbound server then uses that key to decrypt the signature and compare it with a newly generated version.
  • The email will move on to the recipient once the email is verified. Finally, if both the values match, the message will be proved authentic and unaltered.

Why Having a DKIM Record Matters in Email Security

Creating a DKIM record isn’t mandatory. However, if your emails include a DKIM signature in the header, they’re less likely to wind up in recipients’ email trash bins. Pretending you’re sending an email from a well-known and trusted domain is a common social engineering tactic. DKIM makes it harder to pull off this type of email spoofing from domains that use DKIM records.

Furthermore, DKIM works with DMARC and sender policy framework (SPF) and is compatible with today’s email infrastructure. Therefore, it creates multiple security layers for domains that send emails. Likewise, mail servers that are not compatible with DKIM signatures can still receive signed emails without any issues. So, while it’s not mandatory, we strongly recommend that you add a DKIM record within your DNS whenever possible, as it will help to authenticate email from your domain.

Another benefit of DKIM is that ISPs use it to build domain reputation. When you send email with good delivery practices, such as high engagement and low spam-complaint and bounce rates, that helps the domain build a good reputation and improves deliverability.

Another essential thing to note is that DKIM ensures that the message is original and hasn’t been tampered with, without encrypting the message content.

3 Major Benefits of DKIM for Businesses

Below are three key benefits of using DKIM to increase email security:

1. DKIM Allows Legitimate Messages to Bypass Spam Filters

Although DKIM isn’t considered an anti-spam method, it protects users against spam. Configuring DKIM helps prevent your emails from landing in the spam folder.

For instance, if you’re running an email marketing project and emails are sent to a massive list of recipients, using DKIM will increase the likelihood of your emails getting through, rather than being marked as phishing emails or spam.

2. DKIM Helps Prevent Phishing Messages From Making It to Your Inbox

Spam filtering isn’t foolproof; it can’t detect or flag 100% of all suspicious emails. However, DKIM will help by checking the email you received beyond what traditional email filters can manage. Likewise, Google recognizes DKIM as an anti-phishing technology because it provides an additional layer of defense against phishing attempts. However, it’s best to pair it with SPF and DMARC for greater email security.

3. Boost Domain Authentication Reliability & Email Success

When you employ DKIM on your company’s domains, you’re more likely to be viewed as a reliable email sender, and your emails won’t be considered spam by your users. So, authenticating email messages using DKIM boosts your email deliverability. Therefore, there’s a high possibility that your emails will end up in their inbox and not in the spam folder.

Likewise, DKIM also helps in increasing your email click-through rate (CTR). Whenever you attempt to reach your email subscribers using email advertising or through a newsletter, if there’s a layer of trust within your signature, there’s a higher chance of users clicking links without fear of becoming victims of phishing attacks.

How Is a Signed DKIM Message Verified?

The DKIM verification process isn’t overly complicated. It boils down to making sure that the information in the email header and the digital signature match the domain’s DNS records. According to postmarkapp.com, the receiving server uses the following information to perform this check:

  • “d=” tag to check the sending domain’s DNS records, and
  • the “s=” tag to select the appropriate DKIM key.

Here’s what the DNS TXT record holding the public key looks like:

20130519032151pm._domainkey.yourdomain.com. 1234 IN TXT "k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCSGLvJw6sZ5YEeFe5tl6D7h6IiE1J5kmMH6TEpG99BIHDuXg3vz/qRblKa0WcbI4SLDwsMkq17VheGt7ZZANqrCjcieHkKC8u52h5mezNFHRcKiOpr06o8PfkbqQsCX58ZpALcH0S1aQb6zkpebYsA111l1pGv5qlKvsbJ9t+9jwIDAQAB"

To validate the DKIM signature, the recipient’s server retrieves the sender domain’s public key and uses it to decrypt the encrypted hash that was sent. The receiving server then computes its own hash of the message and compares the two. If both hash values match, the message is verified and allowed to move on to the recipient’s inbox.
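The tag=value header shown earlier, the step-by-step process, and the verification just described all fit into one short program. The following is an added example in Go; it is not code from the original article or from any mail server, and it assumes constructed sample data throughout: the domain example.com, the selector sel1, the sender alice@example.com, and an in-memory map that stands in for DNS. It implements a minimal DKIM signer and verifier with RFC 6376 relaxed canonicalization and rsa-sha256 (RSA PKCS#1 v1.5 over SHA-256): the domain owner publishes the public key as a TXT record under selector._domainkey.domain, the sender computes bh= over the body and signs the h= headers plus the signature header itself, and the receiver looks up the key by selector, recomputes the body hash and checks the signature. An empty p= value in the record is treated as a revoked key, which is how a rotated-out key is retired.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

var wsRun = regexp.MustCompile(`[ \t]+`)
var bTag = regexp.MustCompile(`(^|;)(\s*b=)[^;]*`) // the b= value, which is emptied before hashing

// parseTags turns "v=1; a=rsa-sha256; ..." into a map, dropping folding whitespace inside values.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[kv[0]] = strings.Join(strings.Fields(kv[1]), "")
		}
	}
	return tags
}

// relaxedBody: RFC 6376 "relaxed" body canonicalization (collapse whitespace runs, strip trailing whitespace, CRLF endings, no trailing empty lines).
func relaxedBody(body string) string {
	var out []string
	for _, l := range strings.Split(strings.ReplaceAll(body, "\r\n", "\n"), "\n") {
		out = append(out, strings.TrimRight(wsRun.ReplaceAllString(l, " "), " "))
	}
	if s := strings.TrimRight(strings.Join(out, "\r\n"), "\r\n"); s != "" {
		return s + "\r\n"
	}
	return ""
}

// relaxedHeader: lower-case name, then the value unfolded and whitespace-collapsed.
func relaxedHeader(name, value string) string {
	return strings.ToLower(name) + ":" + strings.TrimSpace(wsRun.ReplaceAllString(strings.ReplaceAll(value, "\r\n", ""), " ")) + "\r\n"
}

// headerHash is what the signature covers: the h= headers in order (keyed here by lower-case name), then the DKIM-Signature header with its b= value emptied.
func headerHash(headers map[string]string, hList []string, sigValue string) []byte {
	h := sha256.New()
	for _, name := range hList {
		if v, ok := headers[strings.ToLower(name)]; ok {
			h.Write([]byte(relaxedHeader(name, v)))
		}
	}
	stripped := bTag.ReplaceAllString(sigValue, "${1}${2}")
	h.Write([]byte(strings.TrimSuffix(relaxedHeader("DKIM-Signature", stripped), "\r\n")))
	return h.Sum(nil)
}

// dnsTXT is the TXT record value the domain owner publishes at selector._domainkey.domain.
func dnsTXT(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// signMessage computes bh= over the canonical body, then signs the header hash with the private key.
func signMessage(priv *rsa.PrivateKey, domain, selector string, hList []string, headers map[string]string, body string) string {
	bodySum := sha256.Sum256([]byte(relaxedBody(body)))
	sigValue := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; h=%s; bh=%s; b=", domain, selector, strings.Join(hList, ":"), base64.StdEncoding.EncodeToString(bodySum[:]))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerHash(headers, hList, sigValue))
	return sigValue + base64.StdEncoding.EncodeToString(sig)
}

// verifyMessage is the receiving server's side; zone is a constructed stand-in for the DNS lookup.
func verifyMessage(zone map[string]string, sigValue string, headers map[string]string, body string) error {
	tags := parseTags(sigValue)
	p := parseTags(zone[tags["s"]+"._domainkey."+tags["d"]])["p"] // s= selects the key under d=
	if p == "" { // no record published, or an RFC 6376 revocation (empty p=)
		return fmt.Errorf("no usable key for selector %q at %q", tags["s"], tags["d"])
	}
	der, _ := base64.StdEncoding.DecodeString(p)
	parsed, err := x509.ParsePKIXPublicKey(der)
	pub, ok := parsed.(*rsa.PublicKey)
	if err != nil || !ok {
		return fmt.Errorf("DNS record does not hold a usable RSA public key")
	}
	if sum := sha256.Sum256([]byte(relaxedBody(body))); base64.StdEncoding.EncodeToString(sum[:]) != tags["bh"] {
		return fmt.Errorf("body hash mismatch: body was altered after signing")
	}
	sig, _ := base64.StdEncoding.DecodeString(tags["b"]) // a malformed b= simply fails the check below
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerHash(headers, strings.Split(tags["h"], ":"), sigValue), sig)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	zone := map[string]string{"sel1._domainkey.example.com": dnsTXT(&priv.PublicKey)} // constructed stand-in for DNS
	hdrs := map[string]string{"from": "alice@example.com", "subject": "Invoice"}
	sig := signMessage(priv, "example.com", "sel1", []string{"from", "subject"}, hdrs, "See the  invoice.\r\n")
	fmt.Println("verify:", verifyMessage(zone, sig, hdrs, "See the invoice.\r\n")) // <nil> means dkim=pass
	fmt.Println("altered:", verifyMessage(zone, sig, hdrs, "See the REVISED invoice.\r\n"))
}
```

Two details are worth noticing when you run it. The body is signed with two spaces and verified with one, and the verify call still returns nil, because relaxed canonicalization collapses whitespace before hashing; that is the tolerance that lets signatures survive benign transit changes. Changing the body text, the From header, the selector, or publishing an empty p= all produce a distinct error, which is the kind of detail an Authentication-Results header later summarises as dkim=fail or dkim=permerror.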

How Is DKIM Used in Practice?

When the mail transfer agent (MTA) generates the DKIM signature, it produces a unique string of characters known as a hash value (or hash digest, as it’s sometimes called). This hash value is associated with the signing domain listed in the header.

How to Add a DKIM Record to Your Domain

Whichever type of mail server or email provider you use, some steps to set up DKIM remain the same. You’ll need a private key stored in a safe place, and you’ll need the matching public key published in the domain’s DNS records. DKIM publishes that public key in a TXT record with a special format.

It’s good practice to change your keys periodically. According to the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), you should change your DKIM keys at least every six months. Once you change your DKIM keys, you should also revoke your old keys as part of that security process. So, an easy way to manage this is by simply adding new keys and removing the old keys’ DNS records for the domain after a few days.

How to Verify That DKIM Is Set Up Correctly

Once you set up DKIM for an email service, send a message to an email address that you manage and check whether the DKIM-Signature and Authentication-Results headers show that DKIM passed.

You can also use DMARC reports to verify whether the sent message through the domain is authenticated correctly with DKIM and SPF. DMARC monitoring services process the reports for users and provide a detailed report of DKIM, SPF, and DMARC results for emails sent from the email providers you make use of.

How to Know Whether DKIM Is Working

You’ll have to test the DKIM settings of your domain. You can use a free diagnostic tool like DKIM Record Checker that will provide you all the information you need to know whether your DKIM is working correctly or not.

How to Read the DKIM Header

Email clients have different ways to view a message’s raw headers. Here is how you can do this in three popular email clients:

  • In Gmail, you’re required to select the Show original option from the context menu (⁝) to the top right side of the message.
  • In Mac’s Mail app, you’ll have to go to View >> Message >> Raw Source.
  • In Outlook, right-click the message and select the option View Source.

Once you access the raw message headers, find the DKIM-Signature header to verify the DKIM key used for signing the message. The Authentication-Results header provides the results of the DKIM checks carried out by the receiver’s mail server. Here’s an example of how this looks from postmarkapp.com:

Authentication-Results: mx.google.com;
       dkim=pass [email protected] header.s=google header.b="ga9/RuJg";
       spf=pass (google.com: domain of [email protected] designates 209.85.220.41 as permitted sender) [email protected];
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=wildbit.com
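An Authentication-Results header like the one above is also what a mail-filtering rule or a SIEM parser consumes. The following is an added example in Go, not code from the article or from Postmark, that parses such a header into per-method verdicts (RFC 8601 layout), handling folded continuation lines and the parenthesised comments that a naive split on ";" or spaces would break on, and then checks what DMARC actually cares about: that a dkim=pass exists whose signing domain (header.d, or the domain part of header.i) matches the From domain. The header value is a constructed sample modelled on the one above; mx.example.net, example.com, alice@example.com, 192.0.2.10 and the header.b value are placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// AuthResult is one method's verdict from an Authentication-Results header (RFC 8601).
type AuthResult struct {
	Method, Result string
	Props          map[string]string // e.g. "header.d" -> "example.com"
}

// splitMethods splits the header value on ';' while dropping (...) comments, which may
// themselves contain ';', spaces or '=' and so would confuse a plain strings.Split.
func splitMethods(s string) []string {
	var parts []string
	var cur strings.Builder
	depth := 0
	for i := 0; i < len(s); i++ {
		switch c := s[i]; {
		case c == '(':
			depth++
		case c == ')':
			depth--
		case depth > 0: // inside a comment: skip
		case c == ';':
			parts = append(parts, cur.String())
			cur.Reset()
		default:
			cur.WriteByte(c)
		}
	}
	return append(parts, cur.String())
}

// parseAuthResults returns the authserv-id (who did the checks) and the per-method results.
func parseAuthResults(header string) (string, []AuthResult) {
	value := strings.Join(strings.Fields(strings.TrimPrefix(header, "Authentication-Results:")), " ") // unfold
	parts := splitMethods(value)
	var results []AuthResult
	for _, part := range parts[1:] {
		fields := strings.Fields(part)
		if len(fields) == 0 || !strings.Contains(fields[0], "=") {
			continue
		}
		mr := strings.SplitN(fields[0], "=", 2)
		r := AuthResult{Method: mr[0], Result: mr[1], Props: map[string]string{}}
		for _, f := range fields[1:] { // ptype.property=value, value possibly quoted
			if kv := strings.SplitN(f, "=", 2); len(kv) == 2 {
				r.Props[kv[0]] = strings.Trim(kv[1], `"`)
			}
		}
		results = append(results, r)
	}
	return strings.TrimSpace(parts[0]), results
}

// dkimAligned reports whether some DKIM signature passed AND its signing domain (header.d, or
// the domain part of header.i) equals the From domain: DMARC's DKIM alignment check.
func dkimAligned(results []AuthResult, fromDomain string) bool {
	for _, r := range results {
		if r.Method != "dkim" || r.Result != "pass" {
			continue
		}
		d := r.Props["header.d"]
		if i := strings.LastIndex(r.Props["header.i"], "@"); d == "" && i >= 0 {
			d = r.Props["header.i"][i+1:]
		}
		if strings.EqualFold(d, fromDomain) {
			return true
		}
	}
	return false
}

// sampleHeader is a constructed example modelled on the article's; names and the address are placeholders.
const sampleHeader = `Authentication-Results: mx.example.net;
       dkim=pass header.i=@example.com header.s=google header.b="AbCd1234";
       spf=pass (example.net: domain of alice@example.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=alice@example.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com`

func main() {
	authserv, results := parseAuthResults(sampleHeader)
	fmt.Println("checked by:", authserv)
	for _, r := range results {
		fmt.Printf("%-5s %-4s %v\n", r.Method, r.Result, r.Props)
	}
	fmt.Println("DKIM aligned with From domain:", dkimAligned(results, "example.com"))
}
```

The alignment check is deliberately strict (exact domain match) so that a dkim=pass from an unrelated domain, which any sender can produce by signing with their own key, is not mistaken for proof that the From domain authorised the message; a production implementation would also accept organisational-domain matches when DMARC's relaxed alignment is configured.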

Can You Have Multiple DKIM Records?

Yes, a single domain can have more than one DKIM record within the DNS. However, each DKIM key uses a different selector, which is added to the DKIM signature of a message (the s= tag) and forms part of the DNS record name:

selector1._domainkey.example.com
selector2._domainkey.example.com

Do You Require DKIM?

While DKIM, DMARC and SPF aren’t technically requirements, using them is strongly recommended. If you run a business and send commercial or transactional emails, implementing DKIM and one or both of the other types of email authentication methods to verify that email is legitimate and coming from you or your business (not any malicious third party) is ideal.

Why Should You Use DKIM for Email?

Below are three definite reasons why you should implement DKIM for emails:

  1. It serves as a foundational email security and authentication technique.
  2. It increases email deliverability and domain reputation, helping your messages avoid spam and junk filters.
  3. It protects the integrity of your messages, so email recipients know whether they’ve been tampered with.

Wrapping Up This Primer on DomainKeys Identified Mail

DKIM is an essential email authentication technique that helps detect email spoofing, spam, and phishing. By implementing DKIM, you can rest assured that your email won’t be considered spam or end up in the recipients’ junk folders.

We hope this article has answered your questions on why you should implement DKIM, its importance, and how it works. Good luck!
