Does DKIM break for forwarded emails and mailing lists?
DKIM (DomainKeys Identified Mail) lets a receiving server detect whether selected parts of an email were altered in transit. The sending server attaches a digital signature, carried in a DKIM-Signature header, that covers a chosen set of headers and a hash of the message body. On receipt, the receiving server fetches the signing domain's public key from DNS (a TXT record at selector._domainkey.domain) and checks the signature. A pass means that the domain named in the signature's d= tag vouches for the message and that the signed parts arrived exactly as they were signed; on its own it does not prove who the sender is.
However, when someone forwards your emails, or you send them through a mailing list, the DKIM signature often breaks. Let's see why that happens and what you can do to mitigate it.
How does DKIM work?
There are two major steps in DKIM's process:
Signing
When a message leaves your DKIM-enabled domain, your mail server canonicalizes a chosen set of headers (listed in the signature's h= tag, which must always include From) together with the message body, hashes them, and signs the result with the domain's private key. The signature, the list of covered headers and the body hash are attached to the outgoing message as a DKIM-Signature header.
Verification
The receiving mail server reads the d= (domain) and s= (selector) tags from the signature, retrieves the public key from the TXT record at s._domainkey.d in DNS, and uses it to recompute the body hash and verify the signature over the listed headers. If both match, DKIM passes: the receiver now knows that the signed headers and body are what the signing domain sent. Whether that makes the message legitimate is a separate decision, usually made by DMARC, which also checks that the signing domain aligns with the From address.
DKIM and forwarded emails
When an email is forwarded, it passes through at least one intermediary server before it reaches the final mailbox. Forwarding can affect DKIM in three ways:
Header modifications
Forwarding services may add or modify headers. Adding a header that the signature does not cover (for example a new Received: line) is harmless, because only the headers named in the h= tag are signed. Changing any header that is listed there, such as Subject or From, invalidates the signature.
Body modifications
Some forwarding services modify the body (for example, by adding a footer or disclaimer, or by re-encoding it). Any change to the canonicalized body changes its hash, so the bh= value in the signature no longer matches and verification fails. The optional l= tag, which limits the body hash to the first l bytes of the body, lets appended text survive, but it also lets anyone append arbitrary content to a signed message, which is why RFC 6376 itself warns against relying on it.
Re-signing
Some forwarders re-sign the email with their own DKIM key. That gives the receiver a valid signature from the forwarder's domain, but the original signature stays broken if the forwarder changed anything it covered, and the new signature vouches for the forwarder's domain, not for the original sender's.
DKIM and mailing lists
Sending to a mailing list raises the same issues, usually all at once:
Header and body changes
Mailing lists add list-specific headers (for example List-Id and List-Unsubscribe) and footers (for example an unsubscribe link). Newly added headers only matter if the signature happens to cover them, but the subject tag most lists prepend (for example "[listname]") modifies Subject, which is almost always signed, and the footer changes the body hash. Either change is enough to invalidate the original signature.
Sender address changes
Some mailing lists rewrite the From header, replacing the author's address with the list's address, often precisely to avoid DMARC rejections at the recipients. Because From is always part of the signed header set, the rewrite itself breaks the original signature, and any signature the list adds is for the list's domain rather than the author's.
Re-signing by the mailing list
Some mailing lists re-sign the email with their own DKIM key. This guarantees integrity from the list to the recipient, but it does not restore the original sender's signature, and it is now the list's domain, not the sender's, that vouches for the message.
Why DKIM breaks
As explained above, forwarding and mailing lists alter the headers and body of a message. DKIM's purpose is precisely to detect such alterations: the verifier recomputes the body hash and the hash over the signed headers and compares them with what the signer produced, and any difference, whether a prepended subject tag, a rewritten From or an appended footer, makes the check fail.
That is why DKIM breaks on forwarded and list-relayed mail: the signature is still valid for the message that was originally sent, but the message that arrives is no longer that message.
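The breakage described in the last three sections can be reproduced in a few dozen lines. The script below is an added example, not part of the original article: it implements the relaxed canonicalization of RFC 6376 and the body-hash/header-hash split that a real DKIM verifier performs, then applies the edits a forwarder or mailing list typically makes to a constructed message. The RSA signature is replaced by an HMAC over the same canonicalized data so that it runs with the Python standard library alone (an assumption, not how real DKIM signs); the message, key, domains and selector are all made up.

```python
import base64
import hashlib
import hmac
import re
from typing import Optional

# Constructed example key. Real DKIM signs with an RSA or Ed25519 private key and
# publishes the public key at <selector>._domainkey.<domain>; HMAC-SHA256 with a
# shared secret stands in here (assumption) so the script needs no third-party
# library. Canonicalization and hashing, which decide what breaks, follow RFC 6376.
SECRET = b"constructed-example-key"
SIGNED_HEADERS = "from:to:subject:date"   # the h= tag; From is mandatory in real DKIM


def parse_message(raw: str):
    """Split a CRLF message into ([(name, value), ...], body); headers assumed unfolded."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        headers.append((name, value))
    return headers, body


def last_header(headers, name: str) -> Optional[str]:
    """DKIM takes repeated headers from the bottom up, so the last instance is used."""
    matches = [v for n, v in headers if n.lower() == name.lower()]
    return matches[-1] if matches else None


def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 3.4.2: lowercase the name, unfold, collapse whitespace, trim."""
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip()
    return f"{name.lower()}:{value}\r\n"


def relaxed_body(body: str) -> str:
    """RFC 6376 3.4.4: strip trailing WSP, collapse WSP runs, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip() for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def body_hash(body: str, length: Optional[int] = None) -> str:
    """bh= tag: base64(sha256(canonical body)), optionally over only the first l= octets."""
    canon = relaxed_body(body).encode()
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def header_mac(headers, h_tag: str, sig_value_without_b: str) -> str:
    """MAC over the canonicalized h= headers plus the DKIM-Signature header with b= emptied."""
    data = ""
    for name in h_tag.split(":"):
        value = last_header(headers, name)
        if value is not None:          # a listed but absent header contributes nothing
            data += relaxed_header(name, value)
    data += relaxed_header("DKIM-Signature", sig_value_without_b).rstrip("\r\n")
    return base64.b64encode(hmac.new(SECRET, data.encode(), hashlib.sha256).digest()).decode()


def sign(raw: str, domain: str = "example.com", selector: str = "s1",
         length: Optional[int] = None) -> str:
    """Prepend a DKIM-Signature header to a raw message."""
    headers, body = parse_message(raw)
    tags = (f"v=1; a=hmac-sha256; c=relaxed/relaxed; d={domain}; s={selector}; h={SIGNED_HEADERS}; "
            + (f"l={length}; " if length is not None else "")
            + f"bh={body_hash(body, length)}; b=")
    return f"DKIM-Signature: {tags}{header_mac(headers, SIGNED_HEADERS, tags)}\r\n{raw}"


def verify(raw: str):
    """Return (passed, reason), checking the body hash first as real verifiers do."""
    headers, body = parse_message(raw)
    sig = last_header(headers, "DKIM-Signature")
    if sig is None:
        return False, "no signature"
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    length = int(tags["l"]) if "l" in tags else None
    if body_hash(body, length) != tags["bh"]:
        return False, "body hash mismatch"
    # blank only the b= tag's value (not bh=, and not a "b=" inside base64 data)
    sig_without_b = re.sub(r"(?<![A-Za-z0-9+/])b=[^;]*", "b=", sig)
    if not hmac.compare_digest(header_mac(headers, tags["h"], sig_without_b), tags["b"]):
        return False, "header hash mismatch"
    return True, "pass"


# Constructed message as the author's server would send it.
ORIGINAL = (
    "From: alice@example.com\r\n"
    "To: test@lists.example.org\r\n"
    "Subject: Quarterly numbers\r\n"
    "Date: Mon, 01 Jan 2024 10:00:00 +0000\r\n"
    "\r\n"
    "Hi all,\r\nnumbers attached.\r\n"
)


def relay_scenarios(signed: str):
    """Apply typical forwarder / mailing-list edits to a signed message and verify each."""
    return {
        "untouched": verify(signed),
        "forwarder adds unsigned header": verify("Received: from relay.example.net\r\n" + signed),
        "list adds List-Id header": verify("List-Id: <test.lists.example.org>\r\n" + signed),
        "list tags Subject": verify(signed.replace("Subject: ", "Subject: [test] ")),
        "list appends footer": verify(signed + "-- \r\nTo unsubscribe, reply STOP\r\n"),
        "list rewrites From": verify(signed.replace(
            "From: alice@example.com", "From: alice via test <test@lists.example.org>")),
    }


def canonical_body_length(raw: str) -> int:
    """Octet length of the canonicalized body, for an l= signature."""
    return len(relaxed_body(parse_message(raw)[1]).encode())


if __name__ == "__main__":
    for case, result in relay_scenarios(sign(ORIGINAL)).items():
        print(f"{case:32} {result}")
    # With l= set to the original body length the footer survives, at the cost of
    # letting anyone append content to the signed message (RFC 6376 section 8.2).
    limited = sign(ORIGINAL, length=canonical_body_length(ORIGINAL))
    print("footer with l=:", relay_scenarios(limited)["list appends footer"])
```

Running it shows that an added Received: or List-Id: header leaves the signature valid, because only the headers named in h= are covered, while a "[test]" subject tag or a rewritten From fails on the header hash and an appended footer fails on the body hash. Setting l= to the original body length makes the footer case pass, which is exactly the property RFC 6376 section 8.2 warns about: the same tag lets an attacker append content of their own to a signed message.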
Mitigation strategies
You cannot stop an intermediary from modifying a message, so the original signature will still fail on modified mail. What you can do is limit the damage with these three strategies:
ARC (Authenticated Received Chain)
Authenticated Received Chain (RFC 8617) lets each intermediary record the authentication results it observed when the message arrived (ARC-Authentication-Results), sign the message as it forwarded it (ARC-Message-Signature), and seal the chain so far (ARC-Seal). A final receiver that validates the chain and trusts the intermediaries can see that the message passed DKIM and DMARC before the list modified it, and may choose to accept it despite the broken original signature. ARC does not repair the signature; it preserves evidence that the message was authentic earlier in its path.
Re-signing by Intermediaries
Forwarding services and mailing lists can re-sign messages with their own DKIM keys. The message then carries a valid signature from the intermediary, but that signature does not preserve the original one and does not align with the original sender's domain.
Use of DMARC
DMARC ties SPF and DKIM to the From domain and lets the domain owner publish a policy (none, quarantine or reject) for messages that fail both checks. Note that forwarding also breaks SPF, because the forwarder's IP is not in your SPF record, so an intact DKIM signature is what keeps plainly forwarded mail passing DMARC; a message whose signature was broken by a mailing list fails both and is handled according to your policy. Before moving from none to quarantine or reject, use the reports to identify the forwarders and lists your users depend on, or a stricter policy will cause exactly those messages to be dropped.
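To see how a DMARC policy interacts with the forwarding cases above, here is an added example (not code from the original article) that models the receiver-side DMARC verdict of RFC 7489: it checks whether the SPF-authenticated MAIL FROM domain or any verified DKIM d= domain aligns with the From domain, and applies the published p= policy when neither does. It assumes SPF and DKIM have already been evaluated and only their passing domains are handed in, approximates the organizational domain by the last two labels rather than the Public Suffix List, and reduces an ARC override to a single receiver decision; all domains are constructed.

```python
# Simplified DMARC evaluation (RFC 7489) for one message. Assumptions: SPF and DKIM
# results are supplied by the caller, the organizational domain is the last two
# labels (real receivers consult the Public Suffix List), and sp=/pct= are ignored.


def parse_dmarc_record(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dictionary."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain approximated as the last two labels (assumption)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(from_domain, spf_pass_domain, dkim_pass_domains, record, arc_override=False):
    """Return the DMARC verdict for one message.

    from_domain        domain of the RFC5322.From header, the identity DMARC protects
    spf_pass_domain    MAIL FROM domain that passed SPF, or None if SPF did not pass
    dkim_pass_domains  d= of every DKIM signature that verified
    arc_override       receiver's local decision to trust a validated ARC chain whose
                       earliest ARC-Authentication-Results show the message passed
    """
    tags = parse_dmarc_record(record)
    spf_aligned = spf_pass_domain is not None and aligned(
        spf_pass_domain, from_domain, tags.get("aspf", "r"))
    dkim_aligned = any(aligned(d, from_domain, tags.get("adkim", "r")) for d in dkim_pass_domains)
    passed = spf_aligned or dkim_aligned
    disposition = "none" if (passed or arc_override) else tags.get("p", "none")
    return {"pass": passed, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "disposition": disposition}


def delivery_paths(record: str) -> dict:
    """The same message from alice@example.com on different (constructed) delivery paths."""
    return {
        # direct delivery: SPF and DKIM both pass for example.com
        "direct": dmarc_evaluate("example.com", "example.com", ["example.com"], record),
        # plain forward: forwarder's IP is not in example.com's SPF record, DKIM untouched
        "forwarded, unmodified": dmarc_evaluate("example.com", None, ["example.com"], record),
        # forwarder using SRS: SPF passes for the forwarder's domain but does not align
        "forwarded with SRS": dmarc_evaluate(
            "example.com", "forwarder.example.net", ["example.com"], record),
        # mailing list: footer broke example.com's signature, list re-signed as lists.example.org
        "mailing list, re-signed": dmarc_evaluate(
            "example.com", "lists.example.org", ["lists.example.org"], record),
        # same list, but the receiver validated and trusts its ARC chain
        "mailing list, ARC trusted": dmarc_evaluate(
            "example.com", "lists.example.org", ["lists.example.org"], record, arc_override=True),
    }


if __name__ == "__main__":
    for policy in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                   "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"):
        print(policy)
        for path, verdict in delivery_paths(policy).items():
            print(f"  {path:28} pass={verdict['pass']!s:5} disposition={verdict['disposition']}")
```

The cases show why DMARC is not a fix for broken DKIM. A plain forward survives only because the signature is intact (SPF already fails for the forwarder's IP, and SRS makes it pass for the wrong domain), whereas a mailing list that breaks the signature and re-signs with its own domain fails both checks and gets whatever p= says; only an ARC-aware receiver can decide otherwise. Publishing p=none first and reading the rua= reports is how you find those lists before moving to quarantine or reject.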
A useful element of DMARC is its reporting feature: the aggregate reports requested with the rua= tag tell you which sources send mail for your domain and how their SPF, DKIM and alignment results came out, so you can spot both illegitimate senders and the legitimate forwarders and lists that are failing. Contact us to outsource your DMARC reporting and monitoring headache.