Chapter 4: What is DKIM?

Introduction to DKIM

DKIM stands for Domain Keys Identified Mail and is a protocol for email authentication that allows recipients to verify whether an email was actually sent and authorized by the domain owner. In other words, DKIM will enable organizations to take ownership of the emails sent through their domains by giving them a digital signature that mailbox providers can easily demarcate. DKIM is used to detect phishing emails from genuine ones using DKIM signature as the primary means of verification. The DKIM signature is typically added as a message header and secured with cryptographic encryption.

The DKIM signature is usually invisible to end-users or email recipients and mainly functions on a server level. The receiving server identifies whether an email is signed with the DKIM signature of the organization whose domain name is used. Once the verification is done, the email with all its constituent messages and attachments is forwarded to the end user’s mailbox.

Domain Keys Identified Mail began in 2004 as a merger of two existing technologies – enhanced DomainKeys from Yahoo and Identified Internet Mail from Cisco. This new technology eventually became a widely adopted email authentication technique. DKIM is a testament to the integrity of a message’s content and verifies that its contents have not been changed in transmission. In addition, it decreases the chances of emails not being delivered – a problem that has cost companies many loyal customers.

What are DKIM Keys?

DKIM operates by using the public-key cryptography approach to detect a forgery in emails and verify whether an email message was sent from a legitimate mail server. The DKIM keys help spot spam and malware-embedded emails. DKIM involves the generation of a pair of private and public encryption keys for each server. While the private key is allotted to the sender’s server, the public key is placed on the domain owner’s DNS zone file to form a special TXT record. The private key helps the sender’s server generate the required DKIM headers for outgoing client emails. The public key, on the other, verifies the authenticity of the sender.

How Does DKIM Work?

DKIM adds digital signatures to the headers of email messages which are then validated against public cryptographic keys in the organizational Domain Name System (DNS) records. The following steps are involved in the process:

  • Any outbound mail server sending an email generates a unique DKIM signature which is attached as a message header.
  • Inbound mail servers receiving these incoming emails scan the sender’s public DKIM keys in the DNS.
  • The inbound server decrypts the signature and compares it with a newly generated one using this public key.
  • If both values match, then the message is considered to be authentic and unaltered in transmission.

Adding DKIM to DNS Records

Having understood the role of DKIM in ensuring email delivery and authenticity, let us now look at the process of adding DKIM to your DNS records.

  • The first step is to create a list of all domains that have your authorization to represent you and send emails to end-users on your behalf. This list could include sending services and domains like invoice generators, marketing campaign platforms, etc.
  • These domains should then be contacted to procure DKIM configuration and a copy of the public key.
  • The next step is to generate key pairs either internally (if your organization uses its own server) or using third-party tools that facilitate DKIM record creation. However, third-party tools should be used only after checking your organization’s security policy.
  • After generating your DKIM record, you must publish your public key to your DNS record. DNS providers often support text (TXT) records of up to 255 characters, but you need to contact your provider if you wish to increase the size.
  • The final step is to save the private key to your mail transfer agent or SMTP server.

Are There Any Downsides to DKIM?

While DKIM has its advantages and enhances the efficiency of email communication, it has its downsides. Some of these are:

  • Replay Attack: A replay attack allows adversaries to insert extra fields in a DKIM signed message and bypass authentication because the signature would match anyway. DKIM was primarily created to check the reputation of sender domains, and in that sense, it is still useful. But what happens if DKIM authenticates an email from a reputed domain that perhaps was altered during transmission by adversaries to include additional header fields? Replay attacks are a common problem with DKIM because it doesn’t sign all parts of an email message and only authorizes selected parts. All the adversaries need to do is add a few more header fields, and the DKIM signature will still match. This makes end-users of such forwarded messages vulnerable.
  • Whitelisting: Yet another limitation of DKIM is the risk associated with whitelisting. For efficiency purposes, companies often whitelist trusted domains based on their DKIM signature. Whitelisting a domain is the opposite of blacklisting it and implies the authentication of emails without any scrutiny or analysis. However, such practices often make organizations vulnerable to phishing attacks.

Ready to Start?

DMARC Report is designed for large scale reporting needs, with a combination of domains and message volume.