What is DKIM?
DKIM (DomainKeys Identified Mail) is an email authentication method that allows a domain to sign its emails with a cryptographic signature. This allows recipients to verify that the email was sent by the domain it claims to be from and that the email has not been altered in transit.
The way DKIM works is by adding a digital signature to the email header using a private key that is stored on the sending mail server. The recipient mail server can then use the public key, which is published in the DNS records for the domain, to verify the signature and ensure that the email has not been tampered with.
DKIM is often used in conjunction with SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance) to provide a well-rounded email security strategy.
Why is DKIM Important?
Without DKIM (along with SPF and DMARC), it is relatively easy for an attacker to send emails that appear to originate from a domain they do not own. This is known as email spoofing and is a common tactic used in phishing attacks.
By implementing DKIM, domain owners can provide a layer of trust and authenticity to their outgoing emails in an effort to combat email spoofing and phishing attacks. This helps to protect both the domain’s reputation and the security of its messaging by ensuring that recipients can verify the authenticity of the emails they receive.
How Does DKIM Work?
When configured for a domain, DKIM adds a digital signature to the email in a DKIM-Signature header, and that signature covers the From: field of the email. The signature is generated using a private key that is stored on the sending mail server.
Additional fields can be included in the DKIM signature; the list of headers that were signed appears as a key-value pair in the DKIM-Signature header. The From: field is required and must always be signed, but other fields can be included as well, such as Subject:, To:, and Date:. The more fields that are signed, the more difficult it is for an attacker to modify the email without invalidating the signature, but this also increases the chance of a legitimate email being marked as invalid if any of the signed fields are genuinely modified in transit.
When the recipient mail server receives the email, it checks for the presence of the DKIM-Signature header. If the signature is present, the public key is retrieved from the DNS records for the domain and used to verify the signature.
The public key record contains information about the key algorithm used (k=), the version of DKIM (v=DKIM1), and the public key itself (p=). All other fields are optional; only v= and p= are required.
- v=: Specifies the version of DKIM being used. The current version is DKIM1.
- p=: Contains the public key that is used to verify the signature, typically a long base64-encoded string. If this is empty, the public key has been revoked.
- k=: Specifies the key algorithm used to generate the signature. The most common value is rsa, which is the default.
- t=: Optional; specifies the type of key being used. The most common value is s for a standard key, but y can be used for a key that is only used for testing.
- s=: Optional; specifies the service type that the key is used for. The most common value is email, but the default value is *, which means the key can be used for any service.
- h=: Optional; specifies the hashing algorithms that are allowed for the signature.
- n=: Optional; a note or comment about the key.
If the signature is valid, the email is considered authentic and unaltered in transit. If the signature is invalid or missing, the email may be flagged as suspicious or rejected outright by the recipient, depending on the DMARC policy that is in place for the domain.
A failed verification does not by itself force rejection of the email; it gives the recipient the reason for the failure so that it can take appropriate action.
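To make the verification rules above concrete, here is an added example (not code from the original article) that performs the checks a receiver can do without a DNS lookup: parse the tag=value lists used by both the DKIM-Signature header and the DNS key record, flag a missing v=/p=, a revoked (empty) p= or a testing (t=y) key, confirm that From: is among the signed headers, and recompute the body hash (bh=) under simple canonicalisation to detect a body altered in transit. The selector, domain and message are constructed sample data; the RSA signature (b=) itself is a placeholder and is not verified here.

```python
import base64
import hashlib

def parse_tags(value):
    """Parse a DKIM tag=value list; folding whitespace inside values is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = "".join(val.split())
    return tags

def check_key_record(txt):
    """Problems with a selector._domainkey TXT record (v= and p= required)."""
    tags, problems = parse_tags(txt), []
    if tags.get("v") != "DKIM1":
        problems.append("missing or unsupported v= (expected DKIM1)")
    if "p" not in tags:
        problems.append("missing p= tag")
    elif tags["p"] == "":
        problems.append("empty p=: key has been revoked")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y: key is in testing mode")
    return problems

def body_hash(body, algorithm="sha256"):
    """bh= under 'simple' canonicalisation: CRLF lines, trailing empty lines removed."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    canon = "\r\n".join(lines).encode() + b"\r\n"
    return base64.b64encode(hashlib.new(algorithm, canon).digest()).decode()

def check_signature_header(sig, body):
    """Checks needing no DNS: From: must be in h=, bh= must match the received body."""
    tags, problems = parse_tags(sig), []
    signed = [h.lower() for h in tags.get("h", "").split(":")]
    if "from" not in signed:
        problems.append("From: header is not in h=")
    algorithm = tags.get("a", "rsa-sha256").split("-")[-1]   # rsa-sha256 -> sha256
    if tags.get("bh") != body_hash(body, algorithm):
        problems.append("bh= does not match body: message body altered")
    return problems

# Constructed sample message: bh= is computed from the unaltered body so the
# check can be demonstrated; b= (the RSA signature) is only a placeholder.
BODY = "Hello,\r\n\r\nPlease review the attached invoice.\r\n\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel2024; "
             "h=from:to:subject:date; bh=" + body_hash(BODY) + "; b=PLACEHOLDER")
```

Note that appending extra blank lines to the body does not change bh= (canonicalisation strips them), while changing a single word in the body does.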
Setting Up and Configuring DKIM
If you’re using a provider for your email services (e.g., Google Workspace, Microsoft 365, or a third-party email marketing platform), they will typically provide instructions on how to set up DKIM for your domain, along with the necessary DNS records to add. Following their guidance and DNS record verification process is usually the easiest way to get started with DKIM.
On the other hand, if you’re managing your own mail services (e.g., using Postfix, Exim, or another mail server), you’ll need to generate a DKIM key pair (private and public keys) and configure your mail server to sign outgoing emails with the private key. You’ll also need to publish the public key in your domain’s DNS records.
Here are the general steps to set up DKIM:
- Generate a DKIM Key Pair: Use a tool like opendkim-genkey to generate a private and public key pair. The private key will be used to sign outgoing emails, while the public key will be published in your DNS records.
- Configure Your Mail Server: Set up your mail server to use the private key to sign outgoing emails. This typically involves installing and configuring a DKIM signing service (e.g., OpenDKIM) and updating your mail server’s configuration to use this service.
- Publish the Public Key in DNS: Create a DNS TXT record for your domain that contains the public key. The record will typically have a name like selector._domainkey.yourdomain.com, where selector is a name you choose to identify the key pair.
- Test Your DKIM Configuration: Use online tools like MXToolbox to verify that your DKIM DNS record is correctly published and that your mail server is signing outgoing emails.
- Monitor and Maintain: Regularly monitor your email deliverability and DKIM signing status. If you rotate your DKIM keys (which is a good security practice), make sure to update your DNS records and mail server configuration accordingly.
- Implement DMARC: To fully leverage DKIM, consider implementing DMARC for your domain. DMARC allows you to specify how email receivers should handle emails that fail DKIM (and SPF) checks, providing an additional layer of protection against email spoofing.
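As an added example for the publish and rotate steps (not code from the article or from OpenDKIM), the function below turns the PEM public key into the selector._domainkey TXT record. It handles the one part providers' instructions often gloss over: a single DNS TXT string is limited to 255 bytes, so a 2048-bit key has to be published as several quoted strings that resolvers and verifiers concatenate. Passing no key publishes an empty p=, which is how a retired selector is marked as revoked after rotation. The selector, domain and PEM body are constructed sample data, not a real key.

```python
import textwrap

def pem_to_base64(pem):
    """Strip the PEM armour so only the base64 key body (the p= value) remains."""
    return "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))

def dkim_txt_record(selector, domain, pem=None, max_chunk=255):
    """Build the TXT record for selector._domainkey.<domain>.

    Each TXT character-string may hold at most 255 bytes (RFC 1035), so the
    record value is split into chunks of that size and emitted as several
    quoted strings on one zone-file line. pem=None yields an empty p=,
    i.e. a revoked key for a selector that is no longer used for signing.
    """
    key = pem_to_base64(pem) if pem else ""
    value = "v=DKIM1; k=rsa; p=" + key
    chunks = [value[i:i + max_chunk] for i in range(0, len(value), max_chunk)]
    name = f"{selector}._domainkey.{domain}"
    zone_line = f"{name}. IN TXT ( " + " ".join(f'"{c}"' for c in chunks) + " )"
    return name, chunks, zone_line

# Constructed stand-in for the public key file written by opendkim-genkey: the
# body has the length of a 2048-bit RSA SPKI (392 base64 chars) but is padding.
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + "\n".join(textwrap.wrap("MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A" + "A" * 360, 64))
              + "\n-----END PUBLIC KEY-----\n")

if __name__ == "__main__":
    print(dkim_txt_record("sel2024", "example.com", SAMPLE_PEM)[2])
    print(dkim_txt_record("sel2023", "example.com")[2])   # revoked old selector
```

After publishing, the same lookup a verifier performs (a TXT query for sel2024._domainkey.example.com) should return strings that concatenate back to the full v=DKIM1 value.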