We'll cover what DKIM for email is, why your company needs it, how it works, how to set DKIM up, and additional ways to prevent email spoofing attacks.
What is DKIM?
First, let’s clarify what DKIM is in email. DomainKeys Identified Mail is a technique that uses your domain name to sign your emails with a digital “signature” so your customers know it’s really you sending those emails and that they haven’t been altered in transit.
Why Does DKIM Matter?
DKIM helps improve email deliverability and works with Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) to prevent email spoofing.
That's when a fraudster sends an email that looks as though it was sent from someone else by using a forged sender address. For example, fraudsters might send your employees emails that appear to come from your CEO. Or fraudsters might send your customers emails that appear to come from you.
By doing this, fraudsters can trick people into sending sensitive information—including login credentials and financial information. Email spoofing is used in phishing, spear phishing, and business email compromise attacks.
To learn more about how DKIM, SPF and DMARC work together, you can also read our ebook Getting Started with DMARC to protect yourself from email-based impersonations that can cause significant financial damage to your company, your customers, and to the general public. It can also obliterate trust in your brand.
In terms of deliverability, some email receiving servers expect emails to have SPF and/or DKIM signatures. Emails lacking them can be considered suspicious and may be marked as spam if they aren't blocked outright. DKIM can also improve deliverability for the emails you do send.
How Does DKIM Work?
DKIM uses asymmetric encryption to generate a public and private key pair. The public key is published as a special TXT record in the sending domain’s DNS . The private key is used to create your unique signature for each email.
Using your private key and the contents of the email, a security algorithm generates a unique signature as part of the email’s headers.
When a mail message is sent by an outbound mail server, the server generates and attaches a unique DKIM signature header to the message. This header includes two cryptographic hashes, one of specified headers, and one of at least some portion of the message body. The DKIM header also contains information about how the signature was generated.
When an SMTP server receives an email with such a signature in the header, the server asks the sending domain’s DNS for the public key TXT record. Using the public key, the receiving server will be able to verify whether the email was actually sent from that domain and not altered in transit.
If the check fails or if the signature doesn't exist, the receiving email service provider might mark the email as spam or block the sender's IP address altogether. This makes it harder for fraudsters to make emails look like they came from your domain address.
How to Set Up Your DKIM Record
You’ll need to:
- Install a DKIM package on your email server
- Create a public and private key pair
- Create a DKIM TXT record to publish the DKIM selector and your public key
- Test your DKIM setup to make sure that DKIM is up and running properly
By the end, you’ll have a DKIM record in your DNS that looks something like this:
<selector(s=)._domainkey.domain(d=)>. TXT v=DKIM1; (p=)<public key>
Specifically, DKIM records contain these tags:
- s= The selector record name used with the domain to locate the public key in DNS
- d= The domain to which the DKIM record is associated
- v= The version of the signature specification
- p= The public key
For example, here's what the DNS DKIM record looks like for Agari.com:
s1024._domainkey.Agari.com. v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQwPqBxkIOc1YVnJv3Occfbd3S68p
When you publish a DKIM record to your DNS, it may still be a few days before it takes effect. Once that happens, look up your DKIM record to confirm that it's working. But fair warning: While DKIM definitely helps, it won’t stop all email spoofing on its own. There are other steps you can take to complement, or in some cases, work in conjunction with DKIM.
Additional Steps for Preventing Email Spoofing
In addition to DKIM, adding SPF, DMARC, and BIMI will further help prevent email spoofing and improve email deliverability.
Sender Policy Framework (SPF) is an email authentication standard that allows domain owners to specify which servers are authorized to send email with their domain in the "Make From:” email address. SPF allows receiving email systems to query DNS to retrieve the list of authorized servers for a given domain. If an email message arrives via an authorized server, the receiver can consider the email legitimate.
Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication standard that works as a policy layer for SPF and DKIM to help email receiving systems recognize when an email isn't coming from a company's approved domains, and provides instructions to email receiving systems with email on how to safely dispose of unauthorized email.
Brand Indicators for Message Identification (BIMI) is an email specification that works in conjunction with DMARC to enable companies to have their logos displayed next to their email messages in a recipient's email client. Not only does this enhance brand visibility in crowded inboxes, it also verifies that the email is legitimate and comes from a trusted source.
Automate, Or Else?
Adding DKIM, SPF, DMARC or BIMI to a single domain takes just a few minutes. But applying them across all the domains in an organization's email ecosystem can be cumbersome, error-prone, and costly—especially when you're talking about thousands of domains across umpteen divisions and third-party email partners. Large organizations are advised to avoid a go-it-alone approach by using solutions such as Agari DMARC Protection.