As email-based cyber attacks continue to grow, organizations everywhere pay more attention to authentication techniques to secure their email environment. One such approach, DomainKeys Identified Mail (DKIM), is already an established standard.
What is DKIM? And how does DKIM work? These are two of the critical questions this article will address. So if you represent an ISP or MSP, or an organization that simply needs more information about DKIM, this article is for you.
What Is DKIM?
DKIM is an email authentication technique that protects email senders and recipients from forgery, spoofing, and phishing attacks and prevents the delivery of harmful spam emails. When DKIM is applied, recipients can verify that they have received emails from an authorized mail server.
The authentication process works by adding a unique digital signature to email headers, which then reveals which domain was used to sign the email. Then it is validated against a public cryptographic key in the organization’s Domain Name System (DNS) records. Inbound mail servers use the public DKIM key to decrypt the signature and compare it against a fresh version. If these values match, it proves the message is authentic and unaltered in transit.
How Does DKIM Work: A Detailed Process
In the early days of email, there were very few ways to verify and authenticate a sender’s identity. As a result, nearly all spam, phishing scams, and email-based viruses did so using falsified sender information. Although these problems have not disappeared, it is now possible to mitigate their impact with DKIM. It is now a widely-adopted email authentication technique, and leading email server software like Axigen check incoming email for DKIM signatures.
DKIM supplements SMTP, the basic protocol used to send email. It allows a sending organization to take responsibility for a message to be validated, verified, and therefore trusted by the recipient. For this, it relies on public-key cryptography.
Here is the step-by-step process of how DKIM works:
- The domain owner publishes a cryptographic public key. This is a specially-formatted TXT record in the domain’s overall DNS records.
- When a message is sent by an outbound mail server, the server generates and attaches a unique DKIM signature to the email message header. The signature is generated in a unique textual string called a “hash value” and is encrypted with a private key. Only the sender has access to this key.
The email header contains information about how the signature was generated. It also includes two cryptographic hashes, one of the specified headers, and one of the message body. Once these elements in the DKIM signature are set, they must remain unchanged. Otherwise, the DKIM validation will fail.
- When the recipient’s inbound mail server receives an email, it runs a DNS query to search for the sender domain’s public key. The variables provided in the DKIM signature help determine the key location.
The inbound server then uses this key to detect and decrypt the message’s DKIM signature back to the original hash values. These values are compared to the new values retrieved from the received mail. If they match, the DKIM authentication was valid, and the message can be proved genuine and not forged or modified in transit.
What Is a DKIM Signature?
A DKIM signature header is intended for automated processing and therefore includes a lot of critical information. This includes values or tags that enable the inbound mail server to validate the email. It does this by looking up a sender’s DKIM key and using it to verify the encrypted signature. Validation using DKIM signatures is always done at the server level; signatures are not visible to end-users.
In a DKIM signature header, important “tags” include d=, which represents the signing domain, and b= for the actual DKIM signature. Although DKIM signatures vary from message to message (in other words, they are unique by definition), these essential elements are present in every signature header.
The Value of DKIM: Does Your Organization Need It?
In the modern era, email continues to play a critical role in enterprise communications. It is also a vital tool for customer acquisition, retention, and support. These are just a few reasons organizations must guard against email-related challenges like spam, spoofing, and of course, phishing.
Email security starts with email authentication, so organizations need to go beyond basic questions like “What is DKIM?” and “How does DKIM work?” and to get more to the point with: “Do I need DKIM?”
The answer to this last question is an unequivocal “Yes”. For any business that sends out commercial, transactional or relational emails to its stakeholders — internal or external — some form of email authentication is crucial. Moreover, if you don’t have DKIM, virtually anyone can send an email from any server and “spoof” your name to make it look like it’s coming from you.
DKIM provides a robust authentication mechanism that protects the firm from phishing and spoofing attacks. It enables the sender to ensure that business-critical emails reach the right recipients’ inboxes and don’t end up in their spam folders. It also helps recipients verify that an email they receive from an organization is actually from them. Thus, DKIM promotes mutual trust, enhances relationships, and boosts brand reputations.
To define a more complete email authentication framework, DKIM should be implemented with SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance). Together, these methods prevent email spoofing and provide powerful and reliable email deliverability and security — advantages that every modern organization now needs.
Did you find this article useful? Did it answer your questions about DKIM? If yes, do share it with others so they can learn too!
Learn more from Axigen:
- How to configure DNS records for correct email functionality — FQDN, MX record, PTR record, SPF, DKIM, DMARC
- How to preserve the message headers used by the DKIM signing when using Axigen as a mail gateway
- How to configure Axigen to perform DKIM signing when Axigen is used as a mail gateway
- DomainKeys & DKIM Advanced Configuration of Axigen