DKIM Explained: Enhancing Email Security

“According to Google, in 2016, 86.8% of inbound emails were signed with DKIM. In 2013, it was 76.9%.”

(Source: Google Security)

Organizations rely heavily on domain servers for getting email services and security measures associated with them. But email domain owners often come across several parameters that have led to the compromise of their email domain. These compromises can incur financial loss and data breaches. It is estimated that around 75% of cyber attacks begin with email. Business Email Compromise (BEC) attacks incurred a loss of $1,866,642,107 globally in 2021. (Source: Channel e2e)

In light of the new guidelines for email senders set by Google, effective from February 2024, it’s imperative for all organizations to implement DMARC. These guidelines, aimed at enhancing email safety and reducing spam, specifically require bulk email senders – defined as those sending over 5000 emails per day to Gmail – to adhere to best practices. This includes strong authentication protocols such as SPF, DKIM, and DMARC. The emphasis on DMARC is crucial as it guides receiving servers on handling messages that fail SPF or DKIM authentication, thereby securing email communication and safeguarding domain reputation.

By incorporating DMARC, organizations can ensure compliance with these updated requirements, reinforcing their email security and maintain a positive sender reputation. This move is essential not just for meeting regulatory standards but also for establishing a more secure and trustworthy digital environment for business communications.

There are numerous such cases where email insecurity has led to major cyber attacks in the organization. Thus, it has always been a concern of the cyber world to ensure the security of email and domain servers. In the same stream, it has become essential to incorporate email authentication protocols to instill email security.

What is DomainKeys Identified Mail (DKIM)?

DomainKeys Identified Mail (DKIM) is an email authorization mechanism that uses a signature-based technique to validate the email. The DKIM is one of the prominent email authentication techniques that infuse a digital signature with every email.

The primary objective of DomainKeys Identified Mail is to make organizations accountable for their email delivery and its authenticity. It uses the “public key cryptography” approach to make sure that email is sent from a verified source and detect forgery.

What is the Purpose of DKIM?

The main purpose of implementing DKIM is to improve the deliverability rate of emails. It prevents the organization from phishing and spoofing attacks. Additionally, it prevents cybercriminals from sending emails on the behalf of your organization’s domain. The DKIM alone has some challenges and limitations. That’s why they are implemented in addition to SPF and DMARC. All three of them together enhance the security of email services and domains. 

How Does DKIM Work?

The foremost activity of DKIM is to associate a series of email messages with a specific domain. A DKIM record is published on a DNS (Domain Name System) server to uphold the authenticity of the email. 

The procedure of DKIM authentication is carried out using a public key which is published on a DNS record. The next element is to allocate a private key with an email, which is included in its header. This private key is a unique digital signature, specifically for a sender which is used for comparison and matching.

What is DomainKeys Identified Mail Record?

DomainKeys Identified Mail utilizes the DNS TXT record with a special format. When a user sends an email, the record signs the email with a private key. Further, this private key is validated by the public key, which is available in the DNS (Domain Name System) in the form of a TXT record. The public key is used by the receiving server to verify and validate the email.

These records can be revoked or renewed on the basis of providers. The Sender Policy Framework (SPF) can register only 10 records while DKIM can store a huge number of records on the basis of multiple sending sources.

How is DKIM Implemented?

The DKIM record is implemented in the form of a unique DNS TXT record. This DNS TXT record contains a public key which becomes an identifier for the sender’s domain server. So, when an email is sent, a unique private key is associated with it. This key is matched and verified against the public key, which is already present in the DNS.

The public key in the DNS will become a prominent checkpoint for every receiving email to verify whether it is authentic or spoofed. The DNS records keep expanding based on new providers and senders, as DKIM has the excellent feature of storing an unlimited number of records.

The whole procedure is streamlined based on the creation of a public and private key pair when the record is being set up for a particular domain. The selector is a collection of texts that is lodged in the email header through the “s=” tag while the email is sent.

The sent email contains the signature in the header of the email and after it is received, the signature is extracted from the header. The header will contain domain names, which will be explored in the DKIM record. The DNS TXT record contains the selector that holds the signature which will be reverted by DNS to the mail server of the receiver.

In the DNS TXT record, this signature is supposed to be stored in the form of a public key. When both of the signatures are matched, then the email is authenticated.

Configure Keys Using Best Practices

For organizations and email domain owners, it is always a concern to decide upon the practices that are needed to follow to configure DKIM. These practices ensures the best mechanism to implement DKIM and record it in DNS.

How DKIM Helps in Identifying Email Forgery?

This authorization is accomplished with the help of public-key cryptography. A private key is a kind of digital signature that is digitally imprinted on every email domain. The receiving mail server performs the validation through the DNS which consists of a public key. 

This whole process authenticates the genuineness of the emails ensuring that it hasn’t been tampered with during the transition. Further, at the receiving end, the organization’s email server completes the process of authentication by verifying the public key with the hash of the private key.  

Benefits of DomainKeys Identified Mail

• DKIM helps in increasing the reputation of a domain
• It also improves the engagement rates and decreases the bounce rates
• It restricts all the emails that are forged and sorts them into spam
• The biggest advantage is the rundown of whitelisting and blacklisting the email domains
• Identification of forged email reduces the burden on desk work
• Automated channel of blocking most of the email phishing attacks

What is a DKIM Check?

DKIM check is a kind of investigative analysis of the domain. There are web-based applications that are used to check whether it is implemented or not. You can evaluate your domain on TDMARC’s DKIM checker. This tool verifies the presence of the DKIM record and validates it in the domain server.

Why DomainKeys Identified Mail Fails?

The designation of DKIM fails only after the checker tools have evaluated the domain and found that it is absent. There are possible reasons why it fails and some of them are listed below.

• Misalignment of DKIM signature from a domain with the sender (Header: From)
• Incorrect DKIM public key record published in the DNS
• No DKIM public key record was published.
• Domain DNS zone of the sender is unreachable.
• The length of the DKIM key is too short. In present times, 1024-bit and 2048-bit keys are supported.

How can one ensure DKIM is implemented appropriately and in a simpler way? Let’s dive into the Solution

Email Security is a Priority and TDMARC is the Solution

DKIM has been useful for a long time to enhance email security and domain reputation. Now, it has become an essential part of the email authentication standards in addition to SPF. DKIM and SPF authentication protocols are crucial for email security. Every organization must incorporate these protocols to ensure security of their email domain.

TDMARC is a popular and widely recognized tool that provides a sophisticated platform for implementing DMARC policies along with SPF. It has an interactive dashboard that allows you to hover across various aspects of DMARC policies and view extensive report on every domain. Thus, TDMARC allows organization administrators to control all the domains and associated mail servers.

Editor’s Note: This post was originally published in 9 February 2022 and has been partially revamped and updated for accuracy and comprehensiveness.