We have always heard about how email authentication protocols like SPF, DKIM, and DMARC can help in enhancing email security. But, have you ever given thought to how these individual protocols are implemented? There are always instances where technical complications in implementation can lead to several problems. To prevent common mistakes and their damaging repercussions, let’s understand how to configure DKIM properly.
DomainKeys Identified Mail (DKIM) is an email authentication protocol that effectively detects if an email has been sent from a forged sender’s address. It allows the receiver to verify whether or not an email sent from a specific domain has been authorized by that domain’s owner.
DKIM affixes a digital signature to every outgoing email. The receiving server can then verify the signature using the sender’s public key published in the DNS. A valid DKIM signature helps in making sure that certain parts of the email have not been modified since the signature was imprinted. The details of the public key are specified in the DKIM record.
HOW TO CREATE A DKIM RECORD FOR PROPER CONFIGURATION?
Setting DKIM record properly is an essential element to configure DKIM properly. A DKIM record is set through the following steps.
- Pick a DKIM selector
- Generate a private-public key pair
- Use DKIM TXT Record to publish a selector and publish key
- Tokenize every outbound email
WHAT IS THE DKIM SELECTOR?
A selector is said to specify an attribute for a signature, which is recorded in the DKIM header field. The DKIM selector is specified using the “s=” tag, which is stored in the DKIM-signature header. A query is generated on the receiver end DNS using “selector”._domainkey.yourdomain.
If one uses “krat22” as a selector, then the domain name will become “krat22._domain.example.com”.
DKIM TXT RECORD
In the DKIM TXT record, the “p=” tag specifies the public key that is stored in the DNS. The format for storing keys is given below.
CONFIGURE DKIM BY FOLLOWING THE BEST PRACTICES
Working alongside Sender Policy Framework (SPF) and Domain-based Message Authentication Reporting and Conformance (DMARC), DKIM prevents malicious actors from spoofing your domains and sending fraudulent emails on your behalf. Serving as the best defense against spear-phishing and spoofing, DKIM is a boon to email security.
There are several instances where DKIM fails the check even when the email is legitimate. If this happens, even your legitimate emails will sometimes fail to deliver, causing you a lot of trouble. So, one must carefully implement DKIM and avoid making any mistakes. There are some focus points that are taken care of while configuring DKIM. They are listed below.
1. DKIM ALIGNMENT
The most common mistake in DKIM implementation is the signature alignment of senders and receivers. When DKIM alignment fails, it can adversely affect deliverability and even legitimate emails can land in the spam folder or be blocked entirely.
“The ‘d=’ value in the Header From address must match the d= value in the DKIM signature.”
An organization must make sure that all their emails are signed with one DKIM signature and that they are aligned correctly. Thus, it is important to configure DKIM.
2. RECORD DKIM PUBLIC KEY IN DNS
The DKIM public key is published as a DNS record. If the DKIM public key record is incorrect in the DNS, then it can cause problems during the authentication of your outbound emails.
This public key can span across several lines and consist of a combination of numbers, special characters, and both uppercase and lowercase letters. It can be tricky to manually type this record as it is while publishing the key in the DNS.
For this reason, most domain owners copy-paste the key into the configuration window. During this process, they often inadvertently add newline characters or whitespace, which breaks the public key.
If you want your organization’s emails to smoothly undergo and pass DKIM authentication, it is essential to make sure that your DKIM public key is published correctly in the DNS.
3. AVOID WIDESPREAD KEY SHARING
Every unique mail stream belonging to an organization or brand entity should have its own dedicated DKIM key.
DKIM is a little complex and proper key management can be time-consuming and tedious. That’s why domain owners often use the same key across many of their brands and mail streams, which is another one of the biggest DKIM mistakes.
A simplified configuration of shared keys can make implementation easier, which creates a critical vulnerability. That’s why organizations must avoid widespread sharing of a single DKIM record, rather they should make separate DKIM records for each domain or mail service provider.
4. KEY ROTATION
Key rotation refers to changing the DKIM key regularly, that is 3 to 4 times in a year. Key rotation helps you to make sure that even if a DKIM key is compromised, it can only be used for a short time. Once the existing key is rotated out and replaced by a new key, it becomes useless and cannot be exploited by hackers anymore.
5. KEY STORAGE
Every DKIM key that is created and configured by the organization’s administrator is stored in a file. Thus, security becomes extremely important for all the storage where DKIM is saved. The best practice to secure the storage is encryption of a database. Also, this becomes a crucial part of key management and distribution.
DMARC, SPF, AND DKIM SHOULD BE USED TOGETHER
Email spoofing and business email compromise are the leading cause of email-based attacks around the world. SPF, DKIM, and DMARC are used as email authentication standards to prevent such attacks. But the problem is that only 30% of the organizations implement all of them properly. There is a possibility of mistakes while implementing DMARC, so one should avoid making these mistakes. Then, what should be the best solution to implement these protocols?
TDMARC is a software-as-a-service-based platform that provides a highly interactive way to implement the DMARC policies. This tool also allows organizations to set SPF records. This feature is known as smart SPF, which implies that a user can modify and create SPF records easily. TDMARC provides a platform for users to set SPF records without going to DNS.
TDMARC provides organizations with a choice of changing and modifying the policies of DMARC. It also allows the administrators to view all the domains and email service providers that are associated with their organization. This tool allows users to view their DKIM records and ensure that DKIM is properly configured.