CodeNewbie Community 🌱

MariiaHlumilina


DKIM Explained

What is DKIM?

DomainKeys Identified Mail (DKIM) is a digital signature added to every email sent from a given email address. It’s not a typical signature you’d expect to see on the bottom of a corporate email. As a matter of fact, normally, you don’t even see the DKIM. It’s a seemingly random set of characters hidden in an email’s source code — a place where people don’t usually look, but servers accepting incoming emails definitely do.

After all, DKIM is an industry standard for email authentication. Of course, adding a DKIM signature doesn’t guarantee delivery, but it significantly boosts the odds of a positive outcome.

Why use DKIM?

Imagine the following scenario. You’re sending a quick follow-up message to a potential investor after a meeting: “Yvonne, let me know if you would like to proceed with what we discussed earlier.” Some time goes by and you never get a reply from Yvonne, but you bump into her at another meeting and discreetly mention that email. Puzzled, Yvonne says, “Mark, I never heard back from you.”

There are many potential reasons for poor deliverability, but, as it turned out, Mark forgot to set up DKIM authentication for his email account. As a result, Yvonne’s server wasn’t quite sure if it was really Mark emailing her and discarded the message.

The main purpose of DKIM is to prevent spoofing. Email spoofing is changing the original message’s content and sending it from an alternative sender that looks like a trusted source. This type of cyber attack is widely used for fraud — for example, someone sending payment request messages from an email address that looks like yours (mark@whatevercompany.io vs. mark@whatever-company.io).

How does DKIM work?

DKIM signing and receiving happens in three steps:

  • The sender decides what to include in a DKIM record

As a sender, you can limit yourself to signing only certain header fields (“From”, “To”, “Cc”, “Subject”, etc.), or go as far as including the entire header and body in the DKIM signature. You can also choose to add some or all of the optional fields mentioned above.

Technically, the more content you include, the more reliable the authentication will be. But you need to be careful here too: even the tiniest change to the signed content made by your SMTP email server (or anything else on the path) will lead to a failed DKIM authentication on the receiving side. Think, for example, about the “forwarded by…” text that email clients add to a message when forwarding it. If you include the entire body in the DKIM signature, verification will now inevitably fail, because the body was just modified.

  • The DKIM is created and a message including it is sent

Once the server knows what to include in the DKIM signature and sending is initiated, it starts hashing the content and signing the result. You have already seen what the “b” and “bh” tags look like in our example.

  • A message is received, and the server validates the DKIM signatures

Within seconds, the message is received by the receiving mail server, and it needs to make an important decision — whether to allow the email in or not. When it sees that a DKIM signature is included with the message, it immediately starts the validation process: it retrieves the sender’s public key from DNS, recomputes the hashes over the received content, and checks them against the signature.

How do you add a DKIM signature to your emails?

With Mailtrap Email API, you get DKIM records with a quarterly automated rotation that helps keep your email infrastructure secure.

How can you test whether DKIM was configured properly?

Once DKIM is added, make sure that you validate it with an online DKIM analyzer. Use, for example, MXToolbox or Mail-tester.com — the latter can be used to check SPF records simultaneously.

You can also just send a test email to your Gmail or Yahoo account and verify whether a message arrived with your DKIM signature yourself.

Once the message arrives, expand the email header with the triangle icon below the sender’s name. If the sender’s domain appears for both “mailed-by” and “signed-by”, the message was verified successfully with DKIM.

Three major misconceptions about DKIM

DKIM encrypts your mail

It doesn’t. DKIM’s primary concern is to verify and confirm that the message is intact. The hashes under the “bh” and “b” tags offer protection from message modification and replay, including partial protection from identity theft and forgery. A passed DKIM verification test means that the email was authorized to be sent from this domain and that the message content was not altered while in transit.

A DKIM signature can be forged since its details are available in DNS records

No, it cannot. DKIM is based on PKI (public key infrastructure), which means a pair of keys is involved: one public and one private. While it is true that the public key is published in the DNS records (and is available for everyone to retrieve), the private key is kept only on the email service provider’s server. The private key stays secret and is used to sign messages. The public key cannot sign messages and is used only for verification.

DKIM saves you from spam once and for all

We wish. Since a DKIM digital signature only proves that the sender is authorized to send messages from the domain and that the message was not meddled with on the way, DKIM only lowers the chances of spammers using forged or stolen email addresses.

However, nothing stops them from buying a domain, setting up a DKIM record, and continuing with their spamming activities. In fact, this might even, in a certain way, legitimize spam.

Nevertheless, using a real domain name instead of a forged one can most likely minimize phishing attacks like when you receive a forged email from your “bank” asking you to confirm your credit card details.

DKIM key rotation: keep your DKIM security up to date

Although 1024-bit DKIM public keys are hard to crack and 2048-bit keys are almost impossible to crack, they are still published in the DNS records and thus might become a target of attack. The private (signing) key could also be stolen if the system where it is stored is hacked.

To mitigate the risk of DKIM key compromise, you need to minimize the time the keys are actively used. The process of systematically replacing the old DKIM key pair with a new one is called DKIM key rotation.

In general, the recommended key rotation period is from quarterly replacement up to every six months. The frequency of key rotation should be established by the organization individually, but most definitely, it’s a must in the workflow.

The process of key rotation can become quite complicated within companies that have multiple email streams, delegated subdomains, or streams sent on their behalf by third parties. Thus, to keep your email flow secure, the DKIM key rotation process should be planned ahead.

Now you know what a DKIM signature is. You can read more on the Mailtrap Blog.

Top comments (1)

CodeNewbie Staff

Hi there, it appears that this post contains affiliate links. We ask that posts including affiliate links also contain a clear disclaimer so that readers are aware. Here is some suggested language:

This post includes affiliate links; I may receive compensation if you purchase products or services from the links provided in this article.