DKIM is an email authentication protocol that uses digital signatures to ensure messages weren’t
altered in transit. It relies on a public/private key pair (similar to SSL certificates): the
public key is published as a TXT record in the organization’s DNS, while the sending mail server
uses the private key to sign each outgoing message. Recipient mail servers then verify each
message’s signature against that published public key to confirm it came from the actual sending
domain. When the signature on an individual email verifies against the sending domain’s public
key, the message is considered authentic and is let through.
Any alteration to the message after it is signed invalidates the signature, revealing tampering;
the recipient organization’s email filter then assigns the message a high risk score or discards
it outright.
Both DKIM and SPF help verify the legitimacy of emails.
DKIM uses digital signatures to verify email content.
SPF lists which servers are authorized to send for a domain.
While DKIM does provide valuable email security protection, it has some limitations when used in
isolation.
1. Easily Set Up Incorrectly: Incorrectly configured DNS records or mismanagement can quickly
create vulnerabilities. You’d be surprised how often this occurs with such a complex record
entry, especially in regards to DKIM tags like the “l” tag.
2. Limited Scope: DKIM verification only ensures that the signed email content has not been
tampered with. It does not authenticate the entire message, nor does it prevent unauthorized use
of the domain in the “From” header.
3. Compatibility Limitations: Some email servers may not support or validate DKIM signatures,
which leaves those emails more exposed and more reliant on SPF, DMARC and MTA-STS to cover the
gaps.
To address these limitations, DKIM is most effective when used as part of a comprehensive DMARC
security strategy, which compensates for these gaps.
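As an added example (not code from the original article), the following shows the body-hash side of DKIM verification described above: the verifier recomputes the bh= tag over the relaxed-canonicalized body, so any alteration after signing is detected, and the optional l= body length tag from limitation 1 restricts how much of the body that check covers. The domain example.com, selector sel1 and the message body are constructed for the demo; the RSA signature over the headers (the b= tag) is out of scope here.

```python
import base64
import hashlib
import re
from typing import Optional

def relaxed_body(body: str) -> bytes:
    """Relaxed body canonicalization (RFC 6376 s.3.4.4): collapse runs of
    whitespace to one space, drop trailing whitespace and trailing empty
    lines, and terminate every line with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ")
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""

def body_hash(body: str, length: Optional[int] = None) -> str:
    """bh= value: base64(sha256(canonical body)), limited to l= octets if set."""
    data = relaxed_body(body)
    if length is not None:
        data = data[:length]  # l= tag: only the first l octets are signed
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs (folding whitespace removed)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags

def check_body(tags: dict, body: str) -> tuple:
    """Verifier side: recompute bh= and report whether the whole body is covered."""
    length = int(tags["l"]) if "l" in tags else None
    if body_hash(body, length) != tags["bh"]:
        return False, "bh mismatch: body altered after signing"
    if length is not None and len(relaxed_body(body)) > length:
        return True, "bh matches, but l= leaves trailing bytes unsigned"
    return True, "bh matches"

def sign_header(body: str, length: Optional[int] = None) -> str:
    """Signer side (constructed example.com/sel1): DKIM-Signature tags, b= left empty."""
    tags = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
            f"bh={body_hash(body, length)};")
    return tags + (f" l={length};" if length is not None else "") + " h=from:to:subject; b="

# Constructed sample body (not from a real mail stream); the double space is deliberate.
ORIGINAL_BODY = "Hello team,\r\n\r\nPlease review the   attached report.\r\n\r\n"

if __name__ == "__main__":
    hdr = parse_tags(sign_header(ORIGINAL_BODY))
    print(check_body(hdr, ORIGINAL_BODY))                                   # (True, 'bh matches')
    print(check_body(hdr, ORIGINAL_BODY.replace("attached", "revised")))    # (False, ...)
    short = parse_tags(sign_header(ORIGINAL_BODY, len(relaxed_body(ORIGINAL_BODY))))
    print(check_body(short, ORIGINAL_BODY + "Extra text outside the signed length\r\n"))
```

A verifier that treats the l= case as fully authenticated is the misconfiguration limitation 1 warns about; flag it rather than silently accept it.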
Both ISPs and popular email providers like Hotmail, Gmail and Yahoo Mail track email behavior,
looking at spam complaints, bounce rates and engagement, to identify “good” senders and ensure
their emails are far less likely to get stuck in a Spam folder somewhere, making sure your
messages are seen.
DKIM improves domain reputation by establishing a commitment to security that these same ISPs
and providers track.
DKIM also ensures that the content of the email has not been altered during transit, meaning your
client gets what you sent them: no randomly inserted phishing content and no data theft by
malicious middlemen.
Interested in learning more about DKIM and the complex tag options it provides?
We’ve got a deep dive on it available here.
The limitations of DKIM are addressed when integrated as part of a layered approach with DMARC.
Alongside SPF, DKIM serves as one of the two primary authentication mechanisms used by DMARC. Unlike SPF, DKIM is not affected by email forwarding or a lookup limit.
DMARC enforces an alignment check between the “From” header domain and the domain used for the DKIM signature. This prevents attacks where an attacker may use a legitimately signed email but alter the visible From address.
DMARC provides detailed feedback on DKIM authentication results, helping domain owners identify errors present in their DKIM implementation.
DMARC allows domain owners to specify how receiving servers should handle emails that fail DKIM authentication.
These DKIM capabilities work in tandem with DMARC for a defense-in-depth approach to email security, providing protection, visibility and enforcement when operating in harmony.