What is DKIM?
DomainKeys Identified Mail (DKIM) is an email authentication standard that uses public/private key cryptography to sign email messages. DKIM is used to verify that the email came from the domain that the DKIM key is associated with, and that the email has not been modified in transit.
DKIM is a stronger method of authentication than SPF because it survives most forwarding and lets you confirm that the message has not been tampered with in transit.
End users don’t have to manage DKIM. It’s configured by the mail administrator and enacted by the sending and receiving email servers.
How DKIM works
- First, the domain owner creates a cryptographic public/private key pair and publishes the public key, formatted as a TXT record, in the domain’s DNS zone. The DKIM-Signature header includes the domain name and a “selector” that identifies particular users, subdomains, services and the like.
- Each time an email user on that domain sends a message, a hash is generated from the contents of the message. That hash is then encrypted with (signed by) the domain’s private key, and the resulting signature is attached to the message in its DKIM-Signature header.
- The receiving email server recomputes the hash from the contents of the email message. It then uses the public key published in DNS to decrypt the signature and recover the hash the sender signed.
- If the hash value that the receiving server calculates matches the hash recovered from the signature in the email headers, the email passes DKIM authentication. This proves that the message hasn’t been tampered with since it was originally signed. The recipient knows exactly which domain and selector it was signed by.
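The sign-and-verify cycle described above, as an added example that is not part of the original article. It uses only the Python standard library and makes several labelled simplifications: "textbook" RSA over a SHA-256 digest with no PKCS#1 padding (real DKIM uses RSASSA-PKCS1-v1_5 or Ed25519), a reduced "relaxed" canonicalization, a key pair generated in-process rather than fetched from a DNS selector record, and constructed header and body values. It exists to show why an altered body, an altered signed header, or the wrong public key each cause the check to fail.

```python
import base64
import hashlib
import secrets


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; adequate for generating a throwaway demo key."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_keypair(bits: int = 1024):
    """Return ((n, e), (n, d)): a demo RSA key pair. Educational only."""
    e, half = 65537, bits // 2
    while True:
        p = secrets.randbits(half) | (1 << (half - 1)) | 1
        q = secrets.randbits(half) | (1 << (half - 1)) | 1
        if p != q and _is_probable_prime(p) and _is_probable_prime(q):
            phi = (p - 1) * (q - 1)
            if phi % e:  # e must be coprime with phi
                return (p * q, e), (p * q, pow(e, -1, phi))


def relaxed_body(body: str) -> bytes:
    """Simplified 'relaxed' canonicalization: collapse whitespace, drop trailing
    blank lines, CRLF line endings. (Real DKIM keeps leading whitespace.)"""
    lines = [" ".join(line.split()) for line in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()


def _header_digest(headers: dict, sig_header_without_b: str) -> bytes:
    """SHA-256 over the signed headers plus the DKIM-Signature header with b= empty."""
    data = "".join(f"{k.lower()}:{' '.join(v.split())}\r\n" for k, v in headers.items())
    data += f"dkim-signature:{sig_header_without_b}"
    return hashlib.sha256(data.encode()).digest()


def sign(headers: dict, body: str, domain: str, selector: str, priv) -> str:
    """Sender side: returns the DKIM-Signature header value (d=, s=, bh=, b=)."""
    n, d = priv
    bh = base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()
    sig = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
           f"h={':'.join(headers)}; bh={bh}; b=")
    digest = int.from_bytes(_header_digest(headers, sig), "big")
    signature = pow(digest, d, n)  # textbook RSA: no PKCS#1 padding (demo only)
    return sig + base64.b64encode(signature.to_bytes((n.bit_length() + 7) // 8, "big")).decode()


def verify(headers: dict, body: str, dkim_sig: str, pub) -> str:
    """Receiver side: recompute bh=, then check b= against the selector's public key."""
    n, e = pub
    tags = dict(t.strip().split("=", 1) for t in dkim_sig.split(";") if t.strip())
    bh = base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()
    if tags["bh"] != bh:
        return "fail: body hash mismatch (body altered in transit)"
    without_b = dkim_sig[: dkim_sig.rindex("; b=") + 4]
    expected = int.from_bytes(_header_digest(headers, without_b), "big")
    recovered = pow(int.from_bytes(base64.b64decode(tags["b"]), "big"), e, n)
    if recovered != expected:
        return "fail: signature does not verify (headers altered or wrong key)"
    return "pass"


def demo() -> dict:
    """Sign one message, then verify it intact, altered, and against a wrong key."""
    pub, priv = generate_keypair()
    headers = {"From": "Alice <alice@example.com>", "Subject": "Q3 invoice"}  # constructed
    body = "Hi Bob,\r\n\r\nPlease pay the attached invoice.\r\n"               # constructed
    sig = sign(headers, body, "example.com", "s2024", priv)
    return {
        "intact": verify(headers, body, sig, pub),
        "body altered": verify(headers, body.replace("attached", "updated"), sig, pub),
        "from altered": verify({**headers, "From": "Alice <alice@example.net>"}, body, sig, pub),
        "wrong key": verify(headers, body, sig, generate_keypair()[0]),
    }
```

Calling `demo()` returns a verdict per case: the intact message passes, a changed body fails on the `bh=` body hash before the signature is even examined, a changed `From:` header fails on `b=`, and the right signature checked against a different key (what happens when the wrong selector's record is consulted) also fails. The `h=` tag is what binds the `From:` header into the signature; a signer that omits it leaves that header unprotected.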
What is a DKIM selector?
A selector is a value that is used to identify something unique such as a subdomain, a specific user, an office location, or a cloud service that sends email. Selectors make it possible to support multiple public keys per domain.
A single domain could have many selectors, each one for a different sender. This allows for many different services to send on behalf of the domain without all needing to share the same private key.
Why does DKIM store keys in DNS?
The aim of DKIM was to simplify key management so that there is no need to rely on third-party certificate authorities. DKIM stores the public key in DNS, so domain owners can manage the public keys themselves.
Using DNS allows domain owners to authorize specific senders by placing public keys in separate selector records in DNS.
DKIM has a number of limitations that make it less than ideal for preventing phishing attacks. Because of these limitations, attacks could be executed from anywhere in the world without the domain owner having any clue. Here are some reasons why:
- Mismatched signature: A phishing message can contain a perfectly valid DKIM signature that comes from a domain completely different from the one shown in the From field. The most important address is the domain in the From field. This is what humans use to determine who or what a message is coming from.
- Key security: If an attacker acquires a domain’s private key, he or she could start signing messages “as” that domain, and they would pass DKIM validation perfectly.
- No connection: DKIM signatures do not require any kind of connection to the mail servers controlled by the domain owner.
Challenges in implementing DKIM
DKIM key management is vital for providing true security and protection. Email senders need to understand the significance of different DKIM key lengths (longer keys are more secure). Since the public DKIM keys are hosted in DNS, management can be difficult. DKIM keys are long strings of random-looking data and are easy to get wrong in DNS. Even a simple copy/paste issue will cause legitimate email messages to fail DKIM.
Managing DKIM keys
Domain owners need to track the age of specific DKIM keys so they can rotate them regularly. In many cases, this is not happening. And while senders could manually create individual DKIM key records for each email service they use, they often don’t, so all services share the same key and tracking becomes impossible.
For domains using multiple cloud sending services, a separate set of DKIM keys should be used for each service. Otherwise an error in importing keys into DNS can block all services using that key pair.
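A pre-publication check for the copy/paste and key-length problems described in the two sections above, added here as an example and not taken from the original article. It is standard-library Python; the small DER reader only understands the RSA SubjectPublicKeyInfo that an RSA `p=` value carries, the 1024-bit minimum is an assumption for this demo, and the sample records are built around a placeholder modulus rather than real keys.

```python
import base64
import re

MIN_RSA_BITS = 1024  # assumption: shorter keys are flagged as weak


def parse_tags(record: str) -> dict:
    """Turn 'v=DKIM1; k=rsa; p=...' into a dict, joining DNS-split quoted strings."""
    record = record.strip().replace('" "', "").strip('"')
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def _der_read(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("DER structure is truncated")
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(der: bytes) -> int:
    """Modulus size of an RSA SubjectPublicKeyInfo (the DER that p= carries)."""
    _, spki, _ = _der_read(der, 0)             # SubjectPublicKeyInfo SEQUENCE
    _, _alg, pos = _der_read(spki, 0)          # AlgorithmIdentifier (skipped)
    tag, bitstr, _ = _der_read(spki, pos)      # BIT STRING, first byte = unused bits
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsapub, _ = _der_read(bitstr[1:], 0)    # RSAPublicKey SEQUENCE
    tag, modulus, _ = _der_read(rsapub, 0)     # INTEGER n
    if tag != 0x02:
        raise ValueError("expected INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(record: str) -> list:
    """Return the problems found; an empty list means the record looks publishable."""
    tags = parse_tags(record)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append("only k=rsa is checked here")
    if "p" not in tags:
        return problems + ["p= tag missing"]
    p = tags["p"]
    if p == "":
        return problems + ["p= is empty, which means the key is revoked"]
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", p):
        return problems + ["p= contains non-base64 characters (stray whitespace or quotes?)"]
    try:
        bits = rsa_modulus_bits(base64.b64decode(p, validate=True))
    except (ValueError, IndexError):
        return problems + ["p= does not decode to an RSA public key (truncated paste?)"]
    if bits < MIN_RSA_BITS:
        problems.append(f"RSA key is only {bits} bits; publish at least {MIN_RSA_BITS}")
    return problems


# --- constructed sample records for the demo (placeholder modulus, not real keys) ---

def _der(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder used only to build the sample records."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def make_demo_record(bits: int) -> str:
    """A well-formed record around a placeholder modulus of the requested size."""
    def integer(x: int) -> bytes:
        b = x.to_bytes((x.bit_length() + 7) // 8, "big")
        return _der(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)
    rsapub = _der(0x30, integer((1 << (bits - 1)) | 1) + integer(65537))
    rsa_oid = _der(0x06, bytes.fromhex("2a864886f70d010101"))  # 1.2.840.113549.1.1.1
    spki = _der(0x30, _der(0x30, rsa_oid + _der(0x05, b"")) + _der(0x03, b"\x00" + rsapub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


def run_checks() -> dict:
    """Run the validator over constructed good and broken records."""
    good = make_demo_record(2048)
    samples = {
        "good 2048-bit": good,
        "weak 512-bit": make_demo_record(512),
        "split into DNS strings": '"' + good[:100] + '" "' + good[100:] + '"',
        "space pasted into key": good[:60] + " " + good[60:],
        "truncated paste": good[:-40],
        "revoked": "v=DKIM1; k=rsa; p=",
        "no key at all": "v=DKIM1; k=rsa",
    }
    return {name: check_dkim_record(rec) for name, rec in samples.items()}
```

`run_checks()` shows the distinction that matters operationally: a record legitimately split into several quoted DNS strings is fine, while a single stray space or a missing tail of the base64 value, both typical copy/paste accidents, produce a record that every receiver will reject. Running the same check against the live DNS answer after publishing catches the second class of error before mail starts failing.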
Making the best use of DKIM
DKIM offers strong security in the right context. We recommend only using DKIM in the context of DMARC, which adds the requirement of alignment. Alignment means that in order for SPF or DKIM to be used to pass DMARC, the domain in the Return-Path: (for SPF) or the domain associated with the DKIM key must be the same as the domain that the recipient sees in the From: address.
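The alignment rule just described, worked through as an added example that is not part of the original article. It models how a DMARC evaluator combines the raw DKIM and SPF results with the From: domain; the organizational domain is approximated as the last two labels (a real evaluator consults the Public Suffix List), the inputs are assumed to be already parsed, and the sender domains in the scenarios are illustrative.

```python
import email.utils


def org_domain(domain: str) -> str:
    """Approximate organizational domain as the last two labels.
    (Assumption for this demo; real code uses the Public Suffix List.)"""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(from_header, dkim_results, return_path_domain, spf_pass, adkim="r", aspf="r"):
    """
    dkim_results: list of (d= domain, verified) for each DKIM-Signature on the message.
    return_path_domain / spf_pass: the MAIL FROM domain and whether SPF passed for it.
    adkim / aspf: alignment modes from the DMARC record ('r' relaxed, 's' strict).
    """
    address = email.utils.parseaddr(from_header)[1]
    from_domain = address.rsplit("@", 1)[-1]
    dkim_aligned = any(ok and aligned(from_domain, d, adkim) for d, ok in dkim_results)
    spf_aligned = bool(spf_pass and aligned(from_domain, return_path_domain, aspf))
    return {
        "from_domain": from_domain,
        "dkim_pass": any(ok for _, ok in dkim_results),
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        "dmarc": "pass" if dkim_aligned or spf_aligned else "fail",
    }


def scenarios() -> dict:
    """Constructed cases; the domain names are illustrative, not real senders."""
    alice = "Alice <alice@example.com>"
    return {
        # Own mail server signs with the From domain: aligned on both counts.
        "first-party": dmarc_evaluate(alice, [("example.com", True)], "example.com", True),
        # Valid signature and SPF pass, but for the provider's own domain, not
        # example.com: the "mismatched signature" case that DKIM alone does not catch.
        "mismatched signature": dmarc_evaluate(alice, [("esp.example", True)],
                                               "bounce.esp.example", True),
        # A subdomain signer passes relaxed alignment but not strict.
        "subdomain relaxed": dmarc_evaluate(alice, [("mail.example.com", True)],
                                            "mail.example.com", True),
        "subdomain strict": dmarc_evaluate(alice, [("mail.example.com", True)],
                                           "mail.example.com", True, adkim="s", aspf="s"),
        # Forwarded: SPF passes only for the forwarder, but the aligned DKIM
        # signature survived the hop, so DMARC still passes.
        "forwarded": dmarc_evaluate(alice, [("example.com", True)],
                                    "forwarder.example", True),
    }
```

The "mismatched signature" case is the one the limitations section warns about: both DKIM and SPF report `pass`, yet neither passing identifier is example.com, so DMARC fails and the domain owner's policy applies. The "forwarded" case shows the other half of the argument for DKIM: the forwarder's Return-Path breaks SPF alignment, but the signature made by the sending domain still aligns.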