DKIM (DomainKeys Identified Mail) is one of the two authentication methods that the DMARC standard relies on to let mail receivers verify the sender of an email. DKIM computes a cryptographic hash of each signed message, signs that hash with the sending domain’s private key, and inserts the resulting signature into the email’s headers.

A receiving mail server can use this signature to verify that the message was signed by a sender authorized for the domain and that it was not tampered with in transit. Verification requires the sender’s public DKIM key to be available to receiving systems, which is done by publishing it in DNS.

A Tricky Protocol to Implement

Like its cousin SPF, DKIM is highly particular. It depends on the precise content of a DNS entry, where a single character out of place can render a record ineffective.

Creating and updating records by hand is arduous and error-prone. DKIM key records are long strings of apparent gibberish, so hand entry into DNS leaves them especially prone to typos or truncation. Moreover, many DNS systems automatically insert spaces or carriage returns into these long key values, which if allowed to go uncorrected will break them.

These mistakes are notoriously hard to detect. Since key records contain no language that makes “plain English” sense, anyone editing a record is less likely to discover an inadvertent error. Furthermore, DKIM provides no way to determine if an email was successfully authenticated by the receiver.

Cryptographic Best Practices a Must

DKIM depends on administrators to create and maintain secure cryptographic keys. Cryptography is an area of specialized knowledge, and incorrect application can leave mail insecure and vulnerable to spoofing. In particular, keys that are too short or too old are common security holes.

Keeping track of DKIM keys can be tough. Companies often struggle to understand which keys correspond to which services and how old those keys are. The keys themselves don’t and cannot contain this information, meaning administrators require external tracking for them. Changes in personnel or misplaced tracking spreadsheets can leave you scratching your head about your keys and what they do.

Detection and reporting of compromised keys is nonexistent. The only way you may learn your cryptographic keys have been compromised by a bad actor is when a breach takes place. Plus, DKIM records incorrectly implemented in DNS might block delivery of legitimate messages.
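Two of the failure modes described above, a record mangled on its way into DNS and a key that is too short, can be checked mechanically once the record is read back from the TXT entry. The following Python script is an added example; it is not part of this page and not ValiMail’s code. It splits the record into its tag=value pairs, strips the whitespace that DNS tooling inserts into the long p= value (RFC 6376 says verifiers ignore it, so the script only warns), decodes the key and reports the RSA modulus size against the 1024-bit floor and 2048-bit recommendation of RFC 8301. The records it checks are constructed inside the script: the modulus is a placeholder integer shaped like an RSA modulus, not a real key pair. Key age, as the text notes, is not something the record can reveal, so it is deliberately outside what this check reports.

```python
# Added example (not ValiMail's code): check a DKIM key record as published in DNS.
# Sample records are CONSTRUCTED: the modulus is a placeholder integer, not a real key.
import base64
import binascii
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1

def parse_dkim_tags(txt: str) -> dict:
    """Split a DKIM key record (RFC 6376 tag=value list) into a dict."""
    tags = {}
    for field in txt.split(";"):
        if not field.strip():
            continue  # a trailing ';' is legal
        if "=" not in field:
            raise ValueError(f"malformed tag, no '=': {field.strip()!r}")
        name, value = (s.strip() for s in field.split("=", 1))
        # Whitespace only belongs inside p= (where it is ignored); elsewhere it usually
        # means a ';' went missing, e.g. "k=rsa p=..." being read as one tag.
        if name != "p" and re.search(r"\s", value):
            raise ValueError(f"unexpected whitespace in {name}= value (missing ';'?)")
        tags[name] = value
    return tags

def _der_read(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, contents, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki: bytes) -> int:
    """Modulus size in bits of a DER SubjectPublicKeyInfo that holds an RSA key."""
    tag, body, _ = _der_read(spki, 0)         # SubjectPublicKeyInfo SEQUENCE
    tag2, alg, pos = _der_read(body, 0)       # AlgorithmIdentifier SEQUENCE
    if tag != 0x30 or tag2 != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    tag, bitstr, _ = _der_read(body, pos)     # BIT STRING wrapping RSAPublicKey
    _, rsa_key, _ = _der_read(bitstr[1:], 0)  # skip the unused-bits byte
    tag2, modulus, _ = _der_read(rsa_key, 0)  # first INTEGER is the modulus n
    if tag != 0x03 or tag2 != 0x02:
        raise ValueError("malformed RSA public key")
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(txt: str) -> dict:
    """Errors make the record unusable; warnings flag weak or suspicious keys."""
    result = {"key_bits": None, "errors": [], "warnings": []}
    try:
        tags = parse_dkim_tags(txt)
    except ValueError as exc:
        result["errors"].append(str(exc))
        return result
    if tags.get("k", "rsa") != "rsa":
        result["warnings"].append(f"key type {tags['k']!r} is not RSA; size check skipped")
        return result
    if "p" not in tags:
        result["errors"].append("no p= tag: the record publishes no public key")
        return result
    if re.search(r"\s", tags["p"]):  # legal per RFC 6376, but a classic sign of reflowing
        result["warnings"].append("whitespace inside p= (record reflowed by DNS tooling?)")
    p = re.sub(r"\s+", "", tags["p"])
    if p == "":
        result["warnings"].append("empty p=: this key is revoked")
        return result
    try:
        bits = rsa_modulus_bits(base64.b64decode(p, validate=True))
    except (binascii.Error, ValueError) as exc:
        result["errors"].append(f"p= does not decode to an RSA key ({exc}); truncated?")
        return result
    result["key_bits"] = bits
    if bits < 1024:    # RFC 8301: verifiers must not accept RSA keys below 1024 bits
        result["warnings"].append(f"{bits}-bit key is weak; verifiers will reject it")
    elif bits < 2048:  # RFC 8301: signers should use at least 2048 bits
        result["warnings"].append(f"{bits}-bit key is below the recommended 2048 bits")
    return result

def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder used only to build the constructed sample keys."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def constructed_record(bits: int) -> str:
    """CONSTRUCTED v=DKIM1 record: p= wraps a modulus-shaped placeholder, not a real key."""
    n = (1 << (bits - 1)) | 0xC0FFEE | 1                          # top bit set: bit_length() == bits
    modulus = _der(0x02, b"\x00" + n.to_bytes(bits // 8, "big"))  # leading 0x00: positive INTEGER
    rsa = _der(0x30, modulus + _der(0x02, b"\x01\x00\x01"))       # RSAPublicKey {n, e=65537}
    spki = _der(0x30, _der(0x30, RSA_OID + b"\x05\x00") + _der(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

if __name__ == "__main__":
    good = constructed_record(2048)
    for rec in (good, good[:70] + " \r\n " + good[70:], good[:-10], constructed_record(512)):
        print(check_dkim_record(rec))
```

Running the script prints the checker's verdict for a sound 2048-bit record, the same record with a carriage return and spaces dropped into the key by a DNS editor (still decodes, but warned), a record truncated during hand entry (an error, since the base64 no longer decodes), and a 512-bit key (a warning that verifiers will reject it). A real deployment would feed it the TXT strings returned by a DNS query for the selector rather than the constructed samples.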

Getting a Handle on DKIM Keys

ValiMail Pro™ offers visibility into and configuration of DKIM records without the difficulty of hand crafting DNS entries. The service examines and provides an integrated viewpoint on your DKIM keys. It identifies:

  • Age of keys, including those nearing the end of their safe lifespan or beyond
  • Strength of keys, including weak keys
  • Detected configuration errors

You configure your DKIM keys directly from the ValiMail console. Its intuitive interface gives you clear visibility into the status of each individual key and its cryptographic strength. And it offers you a convenient “Warnings” section for at-a-glance examination of potential issues that need addressing.

The console enables you to add, remove, and change the configuration of DKIM keys with point-and-click simplicity. Each key includes a plain English description of its associated sender and supports user-entered descriptive text for better tracking of keys and their purposes. No more tracking keys in spreadsheets.