We will discuss DKIM for email, what it is, why it is important, how it works and how to set it up.
What is DKIM?
Let’s first clarify what DKIM in email is. DomainKeys Identified mail is a technique that uses the domain name to sign emails. This digital signature lets customers know that you are sending them and haven’t been altered during transit.
Why is DKIM important?
DKIM improves email delivery and is compatible with Sender Policy Framework and Domain-based Message Authentication Reporting and Conformance. In addition, it protects against email spoofing.
This happens when fraudsters send emails that look like they were sent from another person using a fake address. Fraudsters can send emails to employees that appear to be from your CEO, for example. Likewise, emails sent to customers by fraudsters could appear to come from you.
By doing this, fraudsters can trick people into sending sensitive information–including login credentials and financial information. Email spoofing is also used to spear phishing and compromise email attacks against businesses.
Some email servers require that emails have DKIM and SPF signatures to ensure deliverability. If they don’t have them, emails can be deemed suspicious and marked as spam. DKIM can improve the delivery of any emails you send.
How does DKIM work?
DKIM uses asymmetric encryption to create a public-private key pair. The public key is published in a TXT record on the domain that sent the email. Then, your unique signature is created using the private key.
A security algorithm uses your private key and the contents to create a unique signature part of the email’s headers.
An outbound mail server creates and attaches a unique DKIM Signature header to each mail message. This header contains two cryptographic hashes: one for the specified headers and at least some of the message’s body. Information about how the signature was created is also included in the DKIM header.
SMTP servers will ask the sending Domain for the public key TXT records when they receive an email with this signature in the header. The public key will allow the receiving server to confirm that the email was sent from the Domain indicated.
The receiving email service provider may mark an email as spam or block the sender’s address entirely if the check fails. As a result, fraudsters won’t create emails that look like they are coming from your Domain.
How to set up your DKIM record
These are the things you’ll need:
- Install a DKIM package to your email server
- Make a pair of public and private keys
- To publish your DKIM selector, create a DKIM TXT Record
- To ensure that DKIM works properly, test your DKIM configuration
You’ll see a DKIM Record in your DNS by the end.
These tags are found in DKIM records specifically:
- s= The selector name that is used in conjunction with the Domain to locate public keys in DNS
- d= Domain to which the DKIM records are associated
- v= Version of the signature specification
- p= Public key
s1024._domainkey.emailauth.com. v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQwPqBxkIOc1YVnJv3Occfbd3S68p8E5BafsirMBaSPxqIgnzaxNSyPp8INEPL61cIRKo3u195Px5XHNwjEfq76BvDu7eUYXxY8zKcAS74heKAeyfpVaMFWHUzCoujPNzzorCIRtP5CuY+ILw+Vj1SKN6xlBWhouCSHWhOr/vcYQIDAQAB
It may take a few days for a DKIM file to be published to your DNS. To confirm that your DKIM record is working, you can look it up once that has happened. Fair warning: DKIM won’t stop all email-spoofing by itself. You can complement or, in certain cases, work with DKIM by taking other steps.
Additional steps to prevent email spamming
DKIM is not the only option. Adding DMARC, BIMI, and SPF will help to prevent email spoofing. It will also improve email deliverability.
Sender Policy Framework (SPF), an email authentication standard, allows domain owners to indicate which servers can send email to their Domain from the “Make From” email address. SPF allows email systems to query DNS to find the authorized servers for a domain. The receiver can accept an email message that arrives through an authorized server as valid.
Domain-based Message Authentication Reporting & Conformance is an email authentication standard. It acts as a policy layer to SPF and DKIM and helps email receiving systems recognize emails not coming from approved domains. It also provides instructions to email receiver systems on how to dispose of unauthorized mail.
Brand Indicators for Message Identification (BIMI) is an email specification that works in conjunction with DMARC to enable companies to have their logos displayed next to their email messages in a recipient’s email client. It increases brand visibility in crowded email inboxes and confirms that the email comes from a trustworthy source.
Automate, Or Else?
It takes only a few minutes to add DKIM, SPF or DMARC to a single domain. However, applying these to all domains within an organization’s email environment can prove cumbersome, costly, and error-prone. It is especially true when thousands of domains span multiple divisions and third-party email partners. Therefore, large organizations should use solutions instead of attempting to do everything yourself.
Source:https://medium.com/@rawatnimisha/dkim-for-email-what-it-is-how-it-works-and-how-to-add-it-571d0e0d0c18