DomainKeys Identified Mail (DKIM)
DomainKeys Identified Mail (DKIM) is an email authentication method used to prevent spammers from impersonating you as an email sender. The use of a forged return address in an email envelope is the most common technique used by fraudsters to send phishing emails. DKIM helps the receiving mail server verify that the email message is authentic and hasn't been tampered with during transit.
How DKIM authentication works
DKIM uses a pair of private/public keys to sign email messages. The public key is published in the domain's DNS. The mail server software is then configured to sign outbound email messages using a private key. The email message is signed with a digital signature as soon as it leaves your organization's mail server. The signature is embedded in the message header, which isn't normally visible to the end user. When the destination mail server receives the signed message, it uses the public key (published in the sending domain's DNS) to validate that the email message is legit and hasn't been modified during the transmission from source to destination.
Understanding DKIM record syntax
Like SPF, DKIM also requires a TXT record to be published in DNS. As mentioned above, DKIM requires a private key and a public key. The private key must be securely stored on the mail server, whereas the public key needs to be published in DNS as a TXT record. The following table shows an example of a DKIM record:
These are the key takeaways about the NAME field:
- The name of the TXT record starts with a selector name, which can be an arbitrary text string. The selector enables you to use multiple DKIM keys in your domain.
- The DKIM keys are stored in a subdomain named _domainkey, which is the next part, followed by a period (.).
- Depending on your DNS registrar, you might need to append the domain name at the end, so ultimately, the Name part of your TXT record becomes selector1._domainkey.company.com. Some domain registrars (like GoDaddy) automatically append the domain name at the end, so you only need to type selector1._domainkey in the Name field.
This is what you need to know about the DKIM field:
- The field starts with v=DKIM1, which indicates that we are working with a DKIM version 1 record.
- It contains multiple sections separated by a semicolon (;).
- The p= prefix is used to specify the DKIM public key in the base-64 format.
- Sometimes, you will see k=rsa, which denotes the public key type. RSA is the default key type in a DKIM record.
Generating DKIM keys
Most email service providers allow you to generate DKIM keys, so you don't have to rely on third-party tools. If you use any third-party tool or website to generate the keys, they may record the private key and could use it to send forged emails on your behalf, which defeats the whole idea of using DKIM authentication.
You could use DKIM Core to generate the DKIM keys for testing and education purposes. For a production domain, it is highly recommended to use the DKIM tool provided by your mail service provider, since it is the safest way.
If your provider doesn't offer such a tool, you can use the openssl command line tool to manually generate key pairs, as shown below:
openssl genrsa -out company.com.key 2048 openssl rsa -in company.com.key -pubout > company.com.pub
Once the keys are generated, open the company.com.pub file in a text editor to view the public key.
To publish the key in DNS, you have to remove the "-----BEGIN PUBLIC KEY-----" and "-----END PUBLIC KEY-----" keywords and delete all line breaks to get a continuous string, as shown in the following screenshot.
Publishing DKIM records
Next, you have to log on to the DNS management page of your domain registrar and create a TXT record to publish the public key for DKIM. The following screenshot shows how to do this in the Cloudflare DNS.
Enabling DKIM authentication
Once your DKIM public key has been published in DNS, you have to enable DKIM authentication in your mail server software. The following screenshot shows how to enable DKIM signing in the Zoho admin console.
Validating DKIM authentication
After enabling DKIM authentication in your mail server, you can validate the DKIM record using the DKIM checker. You just have to enter the selector name and domain name to validate the DKIM record for your domain. The following screenshot shows what the validation results look like:
Alternatively, you could send an email from your domain to a gmail.com address and view the email headers to verify the DKIM status. In Gmail, open the email message that you sent from your domain, click the three dots in the right corner, and select Show original.
If everything is configured correctly, you should see PASS next to the DKIM and SPF fields.
Subscribe to 4sysops newsletter!
In my next post, I will discuss the difference between SPF and DKIM.