What is DomainKeys Identified Mail (DKIM)?
DKIM is an email authentication protocol that uses digital signatures to show that a message was sent with the approval of the signing domain and was not altered in transit. The sending organization generates a public/private key pair (comparable to the key pair behind a TLS certificate), publishes the public key in a DNS TXT record under its domain (at selector._domainkey.example.com), and has its mail server sign each outgoing message with the private key, attaching the result as a DKIM-Signature header. Receiving mail servers read the selector and domain named in that header, fetch the matching public key from DNS, and use it to verify the signature against the message as received.
When the signature verifies against the signing domain's public key, the message is considered authentic for that domain and is let through.
Any alteration to the signed headers or body after signing breaks the signature: the hash the recipient computes no longer matches the one that was signed. That reveals tampering and typically results in a high risk score from the recipient organization's email filter or outright rejection of the message.
How does DKIM differ from SPF?
Both DKIM and SPF help verify the legitimacy of emails. DKIM uses a digital signature to verify that the headers and body it covers were signed by a holder of the domain's private key and have not been modified since, while SPF lists which servers (by IP address) are authorized to send for a domain.
Weaknesses: Why DKIM Alone Isn’t Enough
While DKIM does provide valuable email security protection, it has some limitations when used in isolation.
Easily Set Up Incorrectly: Incorrectly configured DNS records or mismanagement can quickly create vulnerabilities. You'd be surprised how often this occurs with such a complex record entry, especially in regards to DKIM tags like the "l" (body length) tag, which limits the signature to the first part of the body and leaves anything appended after that point unsigned.
Limited Scope: DKIM only proves that the headers and body covered by the signature have not changed since they were signed by the domain named in the signature's d= tag. It does not, by itself, prevent unauthorized use of your domain in the visible "From" header: a message can carry a perfectly valid signature from some other domain while the From address claims to be yours.
Compatibility Limitations: Some email servers do not validate DKIM signatures at all; for mail delivered to them DKIM adds no protection, which leaves you more reliant on SPF, DMARC and MTA-STS to cover those gaps.
To address these limitations, DKIM is most effective when used as part of a comprehensive DMARC security strategy, which compensates for these gaps.
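The signing and verification flow described above, together with the "l" tag problem from the weaknesses list, as an added Go example (this is not code from the original article). It assumes a constructed message, a map standing in for the DNS lookup of selector._domainkey.domain, standard-library RSA-SHA256, and a simplified "simple" canonicalization with lowercase header names; example.com, the s1 selector and the addresses are illustrative. Verify does what a receiving server does: fetch the key, check the body hash, then check the signature over the listed headers. Appending text to a message signed over the whole body fails; appending to one signed with l= still verifies.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// Message is a constructed email: header names stored lowercase, body with CRLF line ends.
type Message struct {
	Headers map[string]string
	Body    string
}

// bodyHash computes bh= over the "simple"-canonicalized body; with l > 0 only the first l bytes count (the l= tag).
func bodyHash(body string, l int) string {
	cb := strings.TrimRight(body, "\r\n") + "\r\n"
	if l > 0 && l < len(cb) {
		cb = cb[:l]
	}
	sum := sha256.Sum256([]byte(cb))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// signedHeaders renders the h= headers, in the order the signer listed them, as "name: value\r\n".
func signedHeaders(m Message, names []string) (s string) {
	for _, n := range names {
		s += n + ": " + m.Headers[n] + "\r\n"
	}
	return s
}

// parseTags splits the "k=v; k=v" syntax shared by the DKIM-Signature header and the DNS TXT record.
func parseTags(s string) map[string]string {
	out := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			out[k] = v
		}
	}
	return out
}

// DNSRecord is the TXT value the domain owner publishes at <selector>._domainkey.<domain>.
func DNSRecord(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// Sign returns the DKIM-Signature header value for m; l = 0 signs the whole body.
func Sign(m Message, priv *rsa.PrivateKey, domain, selector string, l int) string {
	tags := fmt.Sprintf("v=1; a=rsa-sha256; c=simple/simple; d=%s; s=%s; h=from:to:subject; bh=%s;",
		domain, selector, bodyHash(m.Body, l))
	if l > 0 {
		tags += fmt.Sprintf(" l=%d;", l)
	}
	tags += " b="
	// The signature covers the listed headers plus this header itself with b= still empty.
	digest := sha256.Sum256([]byte(signedHeaders(m, []string{"from", "to", "subject"}) + "dkim-signature: " + tags))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return tags + base64.StdEncoding.EncodeToString(sig)
}

// Verify does what a receiving MTA does: fetch the key named by s=/d=, check bh=, then check b=.
func Verify(m Message, sigValue string, dns map[string]string) error {
	t := parseTags(sigValue)
	der, _ := base64.StdEncoding.DecodeString(parseTags(dns[t["s"]+"._domainkey."+t["d"]])["p"])
	pub, err := x509.ParsePKIXPublicKey(der) // a missing record yields an empty key and fails here
	if err != nil {
		return fmt.Errorf("no usable DKIM key at %s._domainkey.%s: %v", t["s"], t["d"], err)
	}
	l := 0
	fmt.Sscan(t["l"], &l) // no l= tag: l stays 0 and the whole body is hashed
	if bodyHash(m.Body, l) != t["bh"] {
		return fmt.Errorf("body hash mismatch: body altered after signing")
	}
	i := strings.Index(sigValue, " b=") + 3
	sig, _ := base64.StdEncoding.DecodeString(sigValue[i:])
	digest := sha256.Sum256([]byte(signedHeaders(m, strings.Split(t["h"], ":")) + "dkim-signature: " + sigValue[:i]))
	return rsa.VerifyPKCS1v15(pub.(*rsa.PublicKey), crypto.SHA256, digest[:], sig)
}

func newKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k } // a real MTA loads its key from a key store
func main() {
	priv := newKey()
	dns := map[string]string{"s1._domainkey.example.com": DNSRecord(&priv.PublicKey)} // stands in for a DNS lookup
	msg := Message{Headers: map[string]string{"from": "billing@example.com", "to": "ap@example.net", "subject": "Invoice 42"}, Body: "Please pay invoice 42.\r\n"}
	sig := Sign(msg, priv, "example.com", "s1", 0)
	partial := Sign(msg, priv, "example.com", "s1", len(msg.Body)) // l= covers only the original body
	fmt.Println("intact:", Verify(msg, sig, dns))
	msg.Body += "Send it to attacker.example instead.\r\n"
	fmt.Println("appended, full-body signature:", Verify(msg, sig, dns))
	fmt.Println("appended, l= signature:", Verify(msg, partial, dns))
}
```

Real deployments use the relaxed canonicalization, sign more headers (Date, Message-ID, and an oversigned empty From to block header injection), and rotate keys by publishing a new selector; none of that changes the shape of the check above.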
How DMARC Works Alongside DKIM
The limitations of DKIM are addressed when integrated as part of a layered approach with DMARC.
Authentication: Alongside SPF, DKIM is one of the two authentication mechanisms DMARC builds on. Unlike SPF, DKIM generally survives email forwarding, as long as the forwarder does not modify the signed headers or body (some mailing lists do), and it is not subject to SPF's DNS lookup limit.
Alignment Check: DMARC requires that the domain in the "From" header align with the domain used for the DKIM signature (its d= tag), either exactly or, in relaxed mode, at the organizational-domain level. This defeats attacks where an attacker attaches a perfectly valid DKIM signature from a domain they control while putting your domain in the visible From address.
Reporting: DMARC provides detailed feedback on DKIM authentication results, helping domain owners identify errors present in their DKIM implementation.
Policy Enforcement: DMARC allows domain owners to specify how receiving servers should handle emails that fail DMARC evaluation (no aligned DKIM or SPF pass): none, quarantine or reject.
DKIM and DMARC work in tandem for a defense-in-depth approach to email security, providing protection, visibility and enforcement when operating in harmony.
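The alignment check and policy step described above, as an added Go example (not code from the original article). It assumes the DMARC record has already been fetched from _dmarc.example.com, that DKIM and SPF results are handed in as the domains they passed for, and, as a labelled shortcut, that the organizational domain is the last two labels of a name (real evaluators use the Public Suffix List). The second case is the attack the Alignment Check paragraph describes: a valid signature from attacker.example under a spoofed example.com From address.

```go
package main

import (
	"fmt"
	"strings"
)

// orgDomain approximates the DMARC "organizational domain" as the last two labels.
// Real evaluators consult the Public Suffix List; this shortcut is an assumption of the example.
func orgDomain(d string) string {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(d, ".")), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

// fromDomain extracts the domain of the visible From header, the identifier DMARC aligns against.
func fromDomain(from string) string {
	addr := from
	if i := strings.LastIndex(from, "<"); i >= 0 {
		addr = strings.TrimSuffix(from[i+1:], ">")
	}
	if at := strings.LastIndex(addr, "@"); at >= 0 {
		return strings.ToLower(strings.TrimSpace(addr[at+1:]))
	}
	return ""
}

// aligned implements identifier alignment: strict ("s") needs an exact match,
// relaxed ("r", the default) needs the same organizational domain.
func aligned(fromDom, authDom, mode string) bool {
	if authDom == "" {
		return false
	}
	if mode == "s" {
		return fromDom == strings.ToLower(authDom)
	}
	return orgDomain(fromDom) == orgDomain(authDom)
}

// Result is the DMARC verdict: Pass, the disposition the record asks for on failure, and why.
type Result struct {
	Pass        bool
	Disposition string
	Reason      string
}

// Evaluate applies a DMARC record such as "v=DMARC1; p=reject; adkim=s" to authentication results.
// dkimDomain is the d= of a DKIM signature that verified ("" if none); spfDomain is the domain SPF passed for.
func Evaluate(record, from, dkimDomain, spfDomain string) Result {
	tags := map[string]string{"p": "none", "adkim": "r", "aspf": "r"}
	for _, part := range strings.Split(record, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[k] = strings.TrimSpace(v)
		}
	}
	fd := fromDomain(from)
	if aligned(fd, dkimDomain, tags["adkim"]) {
		return Result{true, "none", "DKIM pass aligned with From domain " + fd}
	}
	if aligned(fd, spfDomain, tags["aspf"]) {
		return Result{true, "none", "SPF pass aligned with From domain " + fd}
	}
	return Result{false, tags["p"], fmt.Sprintf("no aligned DKIM or SPF pass for From domain %s (DKIM d=%q, SPF %q)", fd, dkimDomain, spfDomain)}
}

func main() {
	rec := "v=DMARC1; p=reject; adkim=r"
	// Legitimate mail: signed by the From domain itself.
	fmt.Println(Evaluate(rec, "Billing <billing@example.com>", "example.com", "example.com"))
	// Attacker's mail: a valid DKIM signature, but from a domain they control, under a spoofed From.
	fmt.Println(Evaluate(rec, "CEO <ceo@example.com>", "attacker.example", "attacker.example"))
	// Subdomain signer: passes relaxed alignment, fails strict.
	fmt.Println(Evaluate(rec, "billing@example.com", "mail.example.com", ""))
	fmt.Println(Evaluate("v=DMARC1; p=quarantine; adkim=s", "billing@example.com", "mail.example.com", ""))
}
```

The attacker's message authenticates (their signature is genuine) but does not align, so the receiver applies the published p= policy; that is the gap the Limited Scope weakness describes and the alignment check closes.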
Integrity Check
Ensures that the signed headers and body of the email have not been altered during transit, meaning your client gets what you sent them.
No phishing content silently inserted or links swapped by a malicious middleman. DKIM does not encrypt the message, so it protects integrity, not confidentiality.
DKIM Tags
Interested in learning more about DKIM and the complex tag options it provides?
We’ve got a deep dive on it available here.
How does DKIM help my organization?
Domain Reputation
Both ISPs and popular email providers like Hotmail, Gmail and Yahoo Mail track sending behavior (low spam complaints and bounce rates, coupled with high engagement) to work out who the "good" senders are, so that their messages are far less likely to get stuck in a Spam folder somewhere and are actually seen.
DKIM improves domain reputation by letting these same ISPs and providers attribute your mail reliably to your domain, and by establishing a commitment to security that they track.