What is a DKIM record?
A DomainKeys Identified Mail (DKIM) record is a type of DNS record that is used to enable DKIM email authentication. It contains a public key that can be used to verify the authenticity and integrity of emails sent from a domain.
Example
Here is an example of a DKIM record for the domain “example.com” using the selector “dkim”:
dkim._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYKcNow4xqnJdYXcF7ouD1nX8X9Ld1J1z8Bm7L5o6sC7lYXJcYgV7c9r6I4g6N/LSdzRVJEq3+j3ZqPY3b/D3y+Gt0L/E1H+jNvR+G8Kv1ZpO8YlhFyHCQQZBcJg3D8ZKLHnZz+ZBdJQZ2EZbVcO9I7c9MbLnkEKBBkcDUZoKe2vQIDAQAB"
This record declares DKIM version 1 (v=DKIM1) and an RSA key (k=rsa) for the selector “dkim” on the domain “example.com”; the base64-encoded public key is carried in the p= tag.
The exact format of the DKIM record will depend on the DNS server software you are using. Consult the documentation for your DNS server for more information on how to create and publish DKIM records.
A DKIM record is typically stored in the DNS zone file for the domain. Its name is made up of the selector (a name that identifies the key), followed by “._domainkey.” and the domain, as in “dkim._domainkey.example.com” above. The record also contains other information about the email signing configuration, such as the list of email headers that are covered by the signature.
To use DKIM, the email sender’s domain needs to have a DKIM record published in the DNS, and the email server needs to be configured to add the DKIM signature to outgoing messages. When the email is received, the receiving server can use the public key in the DKIM record to verify the signature and ensure that the message is legitimate.
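As an added example (not part of the original page), the following Python parses a DKIM key record of the kind shown above and performs the sanity checks a verifier makes before trusting the key: tag syntax, version, key type, the revoked-key case (empty p=), and that p= decodes to DER. The p= value in SAMPLE_RECORD is a constructed placeholder that decodes to a tiny DER SEQUENCE, not a real RSA key.

```python
import base64
import binascii
import re

# Constructed sample record for this example. The p= value is a placeholder
# that decodes to a tiny DER SEQUENCE, not a real RSA public key.
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=MAMCAQU="


def parse_tag_list(text):
    """Split 'tag=value; tag=value' (RFC 6376 tag-list syntax) into a dict.
    Whitespace around names and values is ignored; a trailing ';' is allowed."""
    tags = {}
    for item in text.split(";"):
        if not item.strip():
            continue
        if "=" not in item:
            raise ValueError(f"malformed tag: {item!r}")
        name, value = item.split("=", 1)
        tags[name.strip()] = value.strip()
    return tags


def check_dkim_record(txt):
    """Sanity-check a DKIM key record. Returns (ok, message, key_der_bytes)."""
    tags = parse_tag_list(txt)
    # v= is optional, but if present it must be DKIM1 and must be the first tag.
    if "v" in tags:
        if tags["v"] != "DKIM1":
            return False, f"unsupported version {tags['v']!r}", b""
        if not txt.lstrip().startswith("v="):
            return False, "v= must be the first tag", b""
    # k= defaults to rsa; this example only handles RSA keys (the page's case).
    if tags.get("k", "rsa") != "rsa":
        return False, f"unsupported key type {tags.get('k')!r}", b""
    if "p" not in tags:
        return False, "missing p= tag", b""
    # An empty p= is how a domain revokes a key: signatures must not verify.
    if tags["p"] == "":
        return False, "key revoked (empty p=)", b""
    # Long records are often split into several quoted strings; folding
    # whitespace inside the base64 value is permitted and is removed here.
    b64 = re.sub(r"\s+", "", tags["p"])
    try:
        key = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"p= is not valid base64: {exc}", b""
    # A DER SubjectPublicKeyInfo always starts with a SEQUENCE tag (0x30).
    if not key or key[0] != 0x30:
        return False, "p= does not decode to a DER-encoded public key", b""
    return True, f"ok: {len(key)}-byte DER public key", key
```

To check a live record, pass the TXT string returned by `dig +short TXT dkim._domainkey.example.com` (quotes removed) to check_dkim_record.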
What is a DKIM signature?
A DomainKeys Identified Mail (DKIM) signature is a digital signature that is added to the header of an email message to enable DKIM email authentication. The signature is used to verify that the email was actually sent by the domain it claims to be sent from, and that it hasn’t been modified during transmission.
To create a DKIM signature, the email sender’s server uses a private key to generate a unique message digest for the email, which is then encrypted and added to the email header as the DKIM signature. The private key is kept secret, and a corresponding public key is published in the DNS records for the domain.
When the email is received, the receiving server can use the public key to verify the signature and ensure that the message is legitimate. This helps to protect against spam, phishing, and other types of email fraud.
How does DKIM work?
Here is a summary of how DomainKeys Identified Mail (DKIM) works:
- The email sender’s server generates a digital signature for the email using a private key. The signature is a unique message digest that is encrypted with the private key.
- The email server adds the DKIM signature to the email header. The signature includes the domain name of the sender, the selector (a name that identifies the key), and the message digest.
- The email is sent to the recipient.
- When the email is received, the receiving server retrieves the public key for the sender’s domain from the DNS records.
- The receiving server uses the public key to verify the DKIM signature. It does this by decrypting the signature with the public key and comparing the result to its own calculation of the message digest. If the results match, it means that the email was sent by the domain it claims to be sent from and has not been modified during transmission.
- If the DKIM signature is verified, the email is considered to be legitimate and is delivered to the recipient’s inbox. If the signature is not verified, the email may be flagged as spam or rejected.
This process helps to protect against spam, phishing, and other types of email fraud by allowing the recipient to verify the authenticity and integrity of the email.
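As an added example that is not part of the original page, the following Python carries out the integrity half of the verification described in the signature section and in the steps above: it parses the tag list of a DKIM-Signature header, canonicalizes the received body (“simple” or “relaxed”, RFC 6376 section 3.4), recomputes the bh= body hash and compares it with the signed value. The message body, domain, selector and b= value are constructed placeholders; checking the RSA signature in b= against the key from DNS is deliberately left out.

```python
import base64
import hashlib
import re

# Constructed message body for this example (not from the original page).
BODY = "Hi team,\r\n\r\nPlease review  the   attached report.\r\n\r\nThanks\r\n\r\n\r\n"

def canonicalize_body(body, mode="simple"):
    """Body canonicalization per RFC 6376 section 3.4 ('simple' or 'relaxed')."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        # Drop trailing whitespace on each line, collapse runs of WSP to one SP.
        lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in lines]
    elif mode != "simple":
        raise ValueError(f"unknown body canonicalization {mode!r}")
    while lines and lines[-1] == "":      # both modes ignore trailing empty lines
        lines.pop()
    if not lines:                         # empty body: CRLF (simple) or "" (relaxed)
        return "\r\n" if mode == "simple" else ""
    return "\r\n".join(lines) + "\r\n"    # and the body must end with one CRLF

def body_hash(body, mode="simple", algo="sha256"):
    """The bh= value: base64 of the hash over the canonicalized body."""
    digest = hashlib.new(algo, canonicalize_body(body, mode).encode()).digest()
    return base64.b64encode(digest).decode()

def parse_dkim_signature(header_value):
    """Parse the DKIM-Signature tag list; folding whitespace in values is removed."""
    tags = {}
    for item in header_value.split(";"):
        if item.strip():
            name, value = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def check_body_hash(header_value, body):
    """Recompute bh= from the received body and compare it with the signed value."""
    tags = parse_dkim_signature(header_value)
    if tags.get("v") != "1":
        raise ValueError("unsupported DKIM-Signature version")
    canon = tags.get("c", "simple/simple").split("/")   # header/body modes
    body_mode = canon[1] if len(canon) == 2 else "simple"
    algo = tags["a"].split("-", 1)[1]                    # "rsa-sha256" -> "sha256"
    return body_hash(body, body_mode, algo) == tags["bh"]

def make_sample_signature(body):
    """Constructed DKIM-Signature value for BODY; b= is a placeholder because this
    example checks only the body hash, not the RSA signature over the headers."""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=dkim;\r\n"
            "\th=from:to:subject:date; bh=" + body_hash(body, "relaxed") + ";\r\n"
            "\tb=PLACEHOLDER")
```

A body hash mismatch is the “modified during transmission” outcome from the steps above; trailing blank lines and, in relaxed mode, whitespace changes do not cause one, which is exactly what canonicalization is for.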
Why use DKIM for Email?
There are several reasons why you might want to use DomainKeys Identified Mail (DKIM) for email:
- To protect against spam and phishing: DKIM helps to prevent spam and phishing by allowing the recipient to verify the authenticity of the email. If the DKIM signature does not verify, the email may be flagged as spam or rejected.
- To prevent email spoofing: DKIM helps to prevent email spoofing, which is when an attacker sends an email that appears to be from a legitimate domain but is actually fake. With DKIM, the recipient can verify that the email was actually sent by the domain it claims to be sent from.
- To protect against email tampering: DKIM helps to protect against email tampering by allowing the recipient to verify that the email has not been modified during transmission. This is especially important for emails that contain sensitive or confidential information.
- To improve email deliverability: Using DKIM can improve email deliverability by helping to ensure that legitimate emails are not mistaken for spam. This is because many email servers will give priority to emails with a valid DKIM signature when deciding whether to deliver the email to the recipient’s inbox.
Overall, using DKIM can help to improve the security and reliability of email communication, and is good practice for anyone who sends email.
How do I know if DKIM is working?
There are several ways to check if DomainKeys Identified Mail (DKIM) is working:
- Check the email headers: You can check the email headers to see if the email has a DKIM signature. To do this, you will need to view the full email headers. The DKIM signature should be included in a header field that begins with “DKIM-Signature”.
- Use a DKIM checker tool: There are many online tools that can check the DKIM signature of an email for you. Some popular options include DKIM Core Validator and MXtoolbox. To use these tools, you will need to provide the email headers or the entire email message.
- Check the email logs: If you are the administrator of the email server, you can check the email logs to see if the DKIM signature is being added to outgoing emails.
- Send a test email: You can send a test email to yourself or to another email address and then check the email headers or use a DKIM checker tool to verify the DKIM signature.
If the DKIM signature is present and verifies, it means that DKIM is working properly. If the signature is not present or does not verify, it could indicate that there is a problem with the DKIM configuration.
What happens when DKIM fails?
If a DomainKeys Identified Mail (DKIM) signature fails to verify, it means that the email was either not sent by the domain it claims to be sent from, or that it has been modified during transmission. In this case, the recipient’s email server may take one of several actions:
- Flag the email as spam: The email may be marked as spam and delivered to the recipient’s spam folder, or it may be rejected altogether.
- Quarantine the email: The email may be quarantined, which means that it will be held in a separate area and not delivered to the recipient’s inbox. The recipient may be notified that the email has been quarantined and given the option to release it.
- Deliver the email: In some cases, the email may still be delivered to the recipient’s inbox even if the DKIM signature does not verify. This may happen if the email server is not configured to check for DKIM signatures or if the email is from a domain that is not signed with DKIM.
Overall, a failed DKIM signature can indicate that the email is not legitimate and may be a spam or phishing attempt. It is generally a good idea to treat emails with a failed DKIM signature with caution.
Why DKIM-Only Isn’t Safe Enough
While DomainKeys Identified Mail (DKIM) is an important email authentication method, it is not foolproof and should not be relied upon as the sole means of protecting against spam, phishing, and other types of email fraud. Here are a few reasons why DKIM-only may not be safe enough:
- DKIM can be compromised: It is possible for an attacker to compromise a domain’s DKIM keys and use them to send fraudulent emails that appear to be legitimate. This can happen if the domain’s private key is stolen or if the attacker is able to impersonate the domain’s email server.
- Not all email servers check for DKIM: Some email servers may not be configured to check for DKIM signatures, which means that emails with a fake DKIM signature could still be delivered.
- Not all domains use DKIM: Not all domains use DKIM to sign their emails, which means that emails from these domains will not have a DKIM signature. This means that relying on DKIM-only could result in legitimate emails being flagged as spam.
For these reasons, it is important to use multiple email authentication methods in order to provide the best protection against spam, phishing, and other types of email fraud. Some other email authentication methods that can be used in conjunction with DKIM include SPF, DMARC, and BIMI.