DKIM: DomainKeys Identified Mail for more email security

Liam Ormond
-
Published on
29.11.2022

To protect e-mail communication from misuse, several technologies are needed to complement the Simple Mail Transfer Protocol (SMTP). One is the DomainKeys Identified Mail (DKIM) process.

In the constant arms race between attackers and defenders, SPF alone does not protect against spoofed or phishing e-mail: it only checks the sending server against the envelope sender domain, and its result is lost as soon as a message is forwarded. Further measures are needed. An additional link in the chain of defense is the DKIM signature protocol. It grew out of two earlier proposals, Yahoo's DomainKeys and Cisco's Identified Internet Mail, which were merged in the mid-2000s; the first DKIM specification was RFC 4871 (2007), and in 2011 the Internet Engineering Task Force (IETF) published RFC 6376, the current DKIM standard (STD 76).

DKIM DNS entry and DKIM check

DKIM lets a receiver verify that a message was signed by a given domain and has not been altered since, using public-key cryptography. As with SPF, the Domain Name System (DNS) is the trust anchor: you publish the public key as a TXT record named <selector>._domainkey.<domain>, with a value of the form v=DKIM1; k=rsa; p=<base64 public key>. When a message is sent, the signing server first canonicalizes the body and hashes it; this body hash goes into the bh= tag of the DKIM-Signature header. It then hashes the selected header fields (listed in the h= tag, typically From, To, Subject and Date) together with the DKIM-Signature header itself, signs that hash with the private key and places the signature in the b= tag. The header also names the signing domain (d=), the selector (s=) and the algorithm (a=, normally rsa-sha256). The selector is just a label that, combined with the domain, gives the DNS name of the key record, so a domain can publish several keys and rotate them without downtime. With this information the receiving server fetches the public key, recomputes both hashes over the message as received and checks the signature. One caveat: DKIM authenticates the signing domain in d=, not the address shown in From; only DMARC ties the two together through its alignment check.

What happens after the DKIM check is at the discretion of the administrators of the receiving server. A failed or missing signature on its own is rarely a reason for outright rejection, because unsigned mail is still common and signatures legitimately break when mailing lists or forwarders modify a message. In practice the result is recorded in an Authentication-Results header, counted in the spam score and, most importantly, evaluated together with SPF under the sender domain's DMARC policy, which is where a domain owner can request that unauthenticated mail be quarantined or rejected.
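The mechanics just described, as an added Python example (not code from the original article): it locates the key record in DNS, parses the tag lists, canonicalizes a body, recomputes bh= and assembles the exact bytes that b= signs, then shows a tampered body failing the body-hash check. It uses only the standard library and leaves the RSA operation to a real DKIM library; domain, selector and message are constructed samples.

```python
"""DKIM mechanics (RFC 6376) with the standard library only.

Added example, not code from the original article. It covers what a verifier does before
touching the RSA signature: locating the public key in DNS, parsing tag=value lists,
canonicalizing the body, recomputing bh=, and assembling the bytes that b= signs.
The RSA operation itself is left to a real library (e.g. dkimpy), since it needs the
signer's key pair. Domain, selector and message below are constructed samples.
"""
import base64
import hashlib
import hmac
import re


def dkim_dns_name(selector: str, domain: str) -> str:
    """TXT record a verifier queries for the public key: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def parse_tags(value: str) -> dict:
    """Parse a tag=value list (used by both the DNS record and the DKIM-Signature header)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)  # folding whitespace is insignificant
    return tags


def canon_body(body: bytes, canon: str = "relaxed") -> bytes:
    """Body canonicalization (RFC 6376 3.4.3 / 3.4.4). Both modes drop trailing empty lines;
    relaxed also trims trailing WSP and collapses runs of WSP inside a line to one space."""
    lines = body.split(b"\r\n")
    if canon == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b"\r\n" if canon == "simple" else b""  # simple keeps one CRLF for an empty body
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, canon: str = "relaxed") -> str:
    """Value of the bh= tag: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canon_body(body, canon)).digest()).decode()


def canon_header_relaxed(name: str, value: str) -> bytes:
    """Relaxed header canonicalization: lowercase name, unfold, collapse WSP, trim, add CRLF."""
    value = re.sub(r"[ \t]*\r\n[ \t]*", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return f"{name.strip().lower()}:{value}\r\n".encode()


def signed_header_input(headers: list, dkim_value: str) -> bytes:
    """The bytes b= signs: the headers named in h= (taken bottom-up, each instance used once),
    then the DKIM-Signature header itself with b= emptied and without a trailing CRLF."""
    remaining = list(headers)
    out = b""
    for name in parse_tags(dkim_value)["h"].lower().split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].strip().lower() == name:
                out += canon_header_relaxed(*remaining.pop(i))
                break
    blank_b = re.sub(r"(^|;)(\s*)b=[^;]*", r"\1\2b=", dkim_value, count=1)
    return out + canon_header_relaxed("DKIM-Signature", blank_b).rstrip(b"\r\n")


def split_message(raw: bytes):
    """Split a CRLF message into [(name, value), ...] headers (folded lines joined) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.decode().split("\r\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] = (headers[-1][0], headers[-1][1] + "\r\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name, value))
    return headers, body


def check_body_hash(raw: bytes) -> bool:
    """First verifier step: recompute bh= over the body as received and compare it."""
    headers, body = split_message(raw)
    sig = next(v for n, v in headers if n.lower() == "dkim-signature")
    tags = parse_tags(sig)
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) > 1 else "simple"  # c=header/body; body defaults to simple
    return hmac.compare_digest(body_hash(body, body_canon).encode(), tags["bh"].encode())


def make_sample_message(body: bytes) -> bytes:
    """Constructed sample with hypothetical domain and selector. A real signer would fill
    b= with the RSA-SHA256 signature over signed_header_input(); it is left empty here."""
    bh = body_hash(body, "relaxed")
    dkim = (" v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=google;\r\n"
            f"\th=from:to:subject; bh={bh}; b=")
    headers = [("From", " Alice <alice@example.com>"), ("To", " bob@example.net"),
               ("Subject", " DKIM demo"), ("DKIM-Signature", dkim)]
    return b"\r\n".join(f"{n}:{v}".encode() for n, v in headers) + b"\r\n\r\n" + body


if __name__ == "__main__":
    msg = make_sample_message(b"Please pay invoice #42.\r\n")
    print("key record:", dkim_dns_name("google", "example.com"))
    print("body hash ok:", check_body_hash(msg))
    print("after tampering:", check_body_hash(msg.replace(b"#42", b"#43")))
    hdrs, _ = split_message(msg)
    sig = next(v for n, v in hdrs if n.lower() == "dkim-signature")
    print(signed_header_input(hdrs, sig).decode())
```

The body-hash comparison is the reason a single changed byte in the body fails DKIM, and signed_header_input() shows why an attacker cannot swap the signature into a different message: the DKIM-Signature header, with bh= and h= inside it, is itself covered by b=.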

Configuration of DKIM in Gmail

For DKIM to be effective, the sender's and recipient's servers must support the procedure. Most major providers have now implemented the standard, including Gmail. DKIM can be activated for your e-mail domains with three simple steps. The corresponding DKIM tool for generating the public and private keys can be found in the Google Admin Console under "Apps / Google Workspace / Gmail" and there in the "Authenticate emails" section.

DKIM authentication: the Google Admin Console configures DKIM for the selected domain.

Click "Create new record" to generate the key pair. The private key stays with Google and is never displayed; the Admin Console shows the selector, i.e. the name of the TXT record (the default prefix is google, so the record is google._domainkey.yourdomain), together with the value to publish, which contains the public key. Choose a 2048-bit key where the option is offered; the 1024-bit option exists only for DNS providers that cannot store long TXT values.

In the next step, add a TXT record with the displayed name and value in the DNS of the domain; DNS providers often split a long value into several quoted strings, which is normal. Then wait, because Google points out that it can take up to 48 hours for the record to propagate worldwide. In the third and last step, click "Start authentication" in the Google Admin Console. DKIM is now active for your domain: outgoing mail is signed with d= set to your own domain rather than the generic gappssmtp.com key Google uses before setup, which is what DMARC alignment requires.
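A check of what you actually published, as an added Python example (not from the original article or Google's tooling): it joins the quoted strings dig prints for a long TXT record, validates the v=/k=/p= tags, reads the RSA modulus size out of the DER-encoded public key without any crypto library, and flags a revoked (empty p=) or undersized key. The record it tests against is a constructed sample with a dummy modulus, not a real key; the live lookup needs the dig tool and network access.

```python
"""Sanity-check a published DKIM TXT record: syntax, key type and RSA key size.

Added example, not code from the original article. Standard library only: p= carries a
base64 DER SubjectPublicKeyInfo, and the modulus length can be read straight from the DER.
sample_record() builds a record around dummy modulus bytes of the right shape (not a usable
key); dig_txt() shells out to the dig tool and therefore needs network access.
"""
import base64
import re
import subprocess

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def parse_tags(value: str) -> dict:
    """Parse the tag=value list of a DKIM record."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def txt_from_dig(line: str) -> str:
    """Join the quoted 255-byte strings dig prints for one TXT record into one value."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', line))


def dig_txt(name: str) -> str:
    """Live lookup with the dig tool (needs network); returns the first TXT record, joined."""
    out = subprocess.run(["dig", "+short", "TXT", name], capture_output=True, text=True, check=True).stdout
    return txt_from_dig(out.strip().splitlines()[0]) if out.strip() else ""


def der_read(buf: bytes, pos: int = 0):
    """Read one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7f) bytes hold the real length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Key size from a SubjectPublicKeyInfo: SEQ{ SEQ{OID, NULL}, BIT STRING{ SEQ{n, e} } }."""
    _, body, _ = der_read(spki)
    _, algo, pos = der_read(body)
    _, oid, _ = der_read(algo)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    _, bitstr, _ = der_read(body, pos)
    _, rsapub, _ = der_read(bitstr[1:])  # first BIT STRING byte is the unused-bit count
    _, n, _ = der_read(rsapub)
    n = n.lstrip(b"\x00")  # DER prepends 0x00 when the top bit of the modulus is set
    return n[0].bit_length() + 8 * (len(n) - 1)


def check_dkim_record(txt: str, min_rsa_bits: int = 2048) -> dict:
    """Evaluate one DKIM TXT record and return the findings a domain owner should act on."""
    tags = parse_tags(txt)
    res = {"version_ok": tags.get("v", "DKIM1") == "DKIM1",  # v= is optional; if present it must be DKIM1
           "key_type": tags.get("k", "rsa"),
           "revoked": tags.get("p") == "",  # an empty p= explicitly revokes the selector
           "bits": None, "ok": False}
    if res["revoked"] or "p" not in tags:
        return res
    try:
        raw = base64.b64decode(tags["p"], validate=True)
        if res["key_type"] == "rsa":
            res["bits"] = rsa_modulus_bits(raw)
        elif res["key_type"] == "ed25519" and len(raw) == 32:  # RFC 8463: raw 32-byte key
            res["bits"] = 256
    except (ValueError, IndexError):
        return res  # undecodable base64 or malformed key material
    res["ok"] = (res["version_ok"] and res["bits"] is not None
                 and (res["key_type"] != "rsa" or res["bits"] >= min_rsa_bits))
    return res


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed sample record."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_record(bits: int = 2048) -> str:
    """Constructed DKIM1 record whose modulus is dummy bytes of the given size (not a real key)."""
    modulus = b"\x00\x80" + b"\x5a" * (bits // 8 - 1)  # top bit set, hence the leading 0x00
    rsapub = der(0x30, der(0x02, modulus) + der(0x02, b"\x01\x00\x01"))
    algo = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    spki = der(0x30, algo + der(0x03, b"\x00" + rsapub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


if __name__ == "__main__":
    print(check_dkim_record(sample_record(2048)))  # constructed record, passes
    print(check_dkim_record(sample_record(1024)))  # too short, flagged
    # Live check of a real selector (hypothetical domain; needs dig and network):
    # print(check_dkim_record(dig_txt("google._domainkey.example.com")))
```

Run the live form against the selector the Admin Console gave you once the 48-hour propagation window has passed; if the record is missing, shows a 1024-bit modulus, or comes back with an empty p=, fix that before clicking "Start authentication".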

Gmail DKIM Test

All this happens in the background without any action on the part of the end user. As an authentication protocol, DKIM does not itself filter spam: a spammer can sign mail from a domain he owns with a perfectly valid key. What it provides is reliable attribution of a message to a domain, so that the domain's reputation, rather than a spoofable From address, determines how the message is treated.

Gmail users can check whether an email passed the DKIM check in the same way as the SPF status: open the message menu in the Gmail web frontend and click "Show original". The detail view summarizes the SPF, DKIM and DMARC results and, for DKIM, names the signing domain (d=) that passed; the Authentication-Results header further down shows the selector and the individual verdicts.

Would you like to increase the security of your e-mail communication? We would be happy to support you.
