DKIM keys setup guide

...or all you need to know about DKIM records

Email remains a cornerstone of modern communication. With the rise in email spoofing, phishing, and cyberattacks, ensuring the authenticity of emails has become essential. DomainKeys Identified Mail (DKIM) is one of the key technologies designed to verify that emails are genuinely from the sender they claim to be and have not been altered in transit.

This article explores DKIM, how it works, why it’s essential for securing email communication, and best practices for implementing it securely.

What is DKIM and how does it work?

DKIM (DomainKeys Identified Mail) is a widely adopted email authentication method. It adds a digital signature to outgoing emails, allowing the recipient’s server to verify that the message was sent by the claimed domain and remains unaltered. This signature is created using cryptographic techniques, adding a layer of security that helps prevent email spoofing and protects the integrity of the message content.

A brief history of DKIM

DKIM originated from two projects: Yahoo's DomainKeys and Cisco's Identified Internet Mail. These efforts merged in 2004 to form DKIM, which was standardized by the Internet Engineering Task Force (IETF) in 2007. Since then, DKIM has become a standard email security practice, implemented by most major email service providers to mitigate the risk of spoofing and other email-borne threats.

How DKIM works: step-by-step

Here’s a breakdown of the DKIM process:

1. Digital signature creation. When an email is sent, the sending server uses the domain’s unique private key to create a digital signature. This signature is added to the email headers.

2. DNS public key. The domain's public key is stored in the DNS as a DKIM TXT record. This key is used by receiving servers to verify the signature. The DKIM record also includes a selector to specify which public key to use for validation.

3. Verification on receipt. The receiving email server queries the DNS for the sender’s DKIM public key. It uses this key to validate the email's digital signature and confirms that the email originated from the claimed domain and has not been modified.

4. Decision to trust. If the verification succeeds, the email is considered trustworthy and is delivered to the recipient’s inbox. If it fails, the email may be flagged as suspicious, depending on the recipient server’s policy.

Importance of DKIM key length and security best practices

DKIM’s effectiveness in preventing email spoofing relies on the strength of its cryptographic keys. Originally, DKIM keys with 512- and 1024-bit length were common, but in recent years, security experts have found this key length to be increasingly vulnerable to attacks, as it's private key can be recalculated.

The recommendation is to use 2048-bit DKIM keys, which provide a higher level of security and make it significantly harder for attackers to crack the key through brute force. Major email service providers and platforms recommend using 2048-bit keys for stronger security.

To implement this best practice:

1. Generate a 2048-bit key pair. When setting up DKIM, ensure that you generate a 2048-bit key pair instead of the default 1024-bit option.

2. Verify key length compatibility. Some older DNS providers may have issues with larger keys. Ensure your DNS provider supports 2048-bit DKIM keys.

3. Regularly rotate DKIM keys to maintain high security, rotate your DKIM keys periodically (e.g., every 6-12 months) and update your DNS records accordingly.

Understanding DKIM Records

A DKIM record is a DNS TXT record containing the public key used by receiving servers to authenticate your emails. Here are the key components of a DKIM record:

• Selector

  The "name" of the DKIM key used to locate the record in the DNS.

• v=DKIM1

  Specifies the DKIM version.

• p=public_key

  The actual public key, used to verify the email’s DKIM signature.

Having a DKIM record allows receiving servers to verify that messages sent from your domain are genuine and have not been tampered with.

Setting up a DKIM record for your domain

Setting up DKIM requires configuration of your DNS and email server. Here’s how to create and implement a DKIM record:

1. Generate a 2048-bit key pair. Create a DKIM key pair (public and private key) with 2048-bit length. Many email service providers, such as Google Workspace and Microsoft 365, offer tools to generate these keys.

2. Add the public key to DNS. Add the public key to your domain’s DNS as a TXT record. The record name should include the selector chosen when generating the keys.

3. Configure the private key. Set up your email server to use the private key to sign outgoing emails.

4. Test the setup. Use a DKIM checker tool to ensure that the DKIM signature is working correctly and that emails are successfully passing DKIM verification.

DKIM, SPF, and DMARC: A holistic approach to email security

While DKIM is essential, it works best alongside other email security protocols like SPF and DMARC:

• Sender Policy Framework (SPF) Specifies which IP addresses are authorized to send emails for your domain, helping prevent spoofing.

• Domain-based Message Authentication, Reporting & Conformance (DMARC) Establishes policies for handling emails that fail SPF or DKIM checks, adding reporting and enforcement capabilities.

Together, DKIM, SPF, and DMARC provide a comprehensive framework for email authentication, significantly reducing the risk of spoofing and phishing.

Why DKIM is important

DKIM is crucial for protecting both email senders and recipients. Here’s why it matters:

Prevents Email Spoofing by verifying that an email genuinely originates from the sender’s domain, DKIM helps prevent email spoofing, where attackers attempt to impersonate legitimate senders.

Enhances Deliverability - messages with a valid DKIM signature are more likely to reach the inbox instead of being flagged as spam. Email providers like Gmail and Yahoo incorporate DKIM into their spam filters.

Increases Domain Reputation - consistently sending DKIM-signed emails boosts domain reputation, positively impacting deliverability rates.

DKIM FAQs

Can a domain have multiple DKIM records?

Yes, a domain can have multiple DKIM records using different selectors, which is useful for managing multiple email service providers or during system migrations.

How is DKIM different from SPF?

SPF verifies the IP address of the sending server, while DKIM verifies the content integrity and authenticity of the email itself.

Does DKIM encrypt the email message?

No, DKIM does not encrypt the email message. It only adds a signature to verify the sender's identity and message integrity.

What happens if the DKIM signature fails?

If the DKIM signature fails verification, the email may be flagged as suspicious or routed to the spam folder, depending on the recipient’s email security policies.