DKIM: What is it and should you configure it?
Reading time: 7 minutesImproving email security and protecting against phishing campaigns, spam and other types of email-based attacks is the basis of good cybersecurity hygiene. When you consider almost half of the UK's organizations have become victims of phishing attacks*, it's especially important to make a thorough effort.
*Phishing attacks: Half of organisations have fallen victim in last two years (ZDNet)
There are a number of ways in which you can improve your email security and reduce attack surface with different dedicated services, but for now we want to focus on a few old-school techniques for spam reduction. SPF, DMARC, and DKIM are security mechanisms designed to provide you with better email deliverability and security.
We've touched upon the SPF record and DMARC when exploring interesting DNS records and the various types you should know about, so today we're going to answer the question what is DKIM and show you how to set it up in your DNS records for your mail server.
What is DKIM?
Spam and phishing email campaigns are widespread and some of the oldest types of cybercrime around. Sadly, it makes sense: forging an email sender and including malicious links in an email is one of the easiest ways for cybercriminals to trick you into clicking on the links, which allow them to retrieve sensitive information from you.
For the average individual, an email stating that it's from PayPal or Ebay might not obviously show itself as a forged email. That's why it's important to protect yourself from falling victim to email-based attacks. This is where DKIM, an established form of sender authentication, comes into play.
DKIM, or DomainKeys Identified Mail, is an email authentication standard created to allow senders to connect to their domain with an email, through cryptographic authentication which, in turn, proves the legitimacy of said email to the receiver.
It's derived from earlier standards applied to Yahoo! and Cisco (specifically Yahoo!'s DomainKeys and Cisco's Identified Internet Mail specifications), was patented in 2004 and is now called DomainKeys Identified Mail.
That cryptographic authentication means that public and private keys are generated. The private key, which is linked to your domain and only available to you, encrypts the digital DKIM signature created by the MTA (Mail Transfer Agent) and stored in your domain. The DKIM signature is recorded in the message header field as an RFC2822. Here's an example of how the DKIM signature can look:
DKIM-Signature a=rsa-sha1; q=dns;
d=example.com;
[email protected];
s=jun2005.eng; c=relaxed/simple;
t=1117574938; x=1118006938;
h=from:to:subject:date;
b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSb
av+yuU4zGeeruD00lszZVoG4ZHRNiYzR
The public key which is added to the DNS TXT record should decrypt the signature. Here's an example of the TXT record for DKIM:
example._domainkey.itverx.com.ve.86400 IN TXT "v=DKIM1\; g=*\; k=rsa\; p=MIGfM
A0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDqFGebZAOHfSGy9CWtA4Uads0zaXAy8TWtW9uIFbyIkFNC67fQVFVjsxlmcEg1oFNp2CrTYF1YNh2gB144c+XY5GVM2fGEYAKx3iBxajWTzsx3SvpQtAZ2Bvf2mV+Te+JtlbpxVuiuiW2Alqwhk1ytTWspf/S3bM73XssV+/mh9wIDAQAB"
If those two keys match, the receiver's MTA will know that the content of the email hasn't been altered since it was sent and that the email is legitimate. The actual digital signature inserted into the header of an email is not visible to end-users since it's done on the server level.
Setting up DKIM is also a fairly easy task and can be done in a few simple steps:
- Take note of all the domains in your organization used to send emails
- Install the DKIM package that is specific for your mail server
- Create a public and private key pair
- Create a DKIM TXT record to publish the DKIM selector and your public key
- Save your private key accordingly to your DKIM package
- Configure your mail server to make sure that DKIM is up and running
Advantages of DKIM
Although there are obvious benefits of DKIM record, such as email authentication, there are some other advantages:
Bypass spam filters
Even if the DKIM signature is not an anti-spam method and won't completely protect you against it, configuring DKIM will greatly improve your email's chances of not being labeled as spam. If you're sending an email marketing campaign to a great number recipients, using DKIM will improve your chances of passing through sometimes harsh content scanning.
When your emails aren't reaching their end destination, a frequent reason behind the issue is misconfigured DNS records, or more likely, a lack of the important ones such as SPF, DMARC and DKIM. You can resolve this issue easily by performing a regular DNS audit to make sure that if they are configured, they are working properly.
Even with DKIM configured, we warn against sending "spammy" emails to everyone.. While it will authenticate that the email comes from a legitimate source, your content can still be marked as spam.
Avoid phishing
This benefit is directly tied to the anti-spam capabilities of DKIM—by adding this layer of protection to spam filtering, you're putting up another barrier to the victimhood of phishing. As we've said, spam filtering itself isn't enough to completely identify and flag a suspicious email. But utilizing DKIM authentication will help put you more at ease when checking on the sender of email you've received.
To truly prepare for the fight against phishing attacks, your best bet is to have all domains in your organization use DKIM with the addition of SPF record, as we shared earlier. Also, you can be proactive and find phishing domains to avoid becoming the victim of one.
Improve reputability
When you have all domains across your entire organization using DKIM, you're making yourself a reputable sender in the eyes of partners, customers, vendors and any other third party service you might come in contact with.
Signing messages with DKIM will improve your email deliverability, so there's a slim chance your emails will end up in a spam folder, not reaching their designated recipients.
DKIM authentication can also impact click-through rates when you're trying to reach your email subscribers, such as through an email marketing campaign or when sending out a newsletter. When there's an added layer of trust in your signature, it's more likely that recipients will click on links you're sending, with no sense of danger involving phishing or spam attempts.
Disadvantages of DKIM
As we all know, nothing is ever perfect, and nothing can truly vouch for absolute security. The DKIM record, therefore, has its disadvantages.
Several weaknesses have been reported over the years. The most notable one is based on the replay attack, about which ZDNET has written a very informative article.
Basically, since DKIM doesn't sign all parts of the message and only authorizes some parts, the email can be forwarded by malicious actors by adding more header fields to it. The signature will still match it and will have DKIM verification, thus making recipients of the forwarded message susceptible to such an attack.
To be fair, DKIM does claim only to validate that the domain sending the email is the actual sender and that's all there is to it. It doesn't actually claim to stop phishing. Also, the information validated by DKIM is only on the server side, and end users don't really get a lot from the fact the the email is validated under DKIM. There's always a chance that the email contains a malicious link or that the content of the email was altered when it was forwarded.
Another issue come to light involves certain companies whitelisting domains trusted solely on the basis of DKIM signature. This means that the contents of those emails won't go through any type of analysis and will immediately be deemed safe. Revisiting the replay attack, the domain that was actually signed and authorized by DKIM will stay the same and will still be whitelisted, although its contents can be changed. That renders it useful for phishing.
Final thoughts
Weighing both its advantages and disadvantages, configuring DKIM is an easy addition to your email security and we advise you to do it. Phishing is all the rage, and has been for as long as cyber attacks have been around (and that's, well, since the beginning of the Internet). While nothing can provide you with 100% security when you're on the Internet, it's up to all of us to keep it as safe as possible from the danger of cyber threats.
DNS security is important and we're here to make sure you're auditing your DNS zone files easily and staying on track with any name server changes for optimal security. You can dive deeper into DNS records and record types, even historical records with SecurityTrails API.
