DomainKeys Identified Mail (DKIM) is an anti-tamper protocol that ensures your mail remains secure in transit. DKIM uses digital signatures to check that a specific domain sent an email.
DKIM validates your communications in two ways. The first operation occurs on a server that sends DKIM-signed emails, and the second occurs on the receiving server that verifies DKIM signatures on incoming messages. A private-public key pair allows the entire procedure to take place. Your private key is kept private and secure, either on your own server or with your ESP, while the public key is added to your domain's DNS records and published to the world to aid in message verification. This is accomplished by using a digital signature in the email.
Emails signed with DKIM can be considered legitimate, and the recipients can rest assured that the email is not a spam or phishing attack. DKIM works together with DMARC and SPF to ensure email security at multiple layers for the domains.
The Working of DKIM
DKIM adds a digital signature to an email message's header. This signature may be verified using a public cryptographic key stored in the organization's DNS records. In the DKIM procedure, a public key is created as a TXT record for the domain's DNS Manager (registrar of the domain or DNS Provider).
Every email sent has its own signature, which is produced with the domain's private key. The receiving email server uses this private-public key pair to validate the email source. An incoming mail server scans the DNS record to find the sender's public DKIM key when it receives an email. The incoming server uses this key to decode the signature and compare it to the recently calculated version. The email's legitimacy and authenticity are established if the two values match.
Benefits of DKIM
Now that we know how DKIM works, let’s look at how DKIM protects your brand from phishing and spooning attempts.
DKIM can help identify emails that aren’t spam and don't need to be filtered. Let’s suppose a receiving system maintains a whitelist of known good sending domains, which can be kept locally or obtained from third-party certifiers. In that case, it can skip the filtering of signed emails from those domains and filter the remaining ones more aggressively. By doing this, DKIM lets emails from trusted domains reach the recipient's inbox without checking for DKIM signatures.
DKIM can be used to protect against phishing attacks. Mail servers in phished domains can sign their email messages to prove that they are authentic. Recipient servers can then interpret the absence of a valid signature on emails from those domains as a clue that the email is most likely forged and thus needs to be reported promptly.
Another unique feature of DKIM is that it precludes senders from denying that they sent an email. This feature has been important for news organizations in the past as they have been able to employ DKIM body signatures to confirm that leaked emails were authentic and untampered with.
DKIM undoubtedly proves to be a formidable defense against malicious spoofing and phishing attacks given the long list of benefits it provides to the user. Implementing DKIM at your organization means better security and a foolproof defense system. If you have your DKIM record set up, you can check the validity using EmailAuth’s free DKIM record checker tool.