
DKIM

DomainKeys Identified Mail (DKIM) is an email authentication protocol that protects the integrity and authenticity of your emails. DKIM uses digital signatures so that a receiving mail server can confirm that a message was authorized by the signing domain and that the signed parts were not altered in transit.

The first DKIM action occurs on the server that sends a DKIM-signed email; the second takes place on the recipient server, which checks the DKIM signature on incoming mail. The entire process relies on a key pair: a private key and a matching public key.

The private key is kept secret, either on your own server or with your ESP (email service provider), and is used to sign each outgoing message. The public key is published in the DNS records of your domain so that any receiver can look it up and verify those signatures. Once the receiver confirms that an email carries a valid DKIM signature, it knows that the signed content is intact.

DKIM Signature

A DKIM signature indicates which domain was used to sign the email. It takes the form of a DKIM-Signature header that is added to every email sent from a domain that has DKIM implemented. This header carries the details a recipient mail server needs to validate the email: where to look up the sender's public DKIM key, which parts of the message were signed, and the signature value itself.

Here is an example of a DKIM signature:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sparkpost.com; s=google;
        h=from:content-transfer-encoding:subject:message-id:date:to:mime-version;
        bh=ZkwViLQ8B7I9vFIen3+/FXErUlKv33PmCuZAwpemGco=;
        b=kF31DkXsbP5bMGzOwivNE4fmMKX5W2/Yq0YqXD4Og1fPT6ViqB35uLxLGGhHv2lqXBWwFhODPVPauUXaRYEpMsuisdU5TgYmbwSJYYrFLFj5ZWqZ7VGgw6/nI1hoPWbzDaL9qh

The tags used are:

  • v, version

  • a, signing algorithm

  • d, domain

  • s, selector

  • c, canonicalization algorithm(s) for header and body

  • q, default query method

  • t, signature timestamp

  • x, expire time

  • h, header fields – list of those that have been signed

  • bh, body hash

  • b, the signature of headers and body

Signatures are by definition unique from email to email. However, ‘d=’ for the signing domain, ‘b=’ for the actual digital signature, and ‘bh=’ for the body hash, which the receiver checks by recomputing the hash over the body it received, are basic elements that are present in every DKIM signature header.

Before creating a signature, a sender must decide which components of the email it will cover. This usually consists of the email body as well as a default set of headers (listed in the ‘h=’ tag). If any of the signed elements are modified after the signature is created, DKIM validation will fail.

Email receivers such as Gmail and Microsoft detect the DKIM signature header. To validate it, the receiver performs a DNS query for the public key of the signing domain; the ‘d=’ (domain) and ‘s=’ (selector) tags in the signature tell it exactly which DNS record to look up.

If the key is found, the receiver uses it to verify the ‘b=’ signature over the signed headers, and independently recomputes the body hash from the message it received. These recomputed values are compared with the ones in the signature header. The DKIM signature is considered valid if the values match.
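As an added example (not code from the original article), here are the receiver-side steps just described in Python: splitting the DKIM-Signature tag list, deriving the DNS name from d= and s=, and recomputing bh= over the canonicalized body. The domain example.com, the selector sel2024, the sample body and the placeholder b= value are constructed for illustration; the RSA check of b= against the fetched public key is not included.

```python
import base64
import hashlib
import re

def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (the RFC 6376 tag-list)."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            # Folding whitespace inside a value (a wrapped b= or h=) carries no meaning.
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def dns_key_name(tags: dict) -> str:
    """TXT record the receiver queries for the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def canonical_body(body: bytes, method: str) -> bytes:
    """Body canonicalization from RFC 6376 section 3.4 ('simple' or 'relaxed')."""
    if method == "relaxed":
        # Trailing whitespace is dropped and runs of spaces/tabs squeezed to one space.
        lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in body.split(b"\r\n")]
        while lines and lines[-1] == b"":          # ignore empty lines at the end
            lines.pop()
        return b"\r\n".join(lines) + b"\r\n" if lines else b""
    # simple: only trailing empty lines are removed; the body must end in one CRLF.
    return re.sub(rb"(\r\n)+\Z", b"", body) + b"\r\n"

def body_hash(body: bytes, tags: dict) -> str:
    """Compute the bh= value the signer would have placed in the header."""
    if tags.get("a", "rsa-sha256") != "rsa-sha256":
        raise ValueError("only rsa-sha256 is handled here")
    # c= is header/body; a lone value means the body uses 'simple'.
    body_method = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    digest = hashlib.sha256(canonical_body(body, body_method)).digest()
    return base64.b64encode(digest).decode()

def body_hash_matches(header_value: str, body: bytes) -> bool:
    """First verifier step: does the received body still hash to the signed bh=?"""
    tags = parse_dkim_tags(header_value)
    return body_hash(body, tags) == tags["bh"]

# Constructed sample: a body as signed, and the header a signer would emit for it.
ORIGINAL_BODY = b"Your invoice total is  $120.00\r\nThanks\r\n\r\n"
SIGNED_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024;\r\n"
                 "\th=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY, {"c": "relaxed/relaxed"})
                 + ";\r\n\tb=PLACEHOLDER-SIGNATURE")
# Whitespace reflow by a relay is tolerated under 'relaxed'; changing the amount is not.
REFLOWED_BODY = b"Your invoice total is $120.00\r\nThanks\r\n"
TAMPERED_BODY = b"Your invoice total is  $1200.00\r\nThanks\r\n\r\n"
```

Running `body_hash_matches(SIGNED_HEADER, REFLOWED_BODY)` returns True while the tampered body returns False, which is why the body hash is checked before the signature itself.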

Usually, DKIM signatures are not visible to end-users and are affixed or verified by the infrastructure rather than the message's authors and recipients. 

Business Benefits of DKIM 

For businesses, proper and protected channels of communication are mandatory and inevitable. Emails are an integral part and probably the biggest channel of communication for all types of businesses. However, with easy accessibility, comes bigger risks. Emails are susceptible to cyberattacks that can lead to companies losing millions of dollars in finances and customer data.

Therefore, it’s necessary for businesses and companies to take email security seriously and implement email authentication protocols such as DKIM to save millions of dollars every year. 

The key benefit is that DKIM allows the signing domain to accurately identify a stream of legitimate emails, making domain-based blacklists and whitelists more effective. It also makes it easier to identify certain types of phishing attacks as it offers the following benefits:

  • Spam filtering

DKIM can help identify mail that isn't known to be spam and does not need to be filtered. If a receiving system maintains a whitelist of authentic sending domains that can be kept locally or obtained from third-party certifiers, it can skip the filtering of signed emails from those domains and filter the remaining emails more aggressively. 

  • Compatibility

DKIM is compatible with the existing email infrastructure because it is implemented using DNS records and an extra RFC 5322 header field. It is transparent to existing email systems that do not support DKIM: they simply deliver the message with the extra header and ignore it.

  • Anti-phishing

DKIM can be used to defend against phishing attacks. Mailers in intensively phished domains can sign their emails to prove their authenticity. The absence of a valid signature on an email from these domains can be interpreted by recipients as a clue that the email is most likely forged. 

  • Non-repudiation

The non-repudiation feature of DKIM does not let senders deny that they have sent an email. This has been essential to news organizations as they have been able to use DKIM body signatures to confirm that leaked emails were authentic and untampered with. 

Original source: https://telegra.ph/What-is-DKIM-and-why-is-it-important-for-your-business-10-28
