DKIM. DomainKeys Identified Mail

DKIM (DomainKeys Identified Mail) is an email security standard designed to make sure messages aren’t altered in transit between the sending and recipient servers. It uses public-key cryptography to sign email with a private key as it leaves a sending server. Recipient servers then use a public key published to a domain’s DNS to verify the source of the message, and that the body of the message hasn’t changed during transit. Once the signature is verified with the public key by the recipient server, the message passes DKIM and is considered authentic.

While DKIM isn’t required, having emails that are signed with DKIM appear more legitimate to your recipients and are less likely to go to Junk or Spam folders. Spoofing email from trusted domains is a popular technique for malicious spam and phishing campaigns, and DKIM makes it harder to spoof email from domains that use it.

DKIM is compatible with existing email infrastructure and works with SPF and DMARC to create multiple layers of security for domains sending emails. Mail servers that don’t support DKIM signatures are still able to receive signed messages without any problems. It’s an optional security protocol, and DKIM is not a universally adopted standard.

Step 1: Identify all of your sending domains

Make a list of all of your sending domains, and be sure to consider whether any of the following are used to send email:

  • Web server
  • In-office mail server (such as Microsoft Exchange)
  • Your ISP’s mail server
  • Mail server of your end-users’ mailbox provider
  • Any other mail server used to send email on behalf of your brand

Step 2: Install and configure DKIM on your email server

Because all outgoing email is required to be signed with DKIM, you will need to install a DKIM package specifically for your email server. To find out whether or not your platform has available DKIM software, you can check DKIM.org or check with your vendor. If you’re using an email service provider, you will need to work with them on setting up your DKIM record.

Step 3: Create a public and private key pair

Use an online wizard or your mail server’s own key generator to create the DKIM public/private key pairing and the policy record. The public key will be placed in your public-facing DNS record. The private key is installed on the MTA/Email sending system(s). You can also generate your own using openssl:

  • Enter the From: domain that you are authenticating
  • Enter the selector name
    • Make this name descriptive of the type of email you are sending, like marketing, or newsletter
  • Also, ensure your key is 1024-bit or higher
    • Most providers don’t have an option for anything lower, but if you are using your own tools, 1024 is required

Step 4: Publish your public key

The DKIM wizard should now have given you a selector record. This record includes the DKIM subdomain that will store the public key which is a combination of the domain and selector name.

For example, domain.com with a selector of marketing will have the public key stored in marketing._domainkey.domain.com. You will store your public key in the TXT portion of that domain. Most people will need to work with their system administrator to publish this. If you’re using a hosted solution, you can set this up within their interface.

Step 5: Store your private key

Your private key will also be generated by the wizard and will need to be stored where your DKIM package specifies. It is absolutely critical that this private key is never shared or exposed. If it is, your security will be compromised.

Step 6: Configure your email server

You will need to configure your system appropriately. Consult your server’s installation instructions or contact your vendor.

Step 7: Test, test and test again!

If you’ve successfully configured everything on your system, the next step is testing.

You should consider rotating your keys for maximum protection in case a key or set of keys becomes compromised. We recommend 6 monthly key rotations.

To ensure you’re continuing to authentication properly, contact RedShaw Consulting and we’ll help you manage your DKIM signatures

Now setup DMARC

  1. Setup SPF
  2. Setup DKIM
  3. Setup DMARC