DomainKeys Identified Mail (DKIM)

Joran Hofman
April 4, 2021

What is DKIM?

DKIM (DomainKeys Identified Mail) is an email security standard designed to ensure that messages remain unaltered in transit between sending and receiving servers. It enables an organization to take responsibility for a message in transit.

How do DKIM records work?

DKIM works by adding a digital signature to the headers of an email. This signature can then be verified with a public cryptographic key located in the company's DNS record.

The domain owner publishes a cryptographic key. In the domain's general DNS record, this is specifically configured as a TXT record.

After an outgoing mail server sends a message, the server creates and adds the unique DKIM signature to the message header.

Incoming mail servers use the DKIM key to locate and decode the message signature and check it against a new version. If the values ​​are the same, this proves that the message remains original and unaltered in transit and thus cannot be forged or altered.

Advantages and disadvantages of using DKIM

Advantages

  • The primary advantage of this system for email recipients is that it offers the signing domain’s ability to reliably record genuine email traffic. This allows domain-based lists to be more effective. This offers ease in detecting some types of phishing attacks.
  • DKIM is a way of tagging a message, but it cannot filter or detect spam on its own, but if used widely, it can prevent spammers from tampering with the source address of messages. DKIM can help recognize mail known as not spam and that it does not need to be filtered.
  • DKIM is compatible with existing email infrastructure as it is implemented through DNS records. In particular, it is practically invisible to current email systems that do not have DKIM support. DKIM also supports DNSSEC and SPF standards.
  • DKIM has a non-repudiation feature that does not allow spammers to convincingly deny sending an email. This feature has been tested useful for media sources to prove that filtered emails are real and have not been modified.

Disadvantages or weaknesses

  • A malicious person can write an email from a reputable domain and get this message signed with DKIM and send it to any mailbox where it can be retrieved as an archive and get a signed copy of the email. This signed copy can be forwarded to many recipients without any control. The email provider can block the person who sent the message but will not be able to stop the propagation of the already signed message.
  • Problems can also occur when the relay or filtering program makes changes to the message. If the person sending the mail does not take a specific action, the footer addition that many mailing lists and antivirus programs do will damage the DKIM signature.
  • In 2012, mathematician Zach Harris discovered the vulnerability of short DKIM keys. 512-bit keys can be discovered in 72 hours with cloud computing resources.

How to create a DKIM record?

The methodology to implement a DKIM record in an email may vary depending on each email service, but in general, it consists of the following steps: 

  • Create your own selector

When a domain has more than one mail server, it can have more than one public key. Each mail server has its private key, which matches a single public key. A selector is an attribute of a DKIM signature, which helps the recipient's server find the appropriate public key from the sender's DNS.

  • Generate a private-public key

Depending on the operating system, a tool must be used. Windows users can use PuTTY to generate key pairs, while Linux and MacO users can use SSH-Keygen for this purpose.

  • Add the DKIM record to your domain

As a final step, after obtaining the public key, it must be appended to the appropriate place in the DNS records. The steps may be different depending on the hosting provider.

Explore more glossaries