DKIM allows the recipient server to verify that the received message was really sent by the owner of the domain it claims to come from, and that the content of the original message was not altered on its way. So let’s figure out how to explain DKIM in plain English.
Imagine the situation where you go to the post office to send some mail and no one there asks for your passport or any other identification document. In that case, cybercriminals can write any name in the From field and the victim’s address in the To field. In the electronic world, the mail sending process is just as simple as in this example: the Simple Mail Transfer Protocol (SMTP) used to send mail has no built-in sender authentication, so anyone can send an email on your behalf.
Now imagine that the post office clerk asks for identification documents and only after that allows you to put your name in the From field, and after identifying you applies a signature or stamp that only the post office can produce. In the electronic world, the DKIM protocol plays this role: it verifies the sender and signs the email. This helps you effectively mitigate phishing attacks that impersonate your domain.
What is DKIM?
DomainKeys Identified Mail (DKIM) is a protocol that allows domain or organization owners to send authenticated, signed emails so the receiver can identify their true origin. This verification is made possible by cryptographic authentication.
Public-key cryptography is a form of encryption that involves two keys (a key pair) rather than one. One key is private and is kept secret, while the other is public and can be published. The two keys have a special relationship with each other: data encrypted with one key can only be decrypted with the other, and vice versa. If you use the private key to encrypt data, you cannot use that same key to decrypt it; you must use the public key.
The process itself is quite straightforward:
- A key pair is created: the private key always stays on the owner’s side and only the owner can access and use it, while the public key is made available to everyone. You can use the EasyDMARC DKIM record generator, which also generates the public/private key pair for you.
- The private key is used to sign emails on the owner’s side (this can be your own email server, or a service like GSuite, etc.).
- The public key is published in the DNS zone of the sending domain (at GoDaddy, Cloudflare, etc.) and is available to everyone.
This is enough to get started.
DKIM signing
After you turn on DKIM signing for your service (for example in Google Workspace or Office 365, or with OpenDKIM on your Postfix server), the sender automatically performs the following steps:
- calculates the hash of the mail body;
- encrypts the calculated hash with the private key;
- attaches the result to the mail and sends it.
This process is called DKIM signing. And, as you may already have guessed, the signature is the hash of the email encrypted with the private key, carried in the DKIM-Signature header.
Here is an example of a DKIM signature
On the other end, the receiving mail server looks up the sender’s public key in the DNS zone of the signing domain and uses it to validate the signature. If the signature validates, there is a guarantee that the email was signed by the holder of that domain’s private key and that the signed content was not altered in transit.
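The signing and verification steps above, as an added, simplified example that is not code from the original post or from any DKIM implementation. It uses only Go’s standard library; the domain (example.com), selector (sel1), addresses and message body are constructed placeholders, and the header canonicalization is a reduced form of what a real verifier does.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// BodyHash computes the bh= tag: SHA-256 of the body under "simple" body
// canonicalization (trailing empty lines reduced to one CRLF), base64-encoded.
func BodyHash(body string) string {
	sum := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}
// headersToSign is the data hashed for b=: the h= headers plus the DKIM-Signature header with an empty b=.
func headersToSign(from, subject, dkim string) string {
	return "from:" + from + "\r\nsubject:" + subject + "\r\ndkim-signature:" + dkim
}
// Sign returns the DKIM-Signature header value; d= and s= are placeholder values.
func Sign(priv *rsa.PrivateKey, from, subject, body string) (string, error) {
	tags := "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel1; h=from:subject; bh=" + BodyHash(body) + "; b="
	h := sha256.Sum256([]byte(headersToSign(from, subject, tags)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return tags + base64.StdEncoding.EncodeToString(sig), nil
}
// Verify is the receiver's side: recompute bh= from the received body, rebuild the signed data and
// check b= with the public key (fetched from DNS at <s>._domainkey.<d> in real deployments).
func Verify(pub *rsa.PublicKey, from, subject, body, header string) bool {
	i := strings.Index(header, "; b=")
	if i < 0 || !strings.Contains(header, "bh="+BodyHash(body)+";") {
		return false // missing signature, or the body no longer matches the signed body hash
	}
	sig, err := base64.StdEncoding.DecodeString(header[i+4:])
	if err != nil {
		return false
	}
	h := sha256.Sum256([]byte(headersToSign(from, subject, header[:i+4])))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}
func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	hdr, _ := Sign(priv, "alice@example.com", "Invoice", "Hello,\r\nSee attached.\r\n")
	fmt.Println(hdr, Verify(&priv.PublicKey, "alice@example.com", "Invoice", "Hello,\r\nSee attached.\r\n", hdr))
}
```

Changing the body, a signed header, or the key makes Verify return false, which is exactly what lets the receiver detect tampering and impersonation.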
DKIM is a very good mechanism to validate the identity of a sending system. This is yet another piece of technology that makes the Internet just a bit safer!
Nowadays, it is considered good manners to implement both SPF and DKIM in order to present yourself as a good email citizen.
How does it work?
DMARC’s alignment feature prevents spoofing of the “Header From” address by matching the “Header From” domain name with the “Envelope From” domain name used during the SPF check, and by matching the “Header From” domain name with the d= domain name tag in the DKIM signature.
To pass the DMARC check, a message must pass SPF authentication with domain alignment and/or DKIM authentication with domain alignment. A message fails the DMARC check if it fails both DKIM and SPF authentication, or passes them only for domains that do not align with the “Header From” domain.
DMARC lets senders instruct email providers on how to handle unauthenticated mail via a DMARC policy, removing any guesswork about how they should handle messages that fail DMARC authentication.
Senders can either:
- Monitor all mail (p=none), to understand their brand’s email authentication ecosystem and ensure legitimate mail is authenticating properly, without interfering with the delivery of messages that fail DMARC.
- Quarantine messages that fail DMARC (p=quarantine; e.g., move them to the spam folder).
- Reject messages that fail DMARC (p=reject; e.g., don’t deliver the mail at all).
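The alignment rule and the three policy choices above, worked through as an added example (not code from the original post or from any DMARC verifier). It assumes SPF and DKIM have already been evaluated, approximates the organizational domain as the last two labels instead of consulting the Public Suffix List, and uses constructed domains and a constructed DMARC record.

```go
package main

import (
	"fmt"
	"strings"
)
// AuthResult is what the receiver learned from SPF and DKIM for one message.
type AuthResult struct {
	HeaderFrom   string // domain of the visible From: header
	EnvelopeFrom string // domain the SPF check ran against (MAIL FROM)
	SPFPass      bool
	DKIMDomain   string // d= tag of the DKIM signature that verified
	DKIMPass     bool
}
// orgDomain approximates the organizational domain as the last two labels (simplification; real verifiers use the PSL).
func orgDomain(d string) string {
	parts := strings.Split(strings.ToLower(d), ".")
	if len(parts) > 2 {
		parts = parts[len(parts)-2:]
	}
	return strings.Join(parts, ".")
}
// ParsePolicy splits a DMARC TXT record ("v=DMARC1; p=reject; ...") into its tags.
func ParsePolicy(record string) map[string]string {
	tags := map[string]string{}
	for _, kv := range strings.Split(record, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(kv), "="); ok {
			tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return tags
}
// Evaluate applies the rule from the text: DMARC passes if SPF or DKIM passed
// with an aligned domain; otherwise the p= tag gives the requested disposition.
func Evaluate(r AuthResult, record string) (pass bool, disposition string) {
	p := ParsePolicy(record)
	if (r.SPFPass && orgDomain(r.HeaderFrom) == orgDomain(r.EnvelopeFrom)) ||
		(r.DKIMPass && orgDomain(r.HeaderFrom) == orgDomain(r.DKIMDomain)) {
		return true, "none"
	}
	if d := p["p"]; d == "quarantine" || d == "reject" {
		return false, d
	}
	return false, "none" // p=none (monitor only) or no policy published
}
func main() {
	// Constructed case: SPF and DKIM both pass, but for a third-party domain, so neither aligns.
	r := AuthResult{HeaderFrom: "example.com", EnvelopeFrom: "bounce.esp.example", SPFPass: true, DKIMDomain: "esp.example", DKIMPass: true}
	fmt.Println(Evaluate(r, "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))
}
```

The constructed case in main shows why alignment matters: passing SPF and DKIM for someone else’s domain does not make the visible From address trustworthy, and a p=reject policy tells the receiver to drop it.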
Mailbox providers send regular DMARC aggregate and forensic reports back to senders, giving them visibility into which messages are authenticating, which are not, and why.
DMARC is the first and only widely deployed technology that can make the “Header From” address (what users see in their email clients) trustworthy. Not only does this help protect customers and the brand, it also discourages cybercriminals, who are less likely to go after a brand with an enforced DMARC policy (p=reject).