What is a DKIM Record?
DomainKeys Identified Mail (DKIM) Meaning
DomainKeys Identified Mail (DKIM) is an open technical standard for email security that enables organizations to claim responsibility for sent messages. It allows them to associate their domain with outgoing messages to validate emails.
DKIM authenticates sent emails within the Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocol. In this way, messages cannot be tampered with between sender and recipient servers. Additionally, DKIM prevents users from receiving spam, spoofed, and phished email messages.
DKIM uses public key cryptography to assign a private key to an outgoing email. The recipient’s server then verifies the source and confirms that the message's contents have not been amended during transit. Once verification is granted, DKIM confirms the message is authentic and allows it to reach the recipient’s inbox.
What Is a DKIM Record and How DKIM Works?
The two most critical elements of DKIM are the DKIM record, which stores the public key that verifies the authenticity of an email, and the DKIM header, which is attached to every email from a domain.
DKIM works by assigning a digital signature to the headers of email messages. This signature is then validated against the public cryptographic key in an organization’s Domain Name System (DNS) records.
Domain owners publish a cryptographic public key as a TXT record in their domain’s DNS record. When an email is sent from their outgoing mail server, the server attaches a unique DKIM signature header, including two cryptographic hashes for the header and the body message. When the inbound mail server receives the message, it searches for the sender’s public DKIM key in its DNS. This key decrypts the signature then compares it with a newly computed version. If they match, the message can be authenticated.
Why Is the DKIM Record Essential?
The DKIM record ensures organizations’ sent emails reach their recipients’ inboxes, rather than ending up in junk or spam folders.
Cyber criminals spoof emails from trusted domains to generate malicious phishing and spam campaigns. DKIM makes it harder for hackers to spoof organizations' email domains.
DKIM is part of a multilayer email security strategy, alongside DMARC and Sender Policy Framework (SPF). Although it is not a required or universally adopted security standard, organizations would do well to add a DKIM record to their DNS to ensure each email from their domain is authenticated. That is because major service providers such as AOL, Gmail, Hotmail, and Yahoo use DKIM to check incoming messages and gauge the reputation of a domain. The more emails organizations send through their DKIM record, the better for their domain reputation, and the more likely they are to achieve good email deliverability.
It is also important to understand what DKIM does not do. For example, it does not provide email encryption on outgoing messages, which means sensitive data could be visible to unauthorized users.
Role of DKIM Record in Email Security
DKIM enables organizations to claim responsibility for messages sent from their domains and allows recipients to validate the messages. It uses public key cryptography to sign outgoing emails with a private key, which helps detect email forgery and prevents malicious activity.
For example, DKIM works with SPF and DMARC to prevent email spoofing, which occurs when cyber criminals send emails that look like they come from a reputable sender. In a spoofing attack, hackers impersonate a trusted individual and then send emails to customers and employees to trick them into sharing sensitive information. The technique is also used in broader cyberattacks like business email compromise (BEC), phishing, and spear phishing.
DKIM records are increasingly crucial in ensuring email security because many servers now expect messages to have DKIM and/or SPF signatures. Otherwise, they are considered suspicious and are blocked or sent to spam folders. Having a valid DKIM record allows organizations to guarantee deliverability.
Best Practices When Setting Up a DKIM Record
When setting up a DKIM record, consider several email security best practices, including:
- Deploy long keys: A crucial factor for creating effective DKIM records is complexity. Key lengths should, at a minimum, be 1024-bit. Where possible, use a 4048-bit key. Shorter key lengths like 512-bit are more vulnerable and have been proven to be crackable within 72 hours.
- Regularly rotate keys: Organizations should rotate keys at least two times per year to reduce the chances of malicious actors using them to compromise email integrity.
- Monitor recipient activity: When email messages are signed with DKIM, businesses can monitor how and when receiving servers accept them.
- Track third-party activity: Anyone who sends emails via third-party vendors, such as their service provider, should comply with your organization's policies and best practices.
- DKIM signage checks: Check that outgoing emails are sent from the appropriate domain and are DKIM-signed. Also, ensure all public keys have a corresponding private key for signing emails.
How Fortinet Can Help?
Email is a critical tool in everyday business activity, but it is also an increasingly popular attack vector among cyber criminals. Through Fortinet's industry-leading email solutions, organizations can protect their networks from email-borne threats like malware, phishing, ransomware, and spam.
FortiMail scans the contents of email messages to detect data leak attempts. It encrypts messages, so eavesdroppers are unable to read them. FortiMail checks for DKIM signatures in incoming email messages and signs sent emails with customers’ keys for protected domains. It also enables standards and protocols like DMARC and SPF.
FortiMail delivers best-in-class performance and multilayered protection against email threats based on threat intelligence from FortiGuard Labs. This ensures organizations are protected against sophisticated email-based attacks like BEC, impersonation, and zero-day threats. FortiMail also integrates seamlessly with the Fortinet Security Fabric, which enhances email security and monitors for indicators of compromise (IOCs) across an organization’s infrastructure.
How do I create a DKIM record?
Creating a DKIM record works in the same way for all email servers. A private key is stored somewhere secure, while a public key is kept safe in the organization’s DNS records. The first critical step is to compile a list of the services that are authorized to send emails on behalf of a domain, such as marketing campaign platforms.
How do I add a DKIM record in DNS?
DKIM records can be added to the DNS as a TXT record. The private key then needs to be saved to the Simple Mail Transfer Protocol (SMTP) or Mail Transfer Agent (MTA).