What is a DKIM Record?

DomainKeys Identified Mail (DKIM) is an open technical standard for email security that enables organizations to claim responsibility for sent messages. It allows them to associate their domain with outgoing messages to validate emails.

DKIM authenticates sent emails within the Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocol. In this way, messages cannot be tampered with between sender and recipient servers. Additionally, DKIM prevents users from receiving spam, spoofed, and phished email messages.

DKIM uses public key cryptography to assign a private key to an outgoing email. The recipient’s server then verifies the source and confirms that the message's contents have not been amended during transit. Once verification is granted, DKIM confirms the message is authentic and allows it to reach the recipient’s inbox.

The two most critical elements of DKIM are the DKIM record, which stores the public key that verifies the authenticity of an email, and the DKIM header, which is attached to every email from a domain. 

DKIM works by assigning a digital signature to the headers of email messages. This signature is then validated against the public cryptographic key in an organization’s Domain Name System (DNS) records. 

Domain owners publish a cryptographic public key as a TXT record in their domain’s DNS record. When an email is sent from their outgoing mail server, the server attaches a unique DKIM signature header, including two cryptographic hashes for the header and the body message. When the inbound mail server receives the message, it searches for the sender’s public DKIM key in its DNS. This key decrypts the signature then compares it with a newly computed version. If they match, the message can be authenticated.

The DKIM record ensures organizations’ sent emails reach their recipients’ inboxes, rather than ending up in junk or spam folders. 

Cyber criminals spoof emails from trusted domains to generate malicious phishing and spam campaigns. DKIM makes it harder for hackers to spoof organizations' email domains. 

DKIM is part of a multilayer email security strategy, alongside DMARC and Sender Policy Framework (SPF). Although it is not a required or universally adopted security standard, organizations would do well to add a DKIM record to their DNS to ensure each email from their domain is authenticated. That is because major service providers such as AOL, Gmail, Hotmail, and Yahoo use DKIM to check incoming messages and gauge the reputation of a domain. The more emails organizations send through their DKIM record, the better for their domain reputation, and the more likely they are to achieve good email deliverability.

It is also important to understand what DKIM does not do. For example, it does not provide email encryption on outgoing messages, which means sensitive data could be visible to unauthorized users.

When setting up a DKIM record, consider several email security best practices, including:

1. Deploy long keys: A crucial factor for creating effective DKIM records is complexity. Key lengths should, at a minimum, be 1024-bit. Where possible, use a 4048-bit key. Shorter key lengths like 512-bit are more vulnerable and have been proven to be crackable within 72 hours.
2. Regularly rotate keys: Organizations should rotate keys at least two times per year to reduce the chances of malicious actors using them to compromise email integrity. 
3. Monitor recipient activity: When email messages are signed with DKIM, businesses can monitor how and when receiving servers accept them. 
4. Track third-party activity: Anyone who sends emails via third-party vendors, such as their service provider, should comply with your organization's policies and best practices.
5. DKIM signage checks: Check that outgoing emails are sent from the appropriate domain and are DKIM-signed. Also, ensure all public keys have a corresponding private key for signing emails.

Email is a critical tool in everyday business activity, but it is also an increasingly popular attack vector among cyber criminals. Through Fortinet's industry-leading email solutions, organizations can protect their networks from email-borne threats like malware, phishing, ransomware, and spam. 

Email Security Solution - FortiMail scans the contents of email messages to detect data leak attempts. It encrypts messages, so eavesdroppers are unable to read them. FortiMail checks for DKIM signatures in incoming email messages and signs sent emails with customers’ keys for protected domains. It also enables standards and protocols like DMARC and SPF. 

FortiMail delivers best-in-class performance and multilayered protection against email threats based on threat intelligence from FortiGuard Labs. This ensures organizations are protected against sophisticated email-based attacks like BEC, impersonation, and zero-day threats. FortiMail also integrates seamlessly with the Fortinet Security Fabric, which enhances email security and monitors for indicators of compromise (IOCs) across an organization’s infrastructure.

Creating a DKIM record works in the same way for all email servers. A private key is stored somewhere secure, while a public key is kept safe in the organization’s DNS records. The first critical step is to compile a list of the services that are authorized to send emails on behalf of a domain, such as marketing campaign platforms.

DKIM records can be added to the DNS as a TXT record. The private key then needs to be saved to the Simple Mail Transfer Protocol (SMTP) or Mail Transfer Agent (MTA).