Skip to content

What Are DKIM Records and How Do They Improve Email Security?

Despite diverse digital communication options, email remains the predominant one. However, its widespread use attracts cyber attackers, who eagerly exploit unsuspecting users through phishing and spoofing. Tackling these threats starts with understanding what are DKIM records and learning how to implement them.

Using security methods and domain checks, this guide will explore how DKIM records enhance email safety for senders and recipients. Furthermore, we will review some best practices you can use when implementing DKIM on your own. 🔒

📚 Table of contents:


What are DKIM records? 🤷‍♂️

DomainKeys Identified Mail represents a rigorous email authentication method, ensuring the emails you receive are genuine and haven’t been tampered with during transit. Let’s take a closer look and answer the question: ‘What are DKIM records?’ and explore the history behind them.

The story of DKIM records starts with earlier efforts by Yahoo with DomainKeys and Cisco with Identified Internet Mail, which pioneered email authentication systems to secure emails. Developers combined the strengths of these two systems to develop the DKIM record, providing a more robust and efficient solution. This solution digitally fingerprints every email to confirm its authenticity.

Once the DKIM mechanism verifies an email’s authenticity with its digital fingerprint, it adds the DKIM header to emails. This header includes key elements like the domain, selector, signature data, and the signing algorithm. Each component plays a crucial role in the complete authentication process.

What are DKIM records?

Private and public keys in DKIM

At the heart of DKIM is the mechanism of private and public keys.

  • Private Key: Securely stored on the sending server, this confidential key generates a unique signature based on the email’s content, which becomes the DKIM signature.
  • Note: Organizations should enforce strict access controls and conduct regular security checks to protect the private key. It should be immediately revoked and replaced if compromised to ensure DKIM security.
  • Public Key: This key is openly accessible and is stored within the DNS (Domain Name System) records that serve as the internet’s address book, helping route web traffic. When a domain sends an email, the recipient can verify its DKIM signature using this public key from the DNS records.

DKIM record in the DNS system

After answering the question of what are DKIM records, the next question to ask is how do they fit in the DNS system? The DKIM record, an integral element within the DNS system, is pivotal in email authentication. Within this record lie key components that empower the receiving server to confirm an email’s authenticity. Let’s explore these components in detail:

  • Selector: The selector is a string that identifies the DKIM public key in the DNS record. When an email is received, the selector is used to locate the correct public key for verifying the DKIM signature. This allows for greater flexibility and security in key management.
  • Public Key Storage: The public key, which is used to decrypt the DKIM signature and verify that the email has not been tampered with during transit, is housed in the DKIM record. The receiving servers fetch this public key to validate the DKIM signature of incoming emails.
  • Signing Algorithm: The DKIM record specifies the algorithm used to create the signature. Standard algorithms include RSA, which is known for its security and widespread adoption. The signing algorithm generates the DKIM signature, which is then encrypted with the private key.
  • Policy Flags: These directives influence how the receiving server should handle emails from the domain, especially if DKIM checks fail. They can dictate whether an email is treated as legitimate, suspicious, or spam and specify actions to be taken if the DKIM signature is invalid, such as rejecting the email or marking it as spam.

To truly grasp the intricacies of DKIM, it’s essential to understand how the DKIM signature is structured. Let’s dissect a sample signature to comprehend its components better:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sample; t=1572282571; bh=XYZabc/pEmf+yUHDd/Y7dYNH9pE+ExampleHash=; h=From:To:Subject:Date; b=SampleSignatureXYZabc+0RyZFiOmNH30kExampleHash=
v=1;Represents the version of DKIM. Currently, “1” is the only defined value.
a=rsa-sha256;Specifies the algorithm used to generate the signature. In this case, RSA with SHA-256 hashing is employed.
c=relaxed/relaxed;Designates the canonicalization algorithm(s) for the header and body, respectively.
d=example.com;Denotes the domain of the signing entity.
s=sample;Refers to the domain’s specific DKIM public key record, employing the “sample” selector.
t=1572282571;Provides a timestamp indicating when the signature was created.
bh=XYZabc/pEmf+yUHDd/Y7dYNH9pE+ExampleHash=;Represents the body hash, ensuring the email body remains unaltered during transit.
h=From:To:Subject:Date;Enumerates headers used in the signature computation, reinforcing their authenticity.
b=SampleSignatureXYZabc+0RyZFiOmNH30kExampleHash=This is the actual digital signature derived from the email’s content.

Step-by-step breakdown of the DKIM process

What are DKIM records’ role in the email authentication process? While complicated, the process can be broken down into simple steps that underline the operational aspects and showcase the depth of the method’s reliability.

1. Signature Creation: Before an email embarks on its journey to an inbox, it’s “stamped” with a unique signature. This signature, derived from the email’s content and certain headers, is encrypted using the sender’s private key.

2. DKIM Record Retrieval: When the email lands on the recipient’s server, a crucial DKIM DNS TXT check awaits it. The receiving server conducts a DNS lookup to fetch the DKIM record associated with the sender’s domain.

3. Decryption & Verification: The server decodes the email’s DKIM signature using the public key. This decrypted signature is matched with a newly generated one based on the received content to confirm the email’s authenticity.

4. Outcome: The result of the DKIM check decides the email’s fate. A successful check indicates a genuine email, allowing it into the inbox. A failed check flags the email, potentially marking it as spam or rejecting it outright.


Importance of DKIM in email deliverability 📧

Beyond providing security benefits, DKIM significantly enhances email deliverability and domain reputation. Email service providers and Internet Service Providers (ISPs) increasingly depend on authentication checks, which involve understanding DKIM records, to verify the legitimacy of incoming emails.

Messages that pass DKIM validations are more likely to reach recipients’ inboxes. Implementing strong DKIM protocols, along with other email authentication methods, can improve a sender’s domain reputation and, consequently, their email delivery rates.

While DKIM serves as a powerful tool for email authentication, its effectiveness peaks when used in combination with other standards such as SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance). This multi-layered approach to email security ensures a more robust defense against email-based threats.

  • SPF Verification: SPF helps verify the legitimacy of the sender’s IP address. It specifies which servers are authorized to send emails on behalf of a domain. When SPF aligns with the sending domain in DKIM, it reinforces the email’s authenticity, further reducing the risk of phishing and spoofing.
  • DMARC Policies: DMARC sets policies for how email receivers should handle unauthenticated emails. It can instruct receivers to quarantine or reject suspicious emails, providing additional protection. When DKIM aligns with DMARC policies, it ensures higher security and consistency in email authentication.

By integrating authentication standards such as DKIM, SPF, and DMARC, organizations can create a comprehensive approach to email security. This multi-layered strategy not only enhances trust in email communications but also reduces the risk of fraudulent emails, significantly strengthening the overall security of the email ecosystem. The overall result is a safer and more secure digital communication environment.

Configuring DKIM records

To configure DKIM, you’ll need to access your domain’s DNS settings, typically found in your domain registrar or hosting provider’s control panel. Once you’re in the DNS settings, create a new TXT record for DKIM. The specific steps and requirements for this process can vary depending on your provider, so it’s recommended to consult their documentation or support resources for detailed guidance.

When configuring DKIM, it’s crucial to follow best practices to ensure the security and effectiveness of the authentication process. We’ll talk more about these in the next section.


Best practices and recommendations 🏆

Properly implementing and managing DKIM is crucial for email security. It’s important to actively follow structured guidelines and best practices for DKIM setup and maintenance. By doing so, you can bolster email security, enhance your domain’s reputation, protect against email-based threats, and avoid common pitfalls associated with DKIM alignment. This proactive approach to DKIM management plays a key role in building a stronger, more secure email communication system.

Regular Key Rotations: A fundamental DKIM security practice that mitigates the risk of compromise and adds an essential layer of security. Key rotations should occur every few months.

Proper DKIM Alignment: It’s essential to understand what are DKIM records and how they play a crucial role in email authentication. Ensuring that the DKIM signature aligns with the sender’s domain is crucial for bolstering email authentication. Misalignment can result in authentication failures and other issues that affect email deliverability.

Use of Strong Cryptographic Algorithms: These algorithms, such as RSA (Rivest-Shamir-Adleman), are well-known for their robust security features. Proper use of them plays a critical role in protecting the integrity of DKIM signatures and preventing vulnerabilities or potential attacks.

Correct DNS Configuration: Essential for DKIM records and includes properly publishing components such as the public key and selector. Accurate DNS configuration is vital for successful DKIM validation and email authentication.

Training and Awareness: Such efforts should target relevant individuals within an organization, especially those involved in email infrastructure and security. Continuous learning, including staying updated on emerging threats and best practices, is essential to ensure the further effectiveness of DKIM as a security tool.


Conclusion 🧐

In summary, DKIM actively protects emails, ensuring their genuineness and reliability. It acts as a stamp of authenticity, guaranteeing each email’s safe arrival at its intended destination. In combating email-based cyber attacks, understanding DKIM records becomes a crucial step in securing digital communications. This knowledge empowers users and organizations to fortify their defenses against increasingly sophisticated cyber threats.

For a deeper understanding of the underlying technology that makes email communication possible, we recommend reading our article explaining what DNS is and how it works.