DomainKeys Identified Mail (DKIM) has long been an internet standard, yet many administrators are still unfamiliar with what it is and how their organization can benefit from it. In this post we hope to clear up some of the confusion surrounding DKIM and what options are available as part of your email service with Securence.
At a basic level, DKIM provides a way for your outgoing email to be “digitally signed” by your domain. With this signature in place, a receiver can verify that your domain is truly the original source of the message. Additionally, since the signature is based on the actual message (headers and body), the receiver can also reliably confirm that the message has not been altered while in transit.
First, the signing mail server generates a unique “hash value” for your message. It does this by feeding the message into a cryptographic hashing algorithm (usually SHA-256). This is a fancy way of reducing a message of any size down to a single, fixed-length string of text that uniquely represents the contents of the message. Cryptographic hashing algorithms have the handy benefit of causing very similar text to produce vastly different hash values. For example:
"It was the best of times, it was the worst of times."
SHA-256 hash: 38D141B35057BBB691B9756C20A6C31A0AB0BBF2076538A7FB6D9EE8835096D7

"It was the best of times, it was the worst of times,"
SHA-256 hash: 775FCE11D4FEC218D105CEC874901A5225B78C02EB6E86D8D4832464368C332A
Note that simply changing the period at the end of the sentence to a comma produced a completely different hash value. When the receiving mail server performs the same hashing algorithm on your message and gets the same result, it knows that the message is in the exact state it was in when originally hashed. Conversely, if a different hash value is produced on the receiving end, then some modification to the message has occurred.
The calculated hash value is then encrypted using a private key owned by your domain. The public key counterpart is used to unlock or decrypt the hash for verification and is stored in your domain’s DNS record. In order to sign messages with Securence, you will generate this key pair in the admin portal. Securence stores the private key for signing while you make the public key available in a TXT record for verification.
When a receiving server sees a DKIM signature in the message headers, it attempts to decrypt the hash using the public key that is available via DNS. If the decryption succeeds, the server knows that it could only have been encrypted with the private key held in secret for your domain. It calculates its own hash value for the message. If it matches the decrypted one found in the signature, the receiver knows the message was not modified. The DKIM check is now complete.
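As an added illustration (not code from this post or from Securence), here is the receiver's side of the check described above in Python: reading the DKIM-Signature header tags to find which DNS name holds the public key, canonicalizing the body, and comparing the recomputed SHA-256 body hash with the signature's bh= tag. The header value, domain and selector are constructed; the RSA check of the b= tag against the public key fetched from DNS is a separate step not shown here, since it needs an RSA library.

```python
import base64
import hashlib
import re

# Constructed DKIM-Signature header value, using the tags RFC 6376 defines
# (d= signing domain, s= selector, bh= body hash). All values are made up.
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel2024; "
    "h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER"
)

def parse_dkim_signature(value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_dns_name(tags: dict) -> str:
    """The TXT record a verifier queries for the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def canonicalize_body_simple(body: str) -> bytes:
    """RFC 6376 'simple' body canonicalization: CRLF line endings, trailing empty
    lines removed, and exactly one CRLF at the end (an empty body becomes CRLF)."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()

def body_hash(body: str) -> str:
    """The bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode()

def body_hash_matches(header_value: str, body: str) -> bool:
    """Receiver-side check from the post: recompute the hash and compare it with bh=.
    A mismatch means the body was altered after signing (or the header is forged)."""
    return body_hash(body) == parse_dkim_signature(header_value).get("bh")

if __name__ == "__main__":
    original = "It was the best of times, it was the worst of times."
    print("public key record:", dkim_dns_name(parse_dkim_signature(SAMPLE_HEADER)))
    print("bh of original:   ", body_hash(original))
    print("bh after '.'->',':", body_hash(original[:-1] + ","))
```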
First, DKIM is an important part of protecting your domain from abuse. Email service providers can use the results of DKIM verification to identify and block fraud attempts that impersonate your domain.
DKIM signing can also improve delivery rates with email services that track sender reputation. For example, if Gmail is unable to authenticate a message using SPF, DKIM, or DMARC, it is more likely that the message will be delayed or even marked as spam.
Additionally, DKIM is a necessary step towards implementing DMARC, which itself provides further protection from email scams and spoofing attempts. Though DKIM is not explicitly required for DMARC, implementing a reject policy in DMARC is strongly discouraged without first signing with DKIM. DMARC will be discussed in an upcoming blog post.
Configuring Securence to sign your outbound messages with DKIM is a relatively straightforward process. Click here for a PDF which will walk you through the steps.
DKIM is an important and useful email authentication scheme. Using DKIM, your messages can be signed in such a way that receivers can trust they truly originated from your domain and have not been tampered with. DKIM signing is included with your Securence Outbound service. If you have questions about DKIM or any other part of your Securence email protection suite, reach out to us at firstname.lastname@example.org.