What is DKIM: definition and settings
Email has become one of the most popular communication channels for both private and business purposes. In 2020, the number of emails sent and received each day amounted to 306.4 billion, and that figure is expected to grow to 376.4 billion by 2025.
With email this widespread, it’s no wonder so many attackers craft phishing emails intended to steal sensitive information such as passwords or credit card details. The statistics are alarming: roughly a quarter of all data breaches involve phishing, and 86% of them are financially motivated.
To counter this, mail providers have to keep improving the ways they protect messages, and DKIM is one of them.
Let’s start off by clearing up some terms!
What is DNS?
When dealing with the DKIM definition and instructions, you will notice DNS being mentioned a lot.
DNS (Domain Name System) is the distributed database that maps domain names (“yourdomain.com”) to IP addresses (for example 203.0.113.7) and holds other records about a domain, such as the TXT records used for DKIM. Usually, your company’s system administrators or, in some cases, developers have access to it and can help you with all the necessary settings.
Some of the most trustworthy DNS providers include Namecheap, Cloudflare, Bluehost, and others.
What is DKIM?
DomainKeys Identified Mail (DKIM) is an email authentication technique that lets a domain take responsibility for the messages it sends. It helps receivers detect forged senders, fight spam, and prevent spoofing (a fraudulent activity in which spammers send a manipulated email from a forged sender address so that the receiver thinks it originated from someone else).
DKIM uses public-key cryptography: the sending server signs selected headers and the body of your message with a private key and carries the signature in a DKIM-Signature header. Receiving servers then check that signature against the domain’s public key to ensure that the signed parts were not altered in transit and that the message really was signed by the domain named in the signature.
How are DNS and DKIM related?
As a domain owner, you publish a DKIM record containing the public key in your DNS. When a receiving mail server gets your email, it finds the DKIM-Signature header, looks up the public key in DNS using the domain and selector named in that header, and verifies the signature. If the signature verifies, the message passes DKIM, which (together with SPF and DMARC) helps it land in the recipient’s inbox.
What is a DKIM selector?
The DKIM-Signature header is a list of tags. Each tag is one or a few letters followed by an equal sign (=) and a value, for example:
- “v=” — version (always 1)
- “a=” — signing algorithm, e.g. rsa-sha256
- “d=” — signing domain
- “s=” — selector
- “h=” — the list of headers covered by the signature
- “bh=” — hash of the (canonicalized) message body
- “b=” — the signature data itself, and others.
The public key is not in the header. To fetch it, the recipient’s mail server combines the “s=” and “d=” values into a DNS name of the form “<selector>._domainkey.<domain>” and queries the TXT record at that name. For example, s=s1 and d=yourdomain.com point to s1._domainkey.yourdomain.com.
Each service that signs on behalf of your domain needs its own selector. If you use both Snov.io and Mailchimp for sending on behalf of “yourdomain.com,” they must not share a selector. Otherwise one service’s record would overwrite the other’s, the verifier would fetch the wrong public key, and signatures from the overwritten service would fail.
How does the verification process go: Summary
DKIM verification works as follows:
- The sending server signs the message with the domain’s private key and adds the resulting signature (never the key itself) to the DKIM-Signature header.
- The receiving server fetches the public key from the DNS record named by the “s=” and “d=” tags and uses it to verify the signature; it also recomputes the body hash and compares it with “bh=”.
- If both checks succeed, the recipient’s mail server knows that the signed headers and body of the message from firstname.lastname@example.org haven’t changed since they were signed.
- If verification fails, the message cannot be trusted to be unaltered; depending on the recipient’s DMARC policy it may be quarantined or rejected, affecting your deliverability.
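The tag parsing and selector-to-DNS-name mapping from the previous section, together with the body-hash part of the verification just summarized, as an added Python example (this is not the article’s code and not any mail provider’s). The message and its body are constructed here; d=example.com and s=s1 are placeholders. The “b=” signature check itself needs RSA and a crypto library (dkimpy does this in practice), so it is left out: the example ends at the point where the verifier has computed the name to query and has compared its own body hash with “bh=”, which is the step that catches a modified body.

```python
import base64
import hashlib
import re

# Constructed sample body (not from the article). The double space and the
# trailing blank lines are there to show what canonicalization tolerates.
SAMPLE_BODY = "Hello team,\r\n\r\nPlease review  the attached report.\r\n\r\n\r\n"


def parse_tag_list(value):
    """Parse a DKIM tag=value list ("v=1; a=rsa-sha256; ...") into a dict.
    Whitespace inside values is dropped, as RFC 6376 allows for b=, bh=, etc."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_dns_name(tags):
    """The name a verifier queries for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def canonicalize_body(body, mode):
    """Body canonicalization from RFC 6376 section 3.4.
    simple: drop trailing empty lines only.  relaxed: also strip trailing
    whitespace on each line and collapse runs of spaces/tabs to one space."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body, mode="simple", algo="sha256"):
    """Compute the bh= value: base64 of the hash of the canonicalized body."""
    digest = hashlib.new(algo, canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode()


def build_sample(body, body_canon="relaxed"):
    """Assemble a constructed message carrying a real bh= for `body`.
    The b= value is a placeholder: RSA signing is not part of this example."""
    headers = (
        f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/{body_canon}; d=example.com;\r\n"
        f" s=s1; h=from:to:subject; bh={body_hash(body, body_canon)};\r\n"
        " b=PLACEHOLDER\r\n"
        "From: Alice <alice@example.com>\r\n"
        "To: Bob <bob@example.net>\r\n"
        "Subject: Report\r\n"
    )
    return headers + "\r\n" + body


def dkim_signature_tags(raw):
    """Unfold the header block and return the DKIM-Signature tags (or None)."""
    head = raw.partition("\r\n\r\n")[0]
    for line in re.sub(r"\r\n[ \t]+", " ", head).split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "dkim-signature":
            return parse_tag_list(value)
    return None


def check_body_hash(raw):
    """Verifier-side step: recompute the body hash and compare it with bh=.
    Returns False when the header is absent or the body was modified."""
    tags = dkim_signature_tags(raw)
    if tags is None or "bh" not in tags:
        return False
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/", 1)[1] if "/" in canon else "simple"
    algo = "sha1" if tags.get("a", "rsa-sha256").endswith("sha1") else "sha256"
    body = raw.partition("\r\n\r\n")[2]
    return body_hash(body, body_mode, algo) == tags["bh"]


if __name__ == "__main__":
    msg = build_sample(SAMPLE_BODY)
    print("key lookup name:", dkim_dns_name(dkim_signature_tags(msg)))
    print("intact body:    ", check_body_hash(msg))
    print("edited body:    ", check_body_hash(msg.replace("report", "invoice")))
```

Changing a single word in the body makes the recomputed hash differ from “bh=”, so the message fails before any RSA work is done. Note what “relaxed” canonicalization tolerates: collapsing the double space in the sample body still verifies, while the same edit fails under “simple”. That is by design (mail systems sometimes reflow whitespace), not a weakness you can exploit to change the message’s meaning.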
How to set up DKIM?
There are several ways to set up DKIM for your domain. Below are general steps that apply to any DNS provider, using Google as the mail provider.
These steps are for the administrators who manage Google Accounts for your company:
1. Sign in to your Google Admin console, click on the top left menu, and head to Apps > G Suite > Settings for Gmail > Authenticate Email.
2. Pick your domain from the drop-down list, click “Generate New Record,” and copy the hostname and the TXT record value.
3. Log in to your DNS (e.g., Namecheap, Cloudflare, Bluehost, etc.), go to the domain list, choose your domain, and pick “Add New Record” in the advanced settings.
4. Select TXT record and enter the hostname you’ve just copied from Google in “Name” and TXT record value in “Value.”
5. Save your changes, go back to Google, and click “Start Authentication.”
6. Wait for the DNS to update 🙂
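What the record looks like once it is in the zone, as an added illustration rather than something from the article or from Google’s documentation. The selector “google” is Google’s default and may differ in your console; the key data is a placeholder for the value you copied.

```text
; Name (hostname) and value as handed out by the Admin console.
; In a DNS panel that appends the zone name automatically, enter only
; "google._domainkey" in the Name field, not the full hostname.
google._domainkey.yourdomain.com.  3600  IN  TXT  "v=DKIM1; k=rsa; p=<public key copied from the Admin console>"
```

A 2048-bit key makes the value longer than the 255-byte limit of a single TXT string, so many panels (and dig) show it split into two quoted strings; verifiers concatenate them, so that is fine. Once it has propagated, `dig +short TXT google._domainkey.yourdomain.com` should return exactly one record whose value starts with v=DKIM1.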
Before launching any email campaigns, take time to check that your setup works. Use lookup tools such as MxToolbox or Dmarcian to run tests. It may take up to 48 hours for DNS changes to take effect, so allow for this delay before testing.
If signature validation fails, it is probably due to one of these mistakes:
- multiple DKIM records at the same name in your DNS, instead of a single one
- a duplicated domain suffix in the record name (many DNS panels append your domain to the “Name” field automatically, so entering the full hostname yields selector._domainkey.yourdomain.com.yourdomain.com)
- a key that wasn’t configured correctly (for example, a truncated or mistyped “p=” value)
- a missing key.
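A small check for the mistakes listed above, added here as a Python example (not the article’s code). It assumes you have already fetched the TXT value(s) at the record name with dig or a lookup tool and pass them in as strings; the inputs below are constructed, and the “p=” values are dummy base64 of realistic length rather than real keys. The key-size test is a heuristic on the DER length (a 2048-bit RSA public key encodes to 294 bytes, a 1024-bit one to 162).

```python
import base64

# Constructed lookup results (not from the article). The p= payloads are
# dummy base64 of the right length, not real keys.
GOOD_RECORD = "v=DKIM1; k=rsa; p=" + "A" * 392        # decodes to 294 bytes (2048-bit RSA)
SHORT_KEY_RECORD = "v=DKIM1; k=rsa; p=" + "A" * 216   # decodes to 162 bytes (1024-bit RSA)


def check_dkim_publication(hostname, domain, txt_records):
    """Return a list of problems with a published DKIM record (empty if it looks fine).

    hostname    -- the DNS name that actually ended up in the zone
    domain      -- the domain the selector belongs to
    txt_records -- TXT values found at that name (may be empty); if dig shows a
                   value split into several quoted strings, join them first
    """
    problems = []
    if hostname.endswith(f".{domain}.{domain}"):
        problems.append("domain appended twice: the DNS panel added the zone name "
                        "to a Name field that already contained it")
    elif "._domainkey." not in hostname:
        problems.append("name lacks the _domainkey label; verifiers will not find it")
    if not txt_records:
        problems.append("no TXT record at this name: the key is missing")
        return problems
    if len(txt_records) > 1:
        problems.append(f"{len(txt_records)} TXT records at one name: keep exactly one")
        return problems
    # Minimal tag=value parse of the record (v=, k=, p=, ...).
    tags = {}
    for part in txt_records[0].split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = val.strip()
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append(f"unexpected version tag v={tags['v']}")
    key = tags.get("p", "")
    if not key:
        problems.append("p= is empty or missing: no public key (an empty p= means revoked)")
        return problems
    try:
        der = base64.b64decode(key, validate=True)
    except ValueError:
        problems.append("p= is not valid base64: key was pasted incorrectly")
        return problems
    if tags.get("k", "rsa") == "rsa" and len(der) < 294:
        problems.append("RSA key shorter than 2048 bits (heuristic on DER length)")
    return problems


if __name__ == "__main__":
    for name, records in [
        ("s1._domainkey.example.com", [GOOD_RECORD]),
        ("s1._domainkey.example.com.example.com", [GOOD_RECORD]),
        ("s1._domainkey.example.com", []),
        ("s1._domainkey.example.com", [SHORT_KEY_RECORD]),
    ]:
        print(name, "->", check_dkim_publication(name, "example.com", records) or "OK")
```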
DKIM has been around since 2005 and is still actively used. Such popularity can be explained by the fact that it’s free, reliable, and comparatively straightforward. Nothing stands still, however, and scam schemes become more and more creative.
A 2020 FBI report indicated that phishing (obtaining personal information by convincing the user to hand it over) was the most common cybercrime. Roughly 96% of phishing attacks are delivered by email. So if you care about the safety of credentials, harden your domain as much as possible.
In fact, DKIM is just one of the email authentication methods that prove to mailbox providers that you are authorized to send email from your domain. Others you should pay attention to include:
- SPF (Sender Policy Framework) is a DNS record listing which mail servers are allowed to send email on behalf of a domain.
- DMARC (Domain-based Message Authentication, Reporting & Conformance) is a DNS policy that tells the recipient’s mail server what to do with a message that fails authentication. It requires that SPF or DKIM passes and that the passing domain aligns with the domain in the From: header, lets you ask for failing messages to be monitored, quarantined, or rejected, and has receivers send you reports.
- BIMI (Brand Indicators for Message Identification) builds on DMARC and lets mailbox providers display your company’s logo next to messages sent on your behalf. It’s not only about the visual part: BIMI is only honored for domains with an enforcing DMARC policy, so a displayed logo signals that the message passed that check.
Spend a few hours setting up these technologies, or hire a professional to do it. A little time and money spent on prevention saves a lot when it comes to corporate or personal data safety.