How DKIM records reduce email spoofing, phishing and spam

Spammers, phishers and every kind of risk actors prefer to forge email to seduce customers into opening malicious email and letting the barbarians within the gates. Email authentication with the DomainKeys Identified Mail customary can cease — or no less than decelerate — many of those assaults utilizing public key cryptography.

DKIM, when used with the Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC) protocols, provides email directors a device for guaranteeing all outgoing mail messages are digitally signed — in addition to enabling mail recipients to authenticate inbound email.

Email senders use DMARC to specify what actions to take when receiving an email message that may’t be authenticated and SPF to establish the legitimate IP handle, area or subdomain for servers originating email for a site. DKIM specifies a protocol for digitally signing outbound email messages with the area proprietor’s personal key, so recipients may be assured that the email originated from a licensed server operated by the area proprietor.

The email safety drawback

All web email is transmitted from an originating email server to the vacation spot email server utilizing Simple Mail Transfer Protocol (SMTP). When SMTP was laid out in 1982 in RFC 821, it offered no security measures. The goal of the protocol was to specify a method for exchanging messages. Security via encryption or cryptographic authentication was left for different protocols. For instance, the earliest email implementations transmitted unencrypted plaintext messages, however mail encryption and information integrity companies are actually offered on the transport layer utilizing the TLS protocol.

Encrypting SMTP information over TLS supplies assurance that messages will not be accessible to attackers in transit, but it surely supplies no assurance that these messages originated from the obvious supply. Individual messages could also be digitally signed and encrypted by the sender, utilizing protocols corresponding to Secure/Multipurpose Internet Mail Extensions (S/MIME) or Pretty Good Privacy (PGP), however these protocols solely authenticate the sender and say nothing about whether or not the messages have been despatched by a mail server approved for the sending area.

An additional complication — and a part of the rationale safety is saved separate from mail supply — is that email safety mustn’t negatively have an effect on email supply. While defending towards email forgery is vital, it needs to be carried out in a means that does not degrade supply of respectable messages.

What are the threats from unauthenticated email?

Without email validation or authentication, all incoming email is handled as respectable. This permits the next varieties of assault:

  • Spam is when spammers ship undesirable email to advertise an in any other case respectable product, however extra typically, spam is used to advertise scams, collect info or assault the email infrastructure of the focused group to disrupt email companies.
  • Spoofing is a way email hackers use to persuade recipients they’re speaking with a respectable sender. Business email compromise and whaling attacks typically rely upon spoofed email.
  • Phishing is a way that makes use of email to control recipients into taking motion that furthers the attacker’s objectives. Phishing assaults could immediate victims to open malicious software program or authorize improper funds, for instance.

When used collectively, DKIM, SPF and DMARC allow email senders and recipients to considerably reduce the threats carried by spoofed or in any other case illegitimate email. DKIM works finest when email servers can authenticate the digital signatures on particular person emails utilizing the email sender’s public DKIM key.

What is DKIM?

The DKIM protocol, outlined in Internet Engineering Task Force RFC 6376, DomainKeys Identified Mail (DKIM) Signatures. When DKIM is carried out, a domain-owning entity can declare duty for that area by signing all outgoing messages with a public key related to the area. DKIM signatures are included into the message headers of authenticated email; they aren’t beneath the management of the particular person sending the mail.

DKIM signatures are separate from different varieties of message-signing protocols, corresponding to PGP or S/MIME. Those protocols allow customers to signal or encrypt particular person messages, however when DKIM is in use, all messages — together with these signed or encrypted individually by the senders — may be authenticated as coming from a licensed mail server.

In circumstances the place a consumer indicators email with PGP or S/MIME, these signed messages are themselves digitally signed utilizing the DKIM public key. This provides the receiving mail server a mechanism to authenticate the message as being despatched from a licensed area, subdomain or IP handle with DKIM, whereas additionally giving the particular person receiving the email a strategy to authenticate the contents of the message as originating from the one who despatched it.

DKIM, SPF and DMARC work collectively to offer an important technique for shielding email customers from spam, spoofing and phishing. When used collectively, email-sending organizations have the means to do the next:

  • embrace a digital signature within the header of outgoing messages, utilizing DKIM records;
  • establish approved mail servers for a site, subdomain or hostname, utilizing SPF records; and
  • notify receiving mail servers the best way to course of email from a site or hostname when it’s obtained from an unauthorized server or when the digital signature fails to authenticate, utilizing DMARC.

All three of those protocols use DNS TXT records to retailer details about the email servers that serve a site (SPF), how email from these servers may be authenticated (DKIM), and what to do when email is obtained from unauthorized servers or when messages fail to authenticate (DMARC).

Setting up a DNS document for email authentication utilizing any of those protocols is normally performed by area directors. Email receivers can do a DKIM test on inbound email to authenticate messages utilizing the sending area’s public key. The DKIM test is completed utilizing a DNS lookup, which verifies a DKIM document exists for the area and then validates the email by checking the message’s digital signature.

How does DKIM shield towards spam and phishing?

When used with DMARC and SPF, DKIM permits email-receiving organizations to reduce or stop spoofing, phishing and spam by resolving the next questions:

  • How can particular person email messages be authenticated? DKIM records present a public key, which supplies email-receiving organizations a strategy to authenticate particular person email messages.
  • Who is allowed to ship email for a site? SPF records establish the domains and IP addresses of email servers approved to ship mail for the related area.
  • What needs to be performed when email is shipped from an unauthorized area? DMARC records specify what to do with an email message despatched from an unauthorized email server primarily based on the SPF document for the area.

When an email-sending group publishes its public key in its DKIM document, it affords email-receiving organizations a way for flagging email and not using a DKIM signature or with a DKIM signature that fails to correctly authenticate.

DKIM, SPF and DMARC all rely upon DNS to publish and distribute authentication info for the sending area, so you will need to perceive how DNS TXT records are created and added. In most circumstances, including a DNS TXT document for these protocols ought to solely be performed by somebody with authority for the sending area’s DNS records.

DKIM works when an email server receives messages from an email sender. If the receiving email server helps DKIM, it queries DNS for the area specified within the return-path handle within the message header. If a DKIM document exists for the area the mail is being despatched from, that document consists of the general public key wanted to authenticate the incoming message.

How to implement DKIM

Smaller organizations and people that use email service suppliers to ship and obtain email can test with their suppliers to make certain their email servers implement DKIM. Most giant email service suppliers use DKIM, SPF and DMARC to limit email forgeries, email spoofing and different malicious or undesirable email.

Implementing DKIM is normally only one facet of a bigger effort to authenticate email. While DKIM can be utilized by itself, it’s far more efficient to deploy DKIM records together with SPF and DMARC records. This permits a corporation to specify approved emails with SPF and directives for correct dealing with of unauthenticated emails with DMARC.

Organizations that need to shield their domains utilizing DKIM, SPF and DMARC normally roll out their email authentication efforts progressively and in live performance. The area proprietor should take the next steps:

  1. Publish DNS TXT records for every protocol beneath the email sending area.
  2. Configure email servers for the area to assist every protocol and take acceptable motion when email is authenticated or fails to be authenticated.

Gradual implementation normally means taking the next steps:

  1. Publish a DMARC document that specifies no motion or solely a request for reporting on messages which can be obtained and undergo the authentication course of. This permits the area holder to find out whether or not the DMARC directions are legitimate and relevant solely to messages that fail to authenticate.
  2. Publish DKIM and SPF records for the area with the impartial DMARC document. During the email authentication rollout, this permits the area administrator to find out that the records are correctly utilized and will likely be efficient for decreasing cast email.
  3. Update DKIM, SPF and DMARC records to use guidelines for limiting probably dangerous email and discarding unauthenticated messages.
  4. Review rollout processes, and confirm that implementation has been efficient at decreasing unauthorized or unauthenticated email, whereas not affecting email deliverability.

DKIM authentication is best when it’s deployed together with DMARC, which establishes the area proprietor’s insurance policies for dealing with unauthenticated email despatched from the area. If DMARC will not be carried out, organizations that obtain unauthenticated email haven’t got a transparent path to report these messages, however they might nonetheless have their very own insurance policies for rejecting or accepting unauthenticated mail.

DKIM selectors

While a single area could solely have one SPF document posted in DNS, area homeowners should use completely different public key pairs for various email servers working on behalf of the identical area. Different public keys for various servers are recognized by a DKIM selector, a string added to the identify of the DKIM DNS document that differentiates between a number of approved email servers and their public signing keys.

All DKIM DNS records are named utilizing this format:

DKIM selectors are helpful for giant organizations which have operations in a number of places and ship email from every location. A selector can also be used for email despatched on behalf of the area proprietor, corresponding to email campaigns run by a third-party supplier or for email despatched by an email service supplier. The following are examples of such selectors:

In the above instance, a corporation primarily based in India specifies separate DKIM signing keys printed for mail despatched from a Kolkata mail server, from a Mumbai mail server and from Google’s Gmail email service.

DKIM signature headers

When DKIM is in use, all email despatched by an email server within the sender’s area is digitally signed. The DKIM signature is then included into the header of the signed email. The DKIM signature consists of tags, that are informational parts that carry related details about the digital signature on the email, in addition to info associated to sender’s email server. These tags embrace the next:

  • Version refers back to the model of DKIM carried out by the sender. Currently, the one legitimate worth for model is 1 for DKIM model 1.
  • Signing area identifier (SDID) is the originating area identify claimed within the originating email header. This worth identifies the entity claiming to personal the area and is used together with the DKIM selector worth to find out the identify of the DNS TXT document containing the area’s signing key.
  • DKIM selector is a string appended to the originating area to establish the DNS document related to a specific email server or service. See DKIM Selectors part above for extra info.
  • Header fields is an inventory of the header fields included within the hash of the message. The tag h= is adopted by the precise area names separated by the string “ : ” (), with the semicolon character “;” terminating the record.
  • Email physique hash (bh) is the cryptographic hash of the chosen header fields and the physique of the message. This is the worth that needs to be produced by the recipient when an inbound message is processed by the receiving DKIM implementation.
  • Algorithm is the digital hashing algorithm used to generate the digital signature within the DKIM header. Support for the RSA SHA-256 algorithm is required for all DKIM implementations and was initially beneficial for use for many functions. The RSA-SHA1 algorithm can also be supported. A brand new signing algorithm, Ed25519-SHA256, was specified to be used with DKIM signatures in RFC 8463.
  • Digital signature is the precise digital signature generated by the sender. This signature is generated by hashing the chosen header fields and the physique of the message and then digitally signing that hash.

Here is an instance of a DKIM signature header, together with the primary string, DKIM-Signature, which is required for these headers:

DKIM-Signature: v=1; a=rsa-sha256; s=mumbai;; q=dns/txt;
h=Received : From : To : Subject : Date : Message-ID;

The tags used on this instance are defined within the desk under.

Tag Notes


DKIM model 1


Algorithm used to generate the message signature


DKIM selector;

The SDID that’s claimed by email sender


Query technique to entry DKIM document. Currently, the one legitimate technique is utilizing DNS to retrieve a TXT document.

h=Received : From : To : Subject : Date : Message-ID;

Headers included within the hash worth of the message


The hash worth of the message and headers


4nujc7YopdG5dWLSdNg kHxt1IrE+NahM6L 6xNAZpOPr+/LbvaHut



The message digital signature. When decrypted utilizing the sending area’s public key, it ought to return the hash worth (bh).

When an email server that helps DKIM receives a DKIM signed message, it does a DKIM question to amass the general public key related to the message signature and then makes an attempt to authenticate the message.

DKIM records

Sending DKIM-authenticated email requires a DKIM document in a DNS TXT document. Adding DNS records is normally restricted to 1 or a small group of approved workers members and shouldn’t be performed evenly due to the potential for destructive affect on a corporation’s web accessibility.

The first step when making a DKIM document is the document identify. The easiest DKIM document seems one thing like the next:


The document is identifiable as a DKIM document due to the _domainkey prefix adopted by a interval. In this case, all DKIM email can be authenticated towards the general public key printed within the document, and there would solely be one email server for that area.

In circumstances the place a number of email servers are in use, email directors have to decide on between copying the personal (secret) key to all servers or creating completely different public key pairs to be used on completely different email servers. The latter selection is preferable for safety causes, because it restricts the distribution of an especially delicate personal key.

DKIM selectors allow email directors to publish completely different DKIM records which can be differentiated by the DKIM selector identify. Continuing from the instance listed above of a corporation with email servers in each Mumbai and Kolkata, India, two DKIM records are created utilizing the DKIM document names:


A easy DKIM document seems just like this:

v=DKIM1; t=y;

Only two choices are necessary: the model of DKIM being supported and the general public key being utilized by the server sending email on behalf of the area specified within the DKIM document identify.

The non-compulsory testing parameter, t=, has two legitimate values, n and y, which specify whether or not the DKIM document is being examined (t=y;) or is in manufacturing (t=n;).

Related Posts