DKIM - Postmaster+ by OptiPub

DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect email spoofing. It allows the receiving mail server to check if the email was actually sent by the domain it claims to have been sent by and if the content was tampered with during transit.

DKIM works by adding a digital signature to the headers of an email message. This signature is generated using a private key that only the sender knows. When the email is received, the receiving mail server uses the corresponding public key, which is published in the sender's DNS records, to verify the signature and confirm that the email has not been modified.

Here's a simplified overview of how DKIM works:

  1. The outgoing mail server generates a unique hash of the email content.

  2. This hash is then encrypted with a private key to create a digital signature. The signature is included in the email headers.

  3. The email is sent to the recipient's mail server.

  4. The recipient's mail server looks up the sender's public key in their DNS records.

  5. It then decrypts the digital signature back into the original hash and generates its own hash of the received email content.

  6. If the two hashes match, the email has not been modified during transit and the email is marked as authentic.

The main benefits of DKIM are:

  • Authenticity: It verifies that the email was actually sent by the domain it claims to be sent by.

  • Integrity: It ensures that the email content was not tampered with during transit.

  • Reputation: It can help build the domain's reputation over time, as it shows that the domain is not being used for spam or phishing.

Like SPF, DKIM is an important tool in the fight against spam and phishing. However, it's best used in conjunction with other methods, like SPF and DMARC (Domain-based Message Authentication, Reporting, and Conformance), as each method addresses different vulnerabilities.

An important aspect to consider when constructing an SPF record is the DNS lookup limit. SPF imposes a limit of 10 DNS lookups per SPF check. This limit is meant to prevent excessive resource consumption and potential denial of service attacks.

When an email is received and an SPF check is performed, each "include", "a", "mx", "ptr", and "exists" mechanism, as well as the "redirect" modifier used in the SPF record of the incoming email, counts as a DNS lookup. However, the "ip4" and "ip6" mechanisms do not require DNS lookups.

If the SPF record for a domain requires more than 10 DNS lookups, receivers checking the SPF may stop the SPF evaluation and return a 'permerror' (permanent error).

This limit can be quickly exhausted if your SPF record includes other domains, especially if those domains also use SPF with their own includes. Therefore, it's important to ensure that your SPF record is carefully constructed to stay within this limit.

DKIM Configuration Options

Component Description Example
v (Version) Identifies the version of DKIM specification being used. v=DKIM1
k (Key Type) Defines the encryption algorithm of the public key. k=rsa
p (Public Key) The public key data which will be used by the receiving server to decode the DKIM signature. p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...
s (Service Type) Defines the service types for which the record can be used. It is typically "*". s=*
t (Flags) Used to set certain flags. Common flags are "y" (testing mode) and "s" (strict mode). t=s
h (Hash Algorithm) Defines the hash algorithm being used to encrypt the message body and headers. h=sha256


How to setup DKIM

DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect email spoofing. It allows the receiver to check that an email was actually sent and authorized by the owner of that domain. Here's how you can set it up:

  1. Generate a DKIM key pair: The first step in setting up DKIM is to generate a DKIM key pair. This consists of a private key that stays on your server and a public key that you publish to your domain's DNS. The process for generating the key pair depends on your mail server or email service. If you're using a service like Google Workspace or Office 365, they'll generate the key for you.

  2. Create a DKIM DNS record: You'll need to create a TXT record in your DNS settings. The name of the record is usually something like selector._domainkey, where "selector" is a name you choose. The value of the record is the public key that you generated in step 1, formatted like this: v=DKIM1; p=your_public_key_here. If you're using an email service, they'll usually provide the exact value for you to paste in.

  3. Configure your mail server to sign messages: Your mail server or email service needs to be configured to sign outgoing messages with your private key. The process for this varies depending on your server or service. If you're using an email service, they'll usually handle this for you once you've set up the DNS record.

  4. Test your DKIM setup: You can send a test email to a service like mail-tester.com, which will check your DKIM setup (as well as SPF and DMARC). If you're using an email service, they'll often provide a way to test it as well.

  5. Monitor your DKIM setup: Like SPF, it's a good idea to regularly check your DKIM setup to make sure it's still working correctly, especially if you change email services or servers.

Setting up DKIM can be a bit more complicated than SPF, especially if you're not using an email service that handles most of the setup for you. However, it's a valuable tool in the fight against email spoofing and phishing, so it's well worth the effort.

Remember that DKIM is just one part of a complete email authentication setup. For best results, you should also set up SPF and DMARC.