Spam has become a daily nuisance for everybody. The number of spam e-mails can overwhelm our inboxes, reducing the space and chances for important messages to be received. Besides, they are a constant and real threat to our security. Scams, phishing attacks, malware can be attached to them, risking our personal information, business, and systems.
Fortunately, developers constantly improve and innovate with tools to defeat, or at least mitigate, these threats. DKIM is an example.
DomainKeys identified mail, or DKIM by its initials, is a TXT DNS record type that allows domains to prove that the e-mails sent from them are legit via cryptographic authentication. On the receivers’ side, the DKIM record works during domains’ DNS queries. It verifies senders through the information set on the header.
DKIM record is a way to prove e-mails can be trusted.
A domain owner, who is in charge of its DNS records, publishes a public key (cryptographic). It’s contained in a modified TXT record. It will be the mean for recipients to check the authenticity of the e-mails’ sender.
Every time an e-mail is sent by a mail server (sender), it adds a DKIM signature into the e-mail header. That signature is a hash value, a unique textual string encrypted through a private key that only the sender has. The header registers information about the way the signature was created, and it includes two cryptographic hashes. One belongs to the message body and the other to the specified headers.
When the receiver e-mail server gets an e-mail, it triggers a DNS request to find the public key from the sender domain. The DKIM signature offers data to find that key.
The sender e-mail server will find and decrypt the DKIM signature of the e-mail to its primary hash values. Those will be in contrast with the values gotten on the received e-mail. If there’s a match, DKIM will authenticate them as legit.
Every DKIM record holds inside the public key for the receiver to verify the e-mail and different signature values to execute its functions.
v – DKIM’s version.
a – it refers to the algorithm used to sign (rsa-sha1 or rsa-sha256).
b – signature.
d – domain name.
h – header fields. Here header fields signed are registered.
c – message canonicalization.
bh – body hash.
l – body length.
i – identifier (user or agent).
q – DKIM’s default query method, DNS/TXT.
s – selector.
t – signature timestamp.
x – expiring time for the signature.
z – header fields copied.
DKIM is easy to enable. It does not need three-party certification to work. It’s a self-certificate method.
Protect your users from e-mail forging. DKIM secures e-mails that your business sends from its e-mail server not to be forged or altered on transit. DKIM is a good tool for your business to prevent spoofing, phishing and to build a trustable reputation.
DKIM doesn’t affect e-mails bodies. The information to authenticate and verify is added to the header.
It works on domain names’ level. This means the DNS administrator signs all the outgoing e-mails. Not every single user has to do it when sending a message.
It’s required to improve security through DMARC. There are more security tools that can improve your shield power, like DMARC. And to have a DKIM record is the basis for it to work.
When it’s about security and the positive reputation of business, investments are totally worthy. DKIM is a useful record that, without doubt, you should enable on your domain. The benefits will spread to your business and clients. You can kill two birds with one stone!