Fighting spam and phishing emails is a never-ending battle in which one of the key players is the DKIM record. It ties the sender of a mail to the domain name and serves as proof that the email was not forged on the way.
What is the DKIM record?
The DKIM (DomainKeys Identified Mail) record is a TXT DNS record that the DNS administrator of a domain publishes to prove, through cryptographic authentication, that the emails sent from the domain are legitimate. The receiver, in turn, uses the DKIM record by performing a DNS query on the domain to verify the sender using the information in the header.
Inside the DKIM record, you will see the public key that the receiver will use to verify the message.
When you sign an email with DKIM, a DKIM signature header is added to the message. The sending email server signs the emails with its private key, and the receivers verify the signature with the public key.
The process will guarantee that the message was not spoofed on the way and that it can be trusted.
Inside the DKIM signature, you will be able to use several tags:
v – version of the DKIM.
a – specifies the signing algorithm used. It supports rsa-sha1 and rsa-sha256.
b – the signature.
bh – body hash.
c – Message canonicalization.
d – stands for the domain name.
h – header fields, the list of header fields that have been signed.
i – User or agent identifier.
l – body length.
q – the default query method for DKIM is DNS/TXT.
s – is a selector.
t – signature timestamp.
x – the signature’s expiring time.
z – copied header fields.
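To see how the receiver uses these tags, the following added example (not code from the original article) parses a DKIM signature header value, builds the DNS name of the TXT record that holds the public key (`<s>._domainkey.<d>`, as defined by the DKIM specification), and flags settings a mail administrator would want to review. The sample header is constructed, and the function names are hypothetical.

```python
import re
import time

# Constructed sample value of a DKIM-Signature header; b= and bh= are dummy data.
SAMPLE = (
    "v=1; a=rsa-sha1; c=relaxed/simple; d=example.com; s=mail2024;\r\n"
    "\tt=1700000000; x=1700086400; l=1200; h=from:to:subject:date;\r\n"
    "\tbh=ZHVtbXktYm9keS1oYXNo; b=ZHVtbXkt\r\n\tc2lnbmF0dXJl"
)

def parse_tags(value):
    """Split a DKIM-Signature value into a {tag: value} dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        if "=" not in part:
            continue
        name, val = part.split("=", 1)
        name, val = name.strip(), val.strip()
        if name in tags:
            raise ValueError(f"duplicate tag {name!r}")
        # base64 values may be folded, so drop any whitespace inside them
        tags[name] = re.sub(r"\s+", "", val) if name in ("b", "bh") else val
    return tags

def key_query_name(tags):
    """DNS name whose TXT record holds the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def review(tags, now=None):
    """Return findings a receiver or mail administrator would care about."""
    now = time.time() if now is None else now
    findings = []
    missing = [t for t in ("v", "a", "b", "bh", "d", "h", "s") if t not in tags]
    if missing:
        findings.append("missing required tags: " + ",".join(missing))
    if tags.get("a") == "rsa-sha1":
        findings.append("a=rsa-sha1: SHA-1 is deprecated for DKIM, use rsa-sha256")
    if "l" in tags:
        findings.append("l= set: body beyond that length is not covered by the signature")
    if "x" in tags and int(tags["x"]) < now:
        findings.append("x= is in the past: signature expired")
    if "from" not in [f.strip().lower() for f in tags.get("h", "").split(":")]:
        findings.append("h= does not cover the From header")
    return findings
```

For the sample, `key_query_name(parse_tags(SAMPLE))` gives the name to look up with a TXT query, and `review()` reports the weak algorithm, the `l=` tag and, once the `x=` time has passed, the expiry.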
Why use DKIM record for your emails?
- Stop email forging. DKIM will protect the emails that you send from your email server and stop bad actors from forging them on the way. The DKIM record provides the option to verify the emails when they arrive.
- Improve the domain’s reputation. You can provide more trust for your clients and visitors. With DKIM, there will be fewer phishing attacks that pretend to be coming from your domain, and your visitors will be safer.
- It is needed for using DMARC. DMARC is an additional security measure that uses not only DKIM but also SPF. It will improve the overall security of your email servers by providing reports and email authentication.
- DKIM is based on domain names, not on the complete emails. The DNS administrator is signing the outgoing messages, not each email user that is sending a message.
- DKIM is a self-certifying mechanism and does not require a Certification Authority (third party). That makes the process easier.
- DKIM does not modify the actual body of a message. What it does is to put additional information into the header.
Now that you know what the DKIM record is and why we need it, it is finally time to start using it. Combine the DKIM record with an SPF record and DMARC for the best result possible, and have a better chance of sending and receiving emails freely.