How can you tell if an email is authentic? First, it must be coming from the sender it claims it came from. Second, the content of the email must not have been tampered with during transmission. Initially, it was easy to verify the authenticity of an email through visual inspection, but with time, spammers and hackers' methods have become more sophisticated. For instance, email addresses, display names, and message content can now be convincingly spoofed, making it difficult for email recipients to authenticate received emails through visual inspection.
The good news is that some of these challenges can be reduced using DomainKeys Identified Mail (DKIM), a well-adopted standard used by millions of domain owners and nearly all major email receivers. But what exactly is DKIM, and why is it important?
What is DKIM?
DKIM allows email senders to attach a digital signature to each email they send, which lets recipients verify that
- the message has not been tampered with, and
- it originates from a given domain name.
DKIM uses public key cryptography to sign messages. The signer - typically the mail server that actually sends out email messages for the domain - calculates a digital signature using a private key that only the signer knows. A public key is published by the domain owner in the Domain Name System records for the domain, allowing the recipient of the email message to verify that the digital signature generated by the sender is authentic. It is computationally infeasible for anyone to generate the correct signature unless they are in possession of the private key, and it’s impossible to generate the private key if all you know is the public key.
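To make the sign-then-verify flow described above concrete, here is an added example in Go (not code from the original article or from any DKIM library) that performs the signer's and the receiver's halves of the process over a constructed message. It assumes the domain example.com, the selector sel1, a single covered From header, and uses Go's standard-library RSA rather than a full DKIM implementation.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
)

// Constructed sample message (not from the page); header name lower-cased per DKIM "relaxed" canonicalization.
const sampleFrom = "from:Alice <alice@example.com>"
const sampleBody = "Please find the report attached.\r\n"

// NewKey creates the private key that only the signing mail server holds (domain example.com, selector sel1 assumed).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// DNSRecord is the TXT value the domain owner publishes at sel1._domainkey.example.com.
func DNSRecord(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// signedHash hashes what the signature covers: the listed headers, then the DKIM-Signature header
// itself with an empty b= tag (RFC 6376). The bh= tag carries the SHA-256 hash of the body.
func signedHash(from, body string) []byte {
	bh := sha256.Sum256([]byte(body))
	dkim := "dkim-signature:v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel1; h=from; bh=" + base64.StdEncoding.EncodeToString(bh[:]) + "; b="
	h := sha256.Sum256([]byte(from + "\r\n" + dkim))
	return h[:]
}

// Sign produces the b= tag value; computationally infeasible without the private key.
func Sign(priv *rsa.PrivateKey, from, body string) (string, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, signedHash(from, body))
	return base64.StdEncoding.EncodeToString(sig), err
}

// Verify is the receiver's check: rehash the message exactly as received and test the signature
// against the public key fetched from DNS. Any change to a covered header or the body fails it.
func Verify(pub *rsa.PublicKey, from, body, b string) bool {
	sig, err := base64.StdEncoding.DecodeString(b)
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, signedHash(from, body), sig) == nil
}

func main() {
	priv, _ := NewKey()
	b, _ := Sign(priv, sampleFrom, sampleBody)
	fmt.Println("intact:", Verify(&priv.PublicKey, sampleFrom, sampleBody, b))
	fmt.Println("body altered:", Verify(&priv.PublicKey, sampleFrom, sampleBody+"Wire the funds today.\r\n", b))
}
```

A real verifier fetches the TXT record that DNSRecord produces, parses the p= tag back into a key, and canonicalizes every header named in h=; the shape of the check is the same.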
Importance of DKIM
As mentioned above, the purpose of DKIM is to verify that the party claiming to have sent an email is indeed the one that sent it. It can also be used to determine if an email was altered during transmission. DKIM provides senders with three key benefits:
Using DKIM means your email messages are less likely to be sent to the junk folder.
Inbox providers like Google and Microsoft use DKIM signatures so that they can assess the trustworthiness of domains. Domains that always send good email (and no spam) are more likely to get their messages delivered to the inbox. Without a DKIM signature, the inbox provider can’t assess whether your message came from a server that is authorized to send email for your domain, or from an imposter. With no ability to confirm the authenticity of the domain, inbox providers must instead rely on the IP address and other characteristics like message content to determine trustworthiness, increasing the likelihood that your email will be sent to the junk folder.
Using DKIM lets you receive feedback about your domain’s email so that you can improve delivery performance.
Large email receivers provide “feedback loops” that you can subscribe to in order to receive information about the email you are sending. Prior to the arrival of DKIM, feedback loops were limited to providing insights about IP addresses, such as the number of messages from an IP that a given receiver had chosen to block. With DKIM, feedback loops can provide insights about your domain - separate from the IP addresses of your mail servers. Some feedback loops only work with domains, such as the Yahoo feedback loop and the Google feedback loop.
Using DKIM lets email recipients trust your email more.
A valid DKIM signature lets the recipient know your message came from your domain name. If you use DKIM and someone receives an email message from an attacker who is spoofing your domain, their email client can show them a warning, allowing them to avoid falling victim to a phishing attack or business email compromise attack.
What DKIM Can’t Do
Although DKIM is essential, it’s not sufficient to cover all types of email spoofing attacks, nor to communicate your authentication preferences to email recipients. In addition to DKIM, you should also implement Sender Policy Framework (SPF) to authorize IP addresses to send for your domain. And you should publish a Domain-based Message Authentication, Reporting and Conformance (DMARC) record in the DNS to specify what you want email receivers to do when they receive a message that is not signed properly (or at all) with your DKIM key, or that originates from an IP address that is not authorized in your SPF record. DMARC and SPF are covered in these articles: “How to set up your SPF Records” and “DMARC with MailChannels”.
Additionally, DKIM cannot prevent someone from spoofing your organization using a so-called “lookalike” domain. For example, if your domain is “example.com”, an attacker can send messages from the similar-looking “example.net” and in that way potentially convince recipients that they’re receiving valid messages from your organization. Some vendors now sell lookalike domain protection services, but this technology is in its infancy and is not yet widely available. If your brand is important to you, you may wish to engage with an enterprise-grade domain name registrar who will also look out for lookalike domains as part of their service offering. These brand protection services can be expensive, but are really the only option for brands that have a high exposure to impersonation risk, such as banks and healthcare providers.
The Bottom Line
If your goal is to get email delivered to the inbox and to garner trust with email recipients, DKIM is a fundamental technology that you must implement for your domains. In addition to DKIM, you should also implement SPF and DMARC to complete your domain authentication framework. Additionally, it’s a good idea to sign up for domain-based feedback loops for Yahoo, Google, and others so that you can receive feedback about the email you send.