allanwallace.uk : Blog
A beginners guide to DKIM


What is DomainKeys Identified Mail? ( What is DKIM? )

DomainKeys Identified Mail - or as it is better known DKIM - was designed back in the early 2000s in order to help a domain's owner prove it's genuine emails were genuine and had not been tampered with.


What does DKIM do?

DKIM is a method for digitally signing emails so the recipient's email service can automaticaly confirm that the emails are authentic.

Much like SPF DKIM is a pretty good solution for a specific problem, and just like SPF as part of a solution to reduce the risk of your domain being abused by spoofed emails, CEO scams, Invoice Fraud etc, it has it's uses.


Remember:
"as part of a solution".


What DKIM does: (In theory)

DKIM digitally signs your outbound emails using a combination of a digital key (private key) and maths based on the data in your email, this digital signature can be checked by the recipient's email server against a digital key you publish (public key) to automatically check the email is genuine.


Notes:

• DKIM does not encrypt your email.
• DKIM on it's own does not prove your emails are genuine.
• DKIM has modest additional administrative overhead at implementation or update and additional bandwidth / resources utilisation.

In essence, that's it, that's DKIM.



How to implement DKIM:

0 - you implement SPF. You have implemented SPF right?.
(Ok, you don't NEED to implement SPF, but if you are going down the DKIM route, you probably have SPF already and you probably want DMARC too).

1 - Choose an email service provider / setup a mailserver that supports DKIM.
2 - Generate a pair of DKIM keys, one public, one private.
3 - Publish the public key in DNS.
4 - Wait for DNS propagation.
5 - Configure your email service provider / mailserver to enable DKIM and start signing your emails with the private key.
6 - Test and confirm working.

7 - Implement DMARC.
(Ok, you don't NEED to implement DMARC, but as per point 0...)



So, that's pretty much it for this beginners guide. Needless to say there are a few caveats, and you may wish to think twice about signing emails with per-user-DKIM keys or per-email-address-DKIM keys, but it can be done.
One caution with this is that per-user-DKIM keys or per-email-DKIM keys may well count as "PII Data" under GDPR.

I have configured per email address DKIM with postfix, but that is outside of the scope of this article.


Simply put, when combined with SPF and DMARC, DKIM can go a long way towards proving your emails are 100% genuine
- and faked ones from others are 100% fake.

This is only part of the solution, and is simplifying somewhat, but that is in essence what DKIM is.

Phishing is a risk. CEO fraud is a risk. Why make it easy for criminals and spammers?


Last Updated 2019/06/19 00:12 CET.

Cookie Policy
Privacy Policy
Security Policy
Terms & Conditions

© 2019 Allan Wallace