
DKIM: Understanding and Implementing This Essential Tool to Secure Your Emails

Email remains one of the most widely used communication tools in both professional and personal spheres. However, it is also a prime target for cyberattacks, particularly phishing. To safeguard your communications, implementing DKIM (DomainKeys Identified Mail) is critical.

  • What exactly is DKIM?
  • Why is it essential for your emails, and how can you set it up?

This article guides you step by step.

What is a DKIM Record?

DKIM is an email authentication method that adds a digital signature to outgoing messages. This signature ensures that the recipient can verify the email originates from the legitimate domain and has not been altered during transmission.

Think of it as leaving a fingerprint on every email. If the fingerprint doesn’t match, the recipient can assume the email might be spam or fraudulent.

For DKIM to function properly, it must be configured on two levels:

  • On the sending email server: The private key is used to sign the messages before they are sent.
  • In the domain’s DNS zone: The corresponding public key is published in the DNS zone, enabling receiving servers to verify the signature against the public key.

These two components (private and public keys) are essential for DKIM to ensure the security and authenticity of your emails.

DKIM vs. SPF

Although DKIM and SPF are both e-mail protection mechanisms, they work in very different ways.

The SPF record is used to check whether the sending server is authorized to use your domain name to send e-mails. In other words, it validates the authorization of the sending server.

The DKIM record, on the other hand, verifies the integrity of the content and the authenticity of the sending domain, ensuring that the message has not been altered in transit.

The two types of record should therefore be used together, to minimize the risk of an ill-intentioned person using your domain name to send fraudulent e-mails.


Why is DKIM Important for Businesses and Individuals?

Implementing DKIM provides several key benefits for the security and reliability of your emails.

Enhance Email Security

Cybercriminals often use spoofed emails to carry out phishing attacks or scams. By authenticating legitimate messages, DKIM prevents such malicious practices, significantly reducing the risk of your clients or partners falling victim to domain impersonation.

Improve Email Deliverability

Email providers like Astral Internet, Gmail, Outlook, and Yahoo assign better reputations to domains using DKIM. As a result, your emails are less likely to end up in spam folders. This improves deliverability and ensures your messages reach their intended recipients.

Complementarity with SPF and DMARC

DKIM is part of a trio of key technologies that form a comprehensive email authentication strategy alongside SPF and DMARC:

  • SPF: Verifies that the sending server is authorized to send emails for the domain.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): Combines SPF and DKIM results to specify policies for handling non-compliant messages. It also allows domain owners to receive reports on attempted domain spoofing.

Together, these three technologies create a triple-layer defense against phishing, spam, and impersonation attacks, strengthening the security of your communications and boosting recipients’ trust in your emails.

Compliance with Regulations

Laws like the GDPR (General Data Protection Regulation) or Canada’s Anti-Spam Legislation encourage businesses to adopt secure practices to protect user data. Implementing DKIM helps comply with these regulations by ensuring the integrity and authenticity of exchanged emails.

In summary, adopting DKIM is essential to secure your electronic communications, improve your message deliverability, and meet legal data protection obligations.


How Does DKIM Work?

DKIM relies on asymmetric cryptography, which uses a pair of keys to secure communications:

  • Private key: Used by the sending server to sign emails.
  • Public key: Published in the domain’s DNS zone and used by the recipient to verify the signature.

The principle of asymmetric cryptography is that the key used to encrypt a message cannot also decrypt it; only the other key of the pair can. This means that even though the public key is visible and accessible to anyone in the DNS zone, it cannot be used to work out the private key.

This ensures that once a message is signed, a malicious actor cannot forge that signature to impersonate the sending server. Security is thus reinforced since only the private key can sign messages, while the public key only verifies the signature without compromising the private key.

The Different Stages of the DKIM Process:

  1. DKIM signature creation: When an e-mail is sent, the sending server generates a digital signature. This signature is a hash based on the message content and headers, which is then encrypted with the domain’s private key.
  2. Publication of the public key in DNS: The domain publishes the public key as a TXT record in its DNS zone. This gives receiving servers easy access to the key for checking incoming messages.
  3. Verification by the receiving server: When the message is received, the server retrieves the public key from the DNS zone to decrypt the signature. It then compares the result with the message content. If the two match, the message is validated as authentic and unaltered.
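The three stages above, as an added example that is not part of the original article: a pure standard-library Python simulation of the DKIM sign/verify flow. The RSA key pair is a hypothetical 64-bit toy generated inline (real DKIM keys are 1024- or 2048-bit RSA), the canonicalization is a simplified stand-in for the RFC 6376 "relaxed" rules, a dict stands in for the DNS zone, and the domain example.com with selector default is a constructed assumption. The demo signs a message, verifies it against the published key, and shows that a tampered body or an unknown selector fails verification.

```python
import hashlib
import random

# Added example (not from the article): a simulation of the three DKIM stages.
# ASSUMPTIONS: the RSA key pair is a 64-bit toy generated below (real DKIM keys
# are 1024- or 2048-bit RSA), the canonicalization is a simplified stand-in for
# RFC 6376 'relaxed', and a dict stands in for the DNS zone.

def is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    """Random odd number of exactly `bits` bits, retried until probably prime."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def generate_keypair(bits=64):
    """Textbook RSA: public key (n, e) goes to DNS, private key (n, d) signs."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))

def canonicalize(headers, body):
    """Simplified canonicalization: lower-case header names, collapse whitespace
    in values, drop trailing body whitespace, so harmless relay changes do not
    break the signature."""
    lines = [f"{name.lower()}:{' '.join(value.split())}" for name, value in headers]
    lines.append(body.rstrip())
    return "\r\n".join(lines).encode()

def message_digest(headers, body, n):
    """SHA-256 of the canonical form, reduced mod n only because the toy modulus
    is far smaller than a real key (a real verifier uses PKCS#1 v1.5 padding)."""
    digest = hashlib.sha256(canonicalize(headers, body)).digest()
    return int.from_bytes(digest, "big") % n

def dkim_sign(headers, body, private_key):
    """Stage 1: the sending server signs the digest with the private key."""
    n, d = private_key
    return pow(message_digest(headers, body, n), d, n)

def publish_public_key(dns, domain, selector, public_key):
    """Stage 2: publish under selector._domainkey.domain (a real TXT record holds
    v=DKIM1; k=rsa; p=<base64 DER key>; here the tuple is stored directly)."""
    dns[f"{selector}._domainkey.{domain}"] = public_key

def dkim_verify(headers, body, signature, dns, domain, selector):
    """Stage 3: the receiver fetches the key named by d= and s= and checks that
    the signature opens to the digest of the message it actually received."""
    public_key = dns.get(f"{selector}._domainkey.{domain}")
    if public_key is None:
        return False  # no record: the message cannot be validated
    n, e = public_key
    return pow(signature, e, n) == message_digest(headers, body, n)

def run_demo():
    """Returns (original verifies, tampered body verifies, unknown selector verifies)."""
    dns = {}  # constructed stand-in for the DNS zone of example.com
    public_key, private_key = generate_keypair()
    publish_public_key(dns, "example.com", "default", public_key)
    headers = [("From", "alice@example.com"), ("Subject", "Quarterly  report")]
    body = "Please find the figures attached.\r\n"
    signature = dkim_sign(headers, body, private_key)
    ok_original = dkim_verify(headers, body, signature, dns, "example.com", "default")
    tampered = body.replace("attached", "revised")
    ok_tampered = dkim_verify(headers, tampered, signature, dns, "example.com", "default")
    ok_no_record = dkim_verify(headers, body, signature, dns, "example.com", "other")
    return ok_original, ok_tampered, ok_no_record

if __name__ == "__main__":
    print(run_demo())  # (True, False, False)
```

Two design points carry over to real deployments: the verifier only ever needs the public key, so nothing secret leaves the sending server, and any change to a signed header or the body after signing changes the digest and fails verification, which is exactly the integrity guarantee the article describes.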
A Practical Example of Asymmetric Cryptography

Asymmetric cryptography is based on a pair of keys: a private key, kept secret, and a public key, accessible to all. To illustrate the concept, here’s an example you can reproduce on paper to understand how it works.

We will use the words “Astral Internet” as the message to be encrypted and apply the following rules:

  • Public key: used to encrypt the message, its value is 2.
  • Private key: used to decrypt the message, its value is ½.
  • Each letter of the alphabet is given a number: A = 1, B = 2, …, Z = 26, A = 27, B = 28, etc. (numbering is circular).
  • To encrypt: multiply the letter number by the public key.
  • To decrypt: multiply the encrypted number by the private key.

Step 1: Encrypt the Message with the Public Key

Let’s take each letter of the word “Astral Internet” and apply the public key 2:

Astral:

  • A (1 × 2) = 2 → B
  • S (19 × 2) = 38 → M (38 – 26 = 12)
  • T (20 × 2) = 40 → O (40 – 26 = 14)
  • R (18 × 2) = 36 → K (36 – 26 = 10)
  • A (1 × 2) = 2 → B
  • L (12 × 2) = 24 → X

Internet:

  • I (9 × 2) = 18 → R
  • N (14 × 2) = 28 → B (28 – 26 = 2)
  • T (20 × 2) = 40 → O (40 – 26 = 14)
  • E (5 × 2) = 10 → J
  • R (18 × 2) = 36 → K (36 – 26 = 10)
  • N (14 × 2) = 28 → B (28 – 26 = 2)
  • T (20 × 2) = 40 → O (40 – 26 = 14)

Encrypted text: BMOKBX RBOJKBO

Step 2: Decrypt the Message with the Private Key

Let’s take each letter of the text “BMOKBX RBOJKBO” and apply the private key ½:

BMOKBX:

  • B (2 × ½) = 1 → A
  • M (38 × ½) = 19 → S
  • O (40 × ½) = 20 → T
  • K (36 × ½) = 18 → R
  • B (2 × ½) = 1 → A
  • X (24 × ½) = 12 → L

RBOJKBO:

  • R (18 × ½) = 9 → I
  • B (28 × ½) = 14 → N
  • O (40 × ½) = 20 → T
  • J (10 × ½) = 5 → E
  • K (36 × ½) = 18 → R
  • B (28 × ½) = 14 → N
  • O (40 × ½) = 20 → T

Deciphered text: Astral Internet

This example shows how a public and private key pair can be used to securely encrypt and decrypt a message. The public key (available to all) is used to transform a message into an unreadable version, while the private key (secret) is used to retrieve the original text.


How to Set Up DKIM for Your Domain?

The complexity of configuring DKIM depends on the type of email server you use. However, for most users, the process is relatively straightforward.

Generate a DKIM Key

First of all, you need to generate an asymmetric cryptographic key. A 2048-bit RSA key is recommended for maximum compatibility with different servers.

Two methods are available to obtain an asymmetric key:

  • Use an integrated tool: If your hosting provider uses a control panel such as cPanel, SmarterMail or another, it usually offers a tool for automatically generating DKIM keys. This option is ideal for those who prefer a quick and easy solution.
  • Use server commands: For unmanaged or dedicated servers, you can use online tools or scripts to generate the private and public keys. OpenSSL is a commonly used tool for this purpose, but this method requires advanced technical skills.

Publish the Public Key in DNS

Once the key has been generated, the public key must be accessible in your domain’s DNS zone. This is essential so that receiving e-mail servers can verify the message signature. To do this:

  1. Access your DNS manager: Log in to your domain’s DNS management interface.
  2. Add a TXT record: Create a new record containing the public key details.

Example of a DKIM record:

default._domainkey.yourdomain.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BA..."

  • default is the selector. It may vary according to your configuration.
  • v=DKIM1 indicates the DKIM version.
  • k=rsa specifies the key type (the algorithm used to sign).
  • p=… contains the public key encoded in Base64.

Activate DKIM on the Sending Server

Next, you need to configure your sending server with the private key. If set up correctly, the server will add a DKIM-Signature header to every e-mail sent, computed with your private key and naming your selector.

With most online hosts, this step is automated, so you don’t have to worry about it. However, if you use your own sending servers such as Postfix, Exim, MailEnable, etc., you’ll need to modify their configuration so that they sign outgoing e-mails.

Test the Configuration

Finally, it’s crucial to check that your DKIM configuration is working properly.

To test:

  • Use online tools: Sites like Mail Tester or DKIMCore allow you to check the validity of your DKIM record.
  • Send a test e-mail: Send yourself a test message and analyze the header to ensure that the DKIM signature is present.
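Added example, not part of the original article, covering both the record format shown above and the test step: it parses the DKIM-Signature header of a test message, derives the TXT name to query from its s= and d= tags, and validates the published record the way an online checker does (version, key type, base64 of p=, revoked or missing key). The header, the domain yourdomain.com, the selectors and the DNS answers are constructed samples; the p= value is the DER header every 2048-bit RSA public key begins with, followed by filler bytes, and is not a usable key.

```python
import base64
import re

# Added example (not from the article). All sample values below are constructed.

# DER prefix every 2048-bit RSA SubjectPublicKeyInfo starts with (which is why a
# real p= value begins "MIIBIjANBgkqhkiG9w0BAQEF..."); filler bytes follow, so
# this is NOT a usable key, only something that decodes like one.
_CONSTRUCTED_KEY = bytes.fromhex("30820122300d06092a864886f70d010101") + b"\x00" * 280
_CONSTRUCTED_P = base64.b64encode(_CONSTRUCTED_KEY).decode()

# Constructed DKIM-Signature header from a test message (folded over three lines,
# as it would appear in a raw message; bh= and b= are placeholders).
SAMPLE_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com;\r\n"
    " s=default; h=from:to:subject:date;\r\n"
    " bh=PLACEHOLDER_BODY_HASH=; b=PLACEHOLDER_SIGNATURE="
)

# Constructed DNS answers: name -> list of TXT strings.
SAMPLE_DNS = {
    # A TXT record over 255 bytes comes back as several strings to concatenate.
    "default._domainkey.yourdomain.com": ["v=DKIM1; k=rsa; p=" + _CONSTRUCTED_P[:200],
                                          _CONSTRUCTED_P[200:]],
    # An empty p= is how a retired selector is revoked.
    "old._domainkey.yourdomain.com": ["v=DKIM1; k=rsa; p="],
    # A copy-paste error in the DNS interface.
    "broken._domainkey.yourdomain.com": ["v=DKIM1; k=rsa; p=not*base64"],
}

def unfold_header(raw):
    """Join folded continuation lines (line break followed by whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)

def parse_tags(value):
    """Parse a 'tag=value; tag=value' list, the format shared by DKIM-Signature
    headers and DKIM DNS records. Whitespace inside a value is ignored."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        tag, val = item.split("=", 1)
        tags[tag.strip()] = "".join(val.split())
    return tags

def parse_dkim_signature(raw):
    name, _, value = unfold_header(raw).partition(":")
    if name.strip().lower() != "dkim-signature":
        raise ValueError("not a DKIM-Signature header")
    return parse_tags(value)

def dns_name_for(tags):
    """selector._domainkey.domain: the TXT name a receiving server queries."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def check_dkim_record(txt_strings):
    """Validate a published DKIM record; returns a list of problems (empty = OK)."""
    tags = parse_tags("".join(txt_strings))
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":      # v= is optional, but must be DKIM1
        problems.append("unsupported version " + tags["v"])
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unknown key type " + tags["k"])
    if "p" not in tags:
        problems.append("missing p= tag")
    elif tags["p"] == "":
        problems.append("empty p= (key revoked)")
    else:
        try:
            key_bytes = base64.b64decode(tags["p"], validate=True)
        except ValueError:                      # binascii.Error is a ValueError
            problems.append("p= is not valid base64")
        else:
            if tags.get("k", "rsa") == "rsa" and key_bytes[:1] != b"\x30":
                problems.append("p= does not look like a DER-encoded RSA public key")
    return problems

def check_test_message(raw_header, dns):
    """The check an online tester performs on a test message: read s= and d=
    from its DKIM-Signature, query selector._domainkey.domain, and validate the
    record found there. Returns (queried name, list of problems)."""
    tags = parse_dkim_signature(raw_header)
    problems = [f"DKIM-Signature missing {t}= tag"
                for t in ("v", "a", "d", "s", "h", "bh", "b") if t not in tags]
    if tags.get("v") != "1":
        problems.append("DKIM-Signature version is not 1")
    if "s" not in tags or "d" not in tags:
        return None, problems
    name = dns_name_for(tags)
    if name not in dns:
        return name, problems + [f"no TXT record at {name}"]
    return name, problems + check_dkim_record(dns[name])

if __name__ == "__main__":
    print(check_test_message(SAMPLE_HEADER, SAMPLE_DNS))
    for name, strings in SAMPLE_DNS.items():
        print(name, check_dkim_record(strings))
```

When you look at the header of your own test message, the two tags that matter for this check are s= and d=: together they name the exact TXT record the receiver will fetch, so a selector typo on either side (in the signing server or in DNS) shows up as "no TXT record", while a record that was split into several strings by your DNS provider still validates once concatenated.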

By following these steps, you can ensure the correct configuration of DKIM on your domain, reinforcing the security and reliability of your electronic communications.


Conclusion

Email authentication with DKIM is a crucial step for any organization wishing to secure its electronic communications. By combining DKIM with SPF and DMARC, you can put in place a triple defense against phishing attacks and improve your domain’s reputation with e-mail providers.

Don’t underestimate DKIM’s impact on the deliverability and security of your e-mails. Start configuring it today to protect your users and your data.

Need help? We’re here for you!

If you have any questions or are having trouble configuring DKIM, don’t worry. Our technical team is always on hand to help. Simply send us a request via a support ticket, and we’ll be delighted to help you secure your e-mails and optimize your configuration.

Protecting your communications has never been easier, with our support!

