Implementing DKIM

What is DKIM and how should you go about implementing it to secure your emails?

DKIM stands for DomainKeys Identified Mail.

It is a protocol for authenticating email, used to counter spoofing and phishing. The sending server adds a digital signature to each message, and the recipient checks it against a public key you publish in DNS. A valid signature confirms that your domain vouched for the message and that the signed headers and body were not altered in transit. On its own DKIM only tells a recipient which domain signed a message; it is the DMARC policy built on top of DKIM (and SPF) that tells recipients what to do with unsigned mail claiming to be from your domain.

Generating the Key

How you create and implement DKIM will vary depending on your email provider, so we recommend that you consult their documentation before attempting to generate a DKIM key pair. Look in your email administration panel, or contact your provider for support. Whichever route you take, use a 2048-bit RSA key (the size RFC 8301 recommends; 1024 bits is the minimum verifiers still accept), and keep the private key on the signing server only: the DNS record carries just the public half.

Adding to the DNS record

You should publish the DKIM public key (not the signature, which travels inside each message's DKIM-Signature header) as a TXT record in your DNS zone. The record is made up of

  • selector (part of the record name)

  • version

  • key type

  • public key

The key in your DNS is how recipients verify that an email is from you and has not been tampered with in transit, so make sure all the components are in place and correct. DKIM records should follow the format set out in RFC 6376.

Your DKIM record should have the record name in the following format:

[selector]._domainkey.[domain]

And the value is a semicolon-separated list of tags: v= (version), k= (key type) and p= (the base64-encoded public key). The version tag is case-sensitive and must read DKIM1 exactly.

Once applied it should look like this:

v=DKIM1; k=rsa; p=[public_key]

Note that the p= value of a 2048-bit key is longer than the 255-character limit of a single TXT string, so your DNS console will either split it automatically or require you to enter it as several quoted strings, which resolvers join back together. After publishing, confirm the record resolves (for example with dig +short TXT [selector]._domainkey.[domain]) and that the value returned matches what your provider expects.

Applying DKIM to your email

How DKIM signing is applied to your email will vary, and you should check whether the DKIM signature will be added by your email server or by your filtering service. Whichever service is applying the signature, consult its documentation for implementation guidance.

DKIM signing should be the last change made to an outbound message, and every other addition should happen before the signature is applied. If you are using scanning or filtering services on outbound email, make sure they are not configured to modify the message after the signature has been added (for example by appending a disclaimer line to the email body), because any change to the signed headers or body will break the DKIM signature and prevent recipients from verifying the email's integrity. A simple check is to send a test message to a mailbox you control and inspect its Authentication-Results header: dkim=pass shows the signature survived delivery, while dkim=fail with a body-hash mismatch usually means something was appended after signing.
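The DNS record format above and the sign-last rule, worked through in code. This is an added example, not code from the original page or from any mail provider: it uses only Go's standard library to generate a key, build and parse the [selector]._domainkey TXT record, and sign and verify a constructed message with a deliberately minimal subset of RFC 6376 (rsa-sha256, simple/simple canonicalization, single-line headers, no header folding and no l= tag). It is for illustration only and not a replacement for your mail server's DKIM module; the selector s1, the domain example.com and the sample message used in the notes below are assumed values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// NewKey makes the signing key; it stays on the mail server, only the public half goes into DNS.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // size RFC 8301 recommends

// DNSRecord builds the TXT record (RFC 6376 section 3.6): name "<selector>._domainkey.<domain>",
// value "v=DKIM1; k=rsa; p=<base64 of the DER-encoded SubjectPublicKeyInfo>".
func DNSRecord(selector, domain string, pub *rsa.PublicKey) (name, value string, err error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", "", err
	}
	return selector + "._domainkey." + domain, "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der), nil
}

// ParseDNSRecord is the verifier's side of the TXT lookup. v= is case-sensitive and must be DKIM1.
func ParseDNSRecord(value string) (*rsa.PublicKey, error) {
	tags := map[string]string{}
	for _, part := range strings.Split(value, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[kv[0]] = kv[1]
		}
	}
	if v, ok := tags["v"]; ok && v != "DKIM1" {
		return nil, fmt.Errorf("v= must be DKIM1, got %q", v)
	}
	if k, ok := tags["k"]; ok && k != "rsa" {
		return nil, fmt.Errorf("unsupported k= %q", k)
	}
	der, err := base64.StdEncoding.DecodeString(tags["p"])
	if err != nil {
		return nil, err
	}
	key, err := x509.ParsePKIXPublicKey(der)
	if pub, ok := key.(*rsa.PublicKey); ok && err == nil {
		return pub, nil
	}
	return nil, fmt.Errorf("p= is not a valid RSA key: %v", err)
}

// bodyHash is the bh= tag: SHA-256 of the body under "simple" canonicalization (one trailing CRLF).
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// headerHash covers the signed headers plus the DKIM-Signature header with an empty b= (RFC 6376 section 3.7).
func headerHash(headers []string, sigHeader string) []byte {
	sum := sha256.Sum256([]byte(strings.Join(headers, "\r\n") + "\r\n" + sigHeader))
	return sum[:]
}

// Sign returns a DKIM-Signature header (rsa-sha256, simple/simple). It must run after every other change.
func Sign(priv *rsa.PrivateKey, domain, selector string, headers []string, body string) (string, error) {
	names := make([]string, len(headers))
	for i, hdr := range headers {
		names[i] = strings.SplitN(hdr, ":", 2)[0]
	}
	unsigned := fmt.Sprintf("DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(names, ":"), bodyHash(body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerHash(headers, unsigned))
	if err != nil {
		return "", err
	}
	return unsigned + base64.StdEncoding.EncodeToString(sig), nil
}

// Verify checks bh= first, so content appended after signing is reported as a body change.
func Verify(pub *rsa.PublicKey, sigHeader string, headers []string, body string) error {
	i := strings.LastIndex(sigHeader, "; b=")
	if i < 0 {
		return fmt.Errorf("no b= tag")
	}
	sig, err := base64.StdEncoding.DecodeString(sigHeader[i+4:])
	if err != nil {
		return err
	}
	if !strings.Contains(sigHeader[:i], "bh="+bodyHash(body)) {
		return fmt.Errorf("body hash mismatch: body changed after signing")
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerHash(headers, sigHeader[:i+4]), sig)
}
```

The sequence a mail server follows is NewKey, then DNSRecord to get the name and value to publish, then Sign on each outbound message; the recipient runs ParseDNSRecord on the TXT value and Verify on the message. Signing a constructed message and then appending a disclaimer line to the body makes Verify return a body hash mismatch, which is exactly what an outbound filter that edits mail after signing causes in production; altering the From header instead keeps bh= valid but fails the RSA check. A real verifier also has to join a p= value split across several quoted TXT strings and support relaxed canonicalization and folded headers, all of which this subset leaves out.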