DKIM for dummies: Everything about DKIM


DKIM is an email authentication standard that works by attaching a digital signature to messages sent from an email account. If the signature is valid, the receiver can verify that the message really came from the stated sender and not from someone pretending to be them, for example in a phishing attack.

DKIM is one of the most important email authentication protocols. Most major email services support it (Mutant Mail enforces it), but many small businesses and home users may not be aware of its importance.

It is crucial to maintain a high level of security in an email account. If your account gets compromised and someone accesses your emails, they cannot use the information to send messages or read replies from other users.

The presence of DKIM in your email service will make it difficult for attackers to intercept and misuse messages that are being sent from your domain. Moreover, if your business has multiple domains, then it's possible to use a single DKIM key for all those mailboxes as well.

Let’s explore how this works in more detail.

DKIM: how does it work?

DKIM stands for DomainKeys Identified Mail. It is a system that allows domain owners to prove the identity of their email servers.

When a message is sent from your email account, DKIM is used to sign the contents of the message. After it has been signed, the content can be verified against a key stored on your domain, specifically in a DNS record.

DKIM verification is based on a private/public key pair. The private key of the pair sits on your sending mail server and is used to sign each outgoing email. The resulting signature is embedded in the message as a header field, and the public half of the key is used by the recipient's server to check that signature.

The value of a DKIM record in your DNS starts with v=DKIM1, followed by the p tag, which holds your public DKIM key. Because an unauthorized party cannot alter your domain's DNS record, the signature verification cannot be spoofed.

Is DKIM worth it?

DKIM is used to authenticate email messages. Sending mail servers sign their emails with DKIM keys to prove their identity and to prevent spam, spoofing and other unwanted email traffic.

Every account can have its own DKIM key, a public/private key pair that serves as its unique identifier. The private key must be kept safe and secure, because it is the only thing that can produce signatures matching the DKIM public key in your DNS record.

In general, using DKIM saves time and money for small businesses and entrepreneurs, as it protects their email and domain reputation from the harm and potential damages caused by spoofing and phishing attacks.

SMTP by itself is a very insecure protocol: any email server in the world can send emails on behalf of any domain. By using protocols like SPF, DKIM and DMARC, we can declare whether a given sending server is authorized to send emails on behalf of our domain.

How to create a DKIM record?

The first step is to generate a public and private key pair. Then configure your email sending software to use the private key of the DKIM pair so that every email is signed automatically.

Next, create a TXT record containing the public half of the DKIM key pair in your domain's DNS. Then send a test email message.

Finally, in the recipient mailbox, open the original message with its header information and look for the header field "DKIM-Signature:".

What are DKIM keys?

DKIM keys are public/private cryptographic keys. They are used to verify the authenticity of an email message.

DKIM keys can be unique for each domain name, or account, or be shared among multiple, depending on what setup you have chosen to use.

These keys are separate from the address users put on the messages they send, which is referred to as the From address, or in short, "from".

A recipient's mail server can verify an email message using the public DKIM key present in your DNS record, provided the message was signed with the matching private key on the sending mail server.

DKIM no key for signature: how to resolve?

DKIM is a system that helps verify email messages and ensure they are sent from the correct sender. It does this by ensuring email messages come from legitimate sources and have not been altered or intercepted in transit.

The DKIM protocol uses a public-private key system to accomplish these goals. One of the most important parts of DKIM is the “signature”, which consists of two components: the message header information and the public key.

When an email service receives an email with a valid signature, it can be confident the message was sent by the claimed sender.

Unfortunately, if you don't use DKIM for your domain, you may see an error message when your email server tries to send an email: "This is not a valid signature".

The prime reason for this error is that your domain does not use DKIM for its email service. If you're already using DKIM for your domain's emails, this issue can also happen when there is a temporary DNS resolution failure. Temporary DNS failures are reported as dkim=temperror alongside the "no key for signature" error.

DKIM message not signed: how to resolve?

Let’s say someone sends an email to your business that appears to be from you but is not signed with a DKIM signature. In this case, the email will be marked as “unverified” and your email service may not be able to validate the authenticity of the sender.

And as explained above, SMTP being an insecure protocol in itself allows any email server to send emails on behalf of any domain. So, if the authenticity of emails sent from your domain cannot be established, virtually anyone can spoof or impersonate your email address from their own server.

To resolve this, generate a private/public DKIM key pair. Secure access to the private key and configure your email sending server to use it automatically for every email sent. Next, publish the public key in a TXT record in your domain's DNS.

Finally, inspect the headers of an email sent from your server and check that it contains a DKIM-Signature: header.

DKIM unauthenticated mail is prohibited: what to do?

First of all, you should use DKIM in all your outgoing messages. DKIM is used to authenticate messages and makes it almost impossible to spoof or impersonate or tamper with emails sent from your domain.

If you don't have DKIM for your domain, then users can't trust that your email is authentic. If someone does manage to compromise your account and send out a message on behalf of your domain, the results can be catastrophic.

That's why some email servers have started to decline emails that are not DKIM signed. Instead of accepting the email, they send a bounce back with the error "DKIM unauthenticated mail is prohibited".

Another reason for this error is that the DKIM public key present in your DNS record has issues.

Tip: the DKIM record has to be on one line, not split across line breaks.

So, back to basics: check whether DKIM has been set up properly for both your domain and your email sending server.

Route 53 DKIM too long: how to fix it?

One of the most common mistakes that small businesses make is failing to set up DKIM on their domain.

Sometimes the DKIM keys generated by some providers are longer than 255 characters. Since the DNS protocol limits each TXT string to 255 characters, we find ourselves in a bind on services like Route 53, which reject the record with the error "DKIM too long".

The solution is fairly simple. A TXT record can hold multiple strings of up to 255 characters each, so split your DKIM value into 255-character pieces separated by a single space and insert that.

Remember: the split has to be separated by a single space, and space only.
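As an added example (not code from the original post or from Mutant Mail), here is a small Python script for the "publish the public key" step of the setup above and for the Route 53 split: it assembles the v=DKIM1 TXT value from a constructed placeholder key, cuts it into 255-character strings joined by a single space, shows what a verifier reassembles after the DNS lookup, and flags the line-break mistake mentioned earlier. The key material and record are constructed, not real.

```python
import base64
import re

MAX_STRING = 255  # DNS caps each TXT character-string at 255 octets

# Constructed placeholder key material, NOT a real RSA public key.
SAMPLE_KEY_B64 = base64.b64encode(b"constructed-placeholder-not-a-real-key" * 12).decode()

def build_dkim_record(public_key_b64: str, key_type: str = "rsa") -> str:
    """Assemble the TXT value published at <selector>._domainkey.<domain>."""
    return f"v=DKIM1; k={key_type}; p={public_key_b64}"

SAMPLE_RECORD = build_dkim_record(SAMPLE_KEY_B64)  # 626 characters, over the limit

def split_txt(value: str, limit: int = MAX_STRING) -> list:
    """Cut an over-long TXT value into pieces of at most `limit` characters."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]

def format_route53(chunks: list) -> str:
    """Quote each piece and join with exactly one space: the form Route 53 accepts."""
    return " ".join(f'"{c}"' for c in chunks)

def join_txt(record: str) -> str:
    """What a verifier sees after the DNS lookup: the strings concatenated with
    nothing (not even the space) between them."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', record))

def validate_record(value: str) -> list:
    """Return the problems a DKIM verifier would trip over in a published record."""
    problems = []
    if "\n" in value or "\r" in value:
        problems.append("record contains a line break; it must be one line")
    tags = {k.strip(): v.strip() for k, v in (t.split("=", 1) for t in value.split(";") if "=" in t)}
    if tags.get("v") != "DKIM1":
        problems.append("missing or wrong v=DKIM1")
    p = tags.get("p", "")
    if not p:
        problems.append("missing p= (public key)")
    else:
        try:
            base64.b64decode(p, validate=True)
        except ValueError:
            problems.append("p= is not valid base64")
    return problems

if __name__ == "__main__":
    print(format_route53(split_txt(SAMPLE_RECORD)))
    print(validate_record(SAMPLE_RECORD))
```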

How to set DKIM for your email?

DKIM is not a difficult protocol to set up if you have a domain that’s hosted with a reputable email hosting provider. Some providers offer the ability to automatically configure DKIM for your account.

It can also be set up manually by following the steps described earlier in this article: generate a key pair, configure your sending software to sign with the private key, and publish the public key in a TXT record in your domain's DNS.

No DKIM record found: how to fix it?

"No DKIM record found" message clearly states that your domain is missing the setup for DKIM authentication, or the DKIM has not been configured on it at all.

If you are unable to find a DKIM record for your domain, then you can create one yourself.

Simply follow the steps above for DKIM set up on your domain and you are good to go.

DKIM not authenticated: what to do?

If you don’t have DKIM enabled in your email service, you will see a ‘DKIM not authenticated’ message in the email headers.

You can set up DKIM manually if you are using a self-hosted email system. It's a two-step process: one part is a DNS entry added to your domain, and the other is enabling DKIM signing in your email sending software.

Alternatively, you could sign up for an email service that offers DKIM as one of its features. We at Mutant Mail enforce the best practice of SPF, DKIM and DMARC as part of the domain onboarding process. This is standard practice among the major established email providers across the industry. These options make it easier for small businesses and home users who want to take advantage of DKIM without the hassle of configuring and maintaining everything themselves.

DKIM without DMARC: Is it possible?

The most important part of an email authentication process is the hashing algorithm. For DKIM, this is SHA-256 combined with an RSA signature (rsa-sha256).

While DKIM ensures that the content of the email was not tampered with, DMARC specifies what action to take when authentication fails.

So, yes, it's entirely possible to use DKIM without DMARC. However, that's not something we recommend, nor something you should do.

Think of it like a cop finding out you used a forged ID, but with no law dictating what action the cop should take. Leaving the decision to the recipient's email service provider results in inconsistent behavior across different providers.

DKIM without SPF: is it possible?

DKIM is not an alternative to SPF. DKIM can be used without SPF, but in most cases it is used in conjunction with SPF.

SPF (Sender Policy Framework) is a method of verifying that the email being sent was authorized by the owner of the sending domain. This helps protect against phishing attacks.

While SPF verifies the IP address of the sending mail server, DKIM ensures the content of the email remains untampered. They complement each other.

In fact, there are genuine cases where SPF is bound to fail, such as email forwarding, where the forwarder rewrites the envelope sender (SRS) and SPF alignment fails. In that case, DKIM can be a lifesaver.

Is DKIM required: what do we think?

DKIM is important because it's a digital authentication tool that protects your brand identity. In other words, DKIM helps to prevent phishing attacks and email spoofing in which someone tries to pretend they are sending you an email from a trusted institution.

While DKIM is not required, it is paramount for all email senders. If you are an email sender, we recommend that you implement DKIM on your email server to protect against phishing and spoofing attacks.

DKIM not aligned: what does it mean?

On its own, DKIM does not tie the signature to the domain shown in the From header. A message can carry a valid DKIM signature for one domain while its visible From address claims to be from your company, so it can look as though it came from you when in reality it did not.

When DKIM alignment fails, that is, when the domain in the From header does not match the d= value in the DKIM signature, it can negatively impact deliverability, as mailbox providers may send the message to the spam folder or block it entirely.

DKIM full form: let's elaborate

DomainKeys Identified Mail (DKIM) is an email authentication standard that works by assigning a digital signature to messages sent from an email account.

In short, the DKIM system computes a hash over the email body, the Subject and optionally several more header fields, and signs it with a private RSA key. The signed hash is attached to the email as a header field and validated by the recipient mail server using the public key present in your DNS record.

If the DKIM signature is valid, the receiver can verify that the message really came from the stated sender and not from someone pretending to be them, for example in a phishing attack. This is why DKIM is important in email marketing campaigns: it helps protect your brand identity and company's reputation from spam, phishing and other illegitimate email claiming to be from your business.
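Added example, not code from the original post or from Mutant Mail: a Python check that parses a DKIM-Signature header, recomputes the bh= body hash described above using RFC 6376 "simple" body canonicalization, and tests the alignment rule from the "DKIM not aligned" section (does d= match the visible From domain, relaxed or strict). The sample message is constructed, the b= tag is a placeholder, and the RSA signature check against the DNS public key is deliberately left out.

```python
import base64
import hashlib
import re

def canon_body_simple(body: str) -> bytes:
    """RFC 6376 'simple' body canonicalization: CRLF endings, no trailing empty lines."""
    text = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while text.endswith("\r\n\r\n"):
        text = text[:-2]
    if not text.endswith("\r\n"):
        text += "\r\n"
    return text.encode()

def body_hash(body: str) -> str:
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canon_body_simple(body)).digest()).decode()

def parse_dkim_signature(header_value: str) -> dict:
    """Turn 'v=1; a=rsa-sha256; d=example.com; ...' into a tag dict (folding whitespace dropped)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def from_domain(from_header: str) -> str:
    addr = re.search(r"<([^>]+)>", from_header)  # 'Name <user@host>' or a bare address
    mailbox = addr.group(1) if addr else from_header.strip()
    return mailbox.rsplit("@", 1)[-1].lower()

def org_domain(domain: str) -> str:
    """Crude organizational domain (last two labels); real verifiers use the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])

def check_message(headers: dict, body: str, relaxed: bool = True) -> dict:
    """Recompute bh= over the body and test whether d= aligns with the From: domain."""
    sig = parse_dkim_signature(headers["DKIM-Signature"])
    d, sender = sig["d"].lower(), from_domain(headers["From"])
    aligned = org_domain(d) == org_domain(sender) if relaxed else d == sender
    return {"bh_ok": sig["bh"] == body_hash(body), "aligned": aligned, "d": d}

# Constructed sample. b= is a placeholder: checking it needs the RSA public key
# published at <s>._domainkey.<d>, which this example does not fetch from DNS.
SAMPLE_BODY = "Hello,\r\n\r\nYour invoice is attached.\r\n\r\n\r\n"
SAMPLE_HEADERS = {
    "From": "Billing <billing@mail.example.com>",
    "DKIM-Signature": ("v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel1; "
                       "h=from:subject:date; bh=" + body_hash(SAMPLE_BODY) + "; b=PLACEHOLDER"),
}
```

With relaxed alignment the subdomain mail.example.com aligns with d=example.com; with strict alignment it does not, which is the difference a DMARC policy's adkim setting controls.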

DKIM verification failed: how to fix it?

Signing an email with DKIM is a process that uses a signature algorithm to produce a digital signature embedded in the message. The signature allows recipients to verify the identity of the sender.

For this validation to work, the server must sign each email and add a DKIM-Signature header to it (often found just before or below the SPF-related headers). If the sending domain does not publish a valid DKIM public key in its DNS zone, verification will fail by default.

DKIM verification can also fail if there is a key mismatch between the private key used for signing the sent email and the public entry present in the DNS TXT record.

We at Mutant Mail have also found that one common cause of DKIM verification failure is a DNS entry whose TXT value is spread over multiple lines instead of one.

DKIM not signed: what does it mean and how to fix it?

DKIM not signed simply means that DKIM was not used to sign the message, so the DKIM-Signature header is missing from your sent email.

There are two ways to handle this:

1. Set up the DKIM system yourself, with your sending software configured to use the DKIM private signing key and the public key published in your domain's DNS.

2. Use a third-party system to send emails instead, one that enforces DKIM by default.

If you don't have a valid DKIM key yet, you should still publish SPF (Sender Policy Framework) records.

Is DKIM important in today's email world?

DKIM is an email authentication standard that works by assigning a digital signature to messages sent from an email account. A digital signature is a unique alphanumeric string (hash) that verifies the identity of the sender for every message.

The DKIM algorithm is used to verify that each email sent from an email account has been done so by the person/server who owns the account/domain, and not someone pretending to be them.

This means you can use it as a way of protecting your brand identity or company’s reputation from phishing attacks and other unauthorized accesses.