DomainKeys Identified Mail (DKIM) allows a person or organisation to claim responsibility for an email message by associating a domain name with the message.
The purpose of DKIM is to authenticate that the content of any DKIM-signed email message is not modified during the transfer between sender’s or ISP (Internet Service Provider) and receiver’s mail servers.
DKIM signatures are produced using a private key by the sender’s mail server. They’re then verified by the receiver’s mail server by fetching public key via DNS query (illustrated below).
Why use DKIM for your domain(s)?
There are two major reasons to use DKIM for your domain:
- make it harder for spammers to spoof your domain and using it for sending malicious spam or phishing campaigns
- build a reputation for your domain over time with major ISPs and ESPs (Email Service providers)
It’s important to understand what DKIM does and what it doesn’t.
Using DKIM will make sure your message hasn’t been changed during the transfer, but it doesn’t encrypt or change the contents of your message in any way.
Many ESPs use TLS (Transport Layer Security) encryption to encrypt messages as they move between sender and recipients, but it’s still possible to send unencrypted messages if an email server refuses a TLS handshake. Once a message has been delivered, the DKIM signature will remain in the email (SMTP) headers.
The approach taken by DKIM differs from previous approaches to message signing (e.g., Secure/Multipurpose Internet Mail Extensions (S/MIME) [RFC5751], OpenPGP [RFC4880]) in that:
- the message signature is written as a message header field so that neither human recipients nor existing MUA (Mail User Agent) software is confused by signature-related content appearing in the message body
- there is no dependency on public- and private-key pairs being issued by well-known, trusted certificate authorities
- there is no dependency on the deployment of any new internet protocols or services for public-key distribution or revocation
- signature verification failure does not force rejection of the message
- no attempt is made to include encryption as part of the mechanism
- message archiving is not a design goal
- is compatible with the existing email infrastructure and transparent to the fullest extent possible
- requires minimal new infrastructure
- can be implemented independently of clients in order to reduce deployment time
- can be deployed incrementally; and
- allows delegation of signing to third parties
How DKIM works
Here’s an illustration explaining the process:
DKIM uses a two-phase process, as follows:
- takes place on sender’s mail server
- contains digital signatures of headers and body of the message
- requires the private key for the authorised domain for signing
- and adds the DKIM signature as a special email header.
- takes place on receiver’s mail server
- fetches public key for sender’s domain from DNS record
- extracts the DKIM signature from the email headers
- validates the signature using the domain’s public DomainKeys
It’s important to note that failing DKIM signature validation doesn’t mean that the email message will be blocked.
Examining the DKIM code
Let’s have a deeper look at the process. If you’re only interested in the basic setup in My20i, you can skip this section!
Each email message is signed with your private key (stored securely on our mail servers).
We create hashes (encoded message digests) of both message headers and body, and then use your private key to sign the hashes. The signature itself contains everything a recipient server needs to validate the signature.
A DKIM signature header might look like:
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=20iisawesome.co.uk; s=s1; h=Message-ID:Subject:To:From:Date:Content-Type: MIME-Version:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=3zHAZOM3ZC2Xnw6cIsUoqMayPLB+3ctDAb0TU/ZVneE=; email@example.com; t=1572341960; x=1572428360; b=WkWIVcElG0eCkeAXG+eT6Tq+eAZgOvg9PL422L82/ETTsJd hnywMKnzKiVckU4d2OfKjEFhK4ctoPhubXv72iDSwJPatCRSutCFjgO4q0G/fO1YDCuOnnWlcZZxs gcVBXWIOQfVlvRFTDDyy+HMk2YdgG6SX+2O/GOGoZTdBaWZ/cs3GnNLUXu1hDmRukl0YEWbX6uvad G1kxBkLUQodeaqhxo9/Bt+GI1/LNqoPgaPM2R4K53uztI/GM9TZlfGjB31tBuAvsNEjuJyQgwh68p ZIQrU3eByl0ocdoiOIduxWn9aTTIbtNs19EwBsN2KfV3XbDW205p5Pun2FBzuVhA==;
To break this down:
= Header name.
= Version of DKIM protocol used.
= Hashing (message digest) algorithm used to generate the hashes.
= Query type used to fetch the public key.
= Canonicalisation of algorithm for headers and body.
This last element is there because some mail systems modify email messages in transit, potentially invalidating a signature.
For most Signers, mild modification of an email is immaterial to validation of the DKIM domain name’s use. The “simple” header canonicalization algorithm does not change header fields in any way.
There are two canonicalized algorithms.
simple doesn’t allow any changes, and
relaxed allows common changes to whitespace and header line wrapping. Canonicalization in the header and body can be managed individually, and uses a header/body format.
= The email domain which signs the message. It’s used to build the domain reputation regardless of the Email Service Provider you use.
= The Key Selector. It’s used as a unique identifier for the public key. As the domain could have more than one DKIM key, the selector is used to fetch the necessary public key for validation to happen.
= A colon-separated list of header field names that identify the header fields presented to the signing algorithm.
= The hash of the canonicalized body part of the message before the message headers are signed.
= Identity of the signer. This could be empty (any sender) or a particular email address (concrete sender).
This takes part in strict DKIM validation. If Strict DKIM is used then any DKIM-Signature header fields using the “i=” tag must have the same domain value on the right-hand side of the “@” in the “i=” tag and the value of the “d=” tag.
That is, the “i=” domain must not be a subdomain of “d=”. Use of Strict DKIM is recommended unless subdomaining is required.
= The Signature Timestamp – the time that this signature was created. The format is the number of seconds since 00:00:00 on January 1, 1970 in the UTC time zone.
= The Signature Expiration. Signatures may be considered invalid if the verification time at the Verifier is past the expiration date. Again, the format is the number of seconds since 00:00:00 on January 1, 1970 in the UTC time zone.
b=WkWIVcElG0eCkeAXG+eT6Tq+eAZgOvg9PL422L82/ETTsJd hnywMKnzKiVckU4d2OfKjEFhK4ctoPhubXv72iDSwJPatCRSutCFjgO4q0G/fO1YDCuOnnWlcZZxs gcVBXWIOQfVlvRFTDDyy+HMk2YdgG6SX+2O/GOGoZTdBaWZ/cs3GnNLUXu1hDmRukl0YEWbX6uvad G1kxBkLUQodeaqhxo9/Bt+GI1/LNqoPgaPM2R4K53uztI/GM9TZlfGjB31tBuAvsNEjuJyQgwh68p ZIQrU3eByl0ocdoiOIduxWn9aTTIbtNs19EwBsN2KfV3XbDW205p5Pun2FBzuVhA==;
= The signature data of all the preceding information from the DKIM-Signature field.
The DNS record which contains the public key looks like:
s1._domainkey.20iisawesome.co.uk IN TXT "v=DKIM1;k=rsa;h=sha256;g=*;n=here-be-dragons;s=email;t=s;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAos7io0sGmoEEfpLGwwUGYj5YQpV5bsGsqi2XZx8y56W+NpHQDLS5nnyUftFBf3NaOMNzmKqycaLAviFSqtp7uztXuTj8lEr0KxwP6oDNIVojka+xzpMuXzUd4fXszGSJwsJbAd7CPDW1o4DVZlz3XRze" "1BJOpbRqF44+fv14XTHDUxrjl8jhjSKa02nXSdthWtRWHXzV8qwriFeaovb682O+2Ye6jGXRfsS3IPv0ybTmqgw/uDEBBM2eJyfzkej8Xw3zOUqwvewVfQAcuLlmOML0+Rf6bfoirOoDYvPJUJYDVYVqWgOnCN7+m2lrWvIYOmq0uoLJrUJ3IQeqfnjMWwIDAQAB"
How to set up DKIM with My20i
It’s fairly simple to implement DKIM with My20i:
- Navigate to ‘DKIM Signatures’ in the control panel, as shown below
- Fill in the value of Selector for your new DKIM Signature; and
- Select ‘Add Signature’ button
You can then start building your domain reputation right away.
On the other hand, My20i provides fine-grained control over the DKIM signing process if it’s required by you.
To do this, you need to activate the advanced options by clicking on ‘Advanced Options’ link, and you’ll see this:
Here you can set up:
- Granularity / Identity = Granularity of the key.
This value MUST match the Local-part of the “i=” tag of the DKIM-Signature header field (or its default value of the empty string if “i=” is not specified). Optional, default is “*”.
Notes that might be of interest to a person. Optional, the default is empty.
- Service Type
A colon-separated list of service types to which this record applies. Verifiers for a given service type must ignore this record if the appropriate type is not listed. Currently defined service types are as follows:
* – matches all service types
email – electronic mail (not necessarily limited to SMTP).
Again, this is optional, default is “*”.
Message canonicalization. This tag informs the verifier of the type of canonicalization used to prepare the message for signing. This is also optional, but the default is “relaxed”. You can find out more info on this dkim.org.
- Expiry Time
Signature Expiration. Signatures may be considered invalid if the verification time at the verifier is past the expiration date. The recommended default is 86400 seconds (1 day).
Flags, represented as a colon-separated list of names. Optional, the default is empty.
The defined flags are as follows:
y – This domain is testing DKIM. Verifiers must not treat messages from signers in testing mode differently from unsigned email, even should the signature fail to verify. Verifiers may wish to track testing mode results to assist the signer.
s – Any DKIM-Signature header fields using the “i=” tag must have the same domain value on the right-hand side of the “@” in the “i=” tag and the value of the “d=” tag. That is, the “i=” domain must not be a subdomain of “d=”. Use of this flag is recommended unless subdomaining is required.
- Strict DKIM
Flag for signing policy. Use with caution: if you choose strict signing policy and there is any error when signing – the message will be deferred! Optional, default is not checked.
As you could have more than one DKIM key pair per domain – you have to choose which one will be used for signing. This could be done with ‘Set Default’ option:
So, to be able to sign your outgoing email you have to set a DKIM signature both as Default and Enabled.
Frequently asked questions
Why should I use DKIM signatures?
It helps you to build your domain reputation and prevent spammers using your domain for sending malicious spam.
When will my DKIM signature become active?
DKIM signing will start right after you set your signature as Default and Enabled. There is no waiting time for signature to become active.
How could I disable DKIM signing?
Just set your signature as ‘Disabled’. Your email messages will no longer be signed.
Could I use more than one signature for signing?
No, you have to use only one signature. The one which is set as ‘Default’ is used for signing.
What is the key length for DKIm signatures?
We’re using 2048 bit RSA keys.
Could I use DKIM signatures with different DNS provider?
Yes, you could. Just use DNS controls to obtain the DNS record value, as shown in the image above.
Could I use my own key/pair for DKIM signing?
We wouldn’t advise to do so, as the private key should be stored without the secret passphrase. But if you have valid reasons to do so – please contact our Support team for further instructions how to use your own key pair.
How often DKIM keys should be rotated?
DKIM keys should be rotated at least twice per year. For better security and to reduce the risk of being compromised you could use following procedure for rotating your keys:
- Pick a new selector and generate new key pair
- Set the new key as ‘Enabled’ and ‘Default’ in DKIM settings
- Please allow up to 24 hours for all DNS servers worldwide to know about your new key
- Delete your old key pair
Need to know more? Feel free to contact our Support team or add any questions/comments below.
Top photo by Chunlea Ju on Unsplash.