Learn how using DKIM (DomainKeys Identified Mail) can help prevent email spoofing.
DKIM, or DomainKeys Identified Mail, is an email authentication method that uses a digital signature to let the receiver of an email know that the message was sent and authorized by the owner of a domain.
Once the receiver determines that an email carries a valid DKIM signature, it can confirm that the signed headers and body have not been modified in transit. In most cases DKIM signatures are not visible to end users; validation is done at the server level. If DKIM is used together with DMARC and SPF, you can protect your domain against malicious emails sent from domains impersonating your brand.
Simply put, a DKIM record is a TXT record in your domain's DNS that contains the public key receiving mail servers use to verify the DKIM signature. It is published under the selector named in the signature, at selector._domainkey.yourdomain.
Since spoofing email from trusted domains is an increasingly common threat, the first step of a DKIM implementation is to check your existing DKIM record. Add a DKIM record to your DNS whenever possible to authenticate email from your domain.
Do you know who is sending email on behalf of your domain and brand? Get started with DKIM and DMARC to ensure your brand is not being exploited by cybercriminals.
A DKIM record check is a tool that tests the domain name and selector for a valid published DKIM record. Mimecast offers a free DKIM record checker that can validate DKIM records. Mimecast also offers a free SPF validator and free DMARC record checks.
Begin your DKIM and DMARC journey by first checking your DKIM record.
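As an added example (not Mimecast's checker or any code from this page), here is what a DKIM record check does, in Python using only the standard library: it builds the DNS name from the selector and domain, parses the tag=value record, and reports whether the key is present, revoked, or malformed. The DNS answers are constructed inline, and example.com, the selector names and the key bytes are placeholders; with a real resolver you would pass a function that returns the joined TXT strings for the queried name.

```python
import base64
import binascii
import re

# Constructed DNS answers standing in for a real resolver. example.com, the
# selector names and the key bytes are placeholders, not published records.
FAKE_DNS_TXT = {
    # current signing key (placeholder bytes where a DER-encoded RSA key would be)
    "sel2024._domainkey.example.com":
        "v=DKIM1; k=rsa; p=" + base64.b64encode(b"\x30" * 48).decode(),
    # key retired by rotation: an empty p= tag means "revoked" (RFC 6376 3.6.1)
    "sel2023._domainkey.example.com": "v=DKIM1; k=rsa; p=",
    # broken record: p= is not base64 (typically a copy/paste error in DNS)
    "bad._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIB*not*base64!",
    # record with the testing flag set (t=y)
    "test._domainkey.example.com":
        "v=DKIM1; t=y; p=" + base64.b64encode(b"\x30" * 48).decode(),
}


def dkim_record_name(selector: str, domain: str) -> str:
    """The DNS name a verifier queries: <selector>._domainkey.<signing domain>,
    where selector comes from the signature's s= tag and domain from its d= tag."""
    return f"{selector}._domainkey.{domain}"


def parse_tags(record: str) -> dict:
    """Split a DKIM tag=value list ('v=DKIM1; k=rsa; p=...') into a dict,
    ignoring whitespace around names and values as RFC 6376 permits."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags


def check_dkim_record(selector: str, domain: str, lookup_txt) -> dict:
    """Validate the published record the way a record checker or a receiving
    MTA would. lookup_txt(name) returns the TXT record (all of its strings
    joined) or None when nothing is published."""
    name = dkim_record_name(selector, domain)
    result = {"name": name}
    record = lookup_txt(name)
    if record is None:
        return {**result, "status": "missing", "reason": "no TXT record published"}
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":   # v= is optional, but must be DKIM1 if present
        return {**result, "status": "invalid", "reason": f"unexpected version {tags['v']!r}"}
    if "p" not in tags:
        return {**result, "status": "invalid", "reason": "p= (public key) tag is required"}
    key_b64 = re.sub(r"\s+", "", tags["p"])  # long keys are often folded across TXT strings
    if key_b64 == "":
        return {**result, "status": "revoked", "reason": "empty p= means the key was revoked"}
    try:
        key_der = base64.b64decode(key_b64, validate=True)
    except binascii.Error:
        return {**result, "status": "invalid", "reason": "p= is not valid base64"}
    return {**result, "status": "ok",
            "key_type": tags.get("k", "rsa"),                  # k= defaults to rsa
            "key_bytes": len(key_der),
            "testing": "y" in tags.get("t", "").split(":")}    # t=y: still in test mode


if __name__ == "__main__":
    for selector in ("sel2024", "sel2023", "bad", "test", "absent"):
        print(check_dkim_record(selector, "example.com", FAKE_DNS_TXT.get))
```

The distinction between "missing", "revoked" and "invalid" matters in practice: a revoked selector is the expected end state of key rotation and is harmless as long as nothing still signs with it, while a record with a malformed p= breaks authentication for every message signed under that selector.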
DomainKeys Identified Mail (DKIM) is a technique for authenticating email that allows the receiver to verify that the message was sent and authorized by the owner of a domain. The protocol uses a cryptographic signature, carried in a DKIM-Signature header added to the message, to verify that the email came from the signing domain and that the signed parts have not been changed in transit. The receiver fetches the public key published in the DKIM record in the domain's DNS and uses it to verify the signature.
While the protocol is helpful, DKIM alone is not a guaranteed way of preventing spoofing attacks. The DKIM information is not visible to a non-technical user, and DKIM by itself does not require the signing domain to match the "from" address in the email, the only information most users see, so a message can carry a valid signature from an unrelated domain while spoofing the visible sender. The private keys used to sign messages with DKIM can be stolen by attackers. And managing keys and selectors can be a time-consuming burden for email security teams.
DMARC, or Domain-based Message Authentication, Reporting and Conformance, builds on the DKIM protocol as well as the Sender Policy Framework (SPF) protocol to provide a stronger layer of defense against email spoofing. DMARC requires that the visible "from" domain align with the domain that SPF authenticated (the envelope sender) or that DKIM authenticated (the d= tag of a valid signature). In order to pass DMARC, a message needs to pass DKIM authentication and/or SPF authentication with an aligned domain. The domain owner's published DMARC policy (none, quarantine or reject) instructs receivers how emails that fail the DMARC checks should be handled.
The DMARC protocol can significantly minimize the damage attackers can cause through spoofing and phishing attacks. However, it can be time-consuming and difficult to deploy DMARC without good tools and qualified help. That's why more organizations turn to Mimecast when seeking to implement DMARC with minimal effort and delay.
Mimecast DMARC Analyzer provides the tools and resources you need to implement DMARC quickly and easily while minimizing cost, risk and effort. DMARC Analyzer serves as an expert guide, with analysis software that gets you to a published reject policy in the shortest time possible. This Mimecast solution offers full insight into your email channels to make sure legitimate email does not get blocked, and delivers alerts, reports and charts that simplify the task of monitoring performance and enforcing authentication.
DMARC Analyzer simplifies DMARC deployment with a step-by-step approach and self-service tools that enable faster movement to DMARC enforcement.
DMARC Analyzer is part of a comprehensive suite of solutions for managing and protecting business email.
The DKIM signature is generated by the sending MTA (Mail Transfer Agent). The MTA canonicalizes the message body and the selected headers, computes a hash of the body (stored in the signature's bh= tag) and then signs a hash of the selected headers, together with the DKIM-Signature header itself, using the domain's private key (the b= tag). After receiving the email, the receiver looks up the public key in DNS using the selector and domain named in the signature, recomputes the body hash from the message it received and verifies the signature over the headers with that key. If the recomputed body hash matches bh= and the signature verifies, the email receiver knows that the signed parts of the email have not been altered.
SPF is, like DKIM, an email authentication technique that works through the DNS (Domain Name System). SPF provides the ability to specify which email servers are permitted to send email on behalf of an organization's domain. Authenticating legitimate senders with SPF gives receiving systems insight into how trustworthy the origin of an email is.
The difference between SPF and DKIM is that SPF authorizes sending hosts by IP address, while DKIM enables the receiver to check that an email was indeed signed, and therefore authorized, by the owner of that domain. This is done by adding a digital DKIM signature to the email: a DKIM-Signature header whose value is a cryptographic signature over the selected headers and the body hash, produced with the domain's private key.
Authenticating legitimate sending sources with DKIM gives receiving systems information on how trustworthy the origin of an email is, and it can significantly improve the overall deliverability of an email channel.
In practice, DKIM on its own is not enough to fully protect an email channel. The email validation system DMARC is increasingly required by mailbox providers and compliance programs, as it ties SPF and DKIM to the visible From domain by validating whether a sending source has been authenticated, with an aligned domain, by either SPF or DKIM.
Furthermore, DMARC allows organizations to instruct email services like Gmail, Hotmail and others to reject all emails that are not aligned with SPF or DKIM.
Before signing, the sender decides which parts of the email the DKIM signature covers. Typically this is the body of the message and a set of headers such as From, To, Subject and Date; the covered headers are listed in the signature's h= tag. Once signed, these elements must remain unchanged in transit or the DKIM validation will fail.
The covered content is first reduced to a fixed-length hash value. Before sending the email, the signer signs that hash with the domain's private key; the result, encoded in base64, is the DKIM signature. Only the sender has access to this private key. The email is then sent with the DKIM-Signature header attached.
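As an added example that is not code from this page, the following Python (standard library only) implements the canonicalization and body-hash part of RFC 6376 relaxed mode described in the two passages above on how the signature is generated and what it covers: it canonicalizes the body and the h= headers, produces the bh= value and the exact bytes the signer would hash and sign, and checks a received body against bh=. The RSA step itself (producing and verifying b=) belongs to a cryptography library and is not shown; the sample message, domain and selector are constructed placeholders.

```python
import base64
import hashlib
import re

# Constructed sample message: placeholder addresses, domain and selector.
SAMPLE_HEADERS = [
    ("From", "Alice <alice@example.com>"),
    ("To", "bob@example.net"),
    ("Subject", "Quarterly   report"),
    ("Date", "Mon, 01 Jan 2024 12:00:00 +0000"),
]
SAMPLE_BODY = b"Hi Bob,\r\n\r\nThe numbers are attached.  \r\n\r\n\r\n"
SIGNED_FIELDS = ["From", "To", "Subject", "Date"]   # becomes the h= tag


def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4 'relaxed' body canonicalization: collapse runs of
    whitespace to one space, drop trailing whitespace on each line, drop empty
    lines at the end, and terminate a non-empty body with exactly one CRLF."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def canon_header_relaxed(name: str, value: str) -> str:
    """RFC 6376 3.4.2 'relaxed' header canonicalization: lowercase the field
    name, unfold continuation lines, collapse whitespace, trim it around ':'."""
    value = re.sub(r"\r\n[ \t]+", " ", value)          # unfold
    value = re.sub(r"[ \t]+", " ", value).strip(" ")   # collapse and trim
    return f"{name.lower()}:{value}"


def body_hash(body: bytes) -> str:
    """The bh= tag: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canon_body_relaxed(body)).digest()).decode()


def parse_tags(value: str) -> dict:
    """Split a DKIM tag=value list into a dict (whitespace-tolerant)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def build_signature_header(body: bytes, domain: str, selector: str, fields) -> str:
    """DKIM-Signature value with everything except the signature filled in.
    b= is left empty: that is exactly the form that gets hashed and signed."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h={':'.join(f.lower() for f in fields)}; bh={body_hash(body)}; b=")


def signing_input(headers, dkim_value: str) -> bytes:
    """The bytes the signer hashes and signs, and the verifier reconstructs:
    each header named in h= (bottom-most occurrence, RFC 6376 5.4.2),
    canonicalized and CRLF-terminated, then the DKIM-Signature header itself
    with the b= value removed and no trailing CRLF."""
    present = {}
    for name, value in headers:        # later entries win => bottom-most wins
        present[name.lower()] = value
    out = []
    for field in parse_tags(dkim_value)["h"].split(":"):
        if field.lower() in present:   # a listed but absent header adds nothing
            out.append(canon_header_relaxed(field, present[field.lower()]) + "\r\n")
    without_b = re.sub(r"(^|[;\s])b=[^;]*", r"\1b=", dkim_value)
    out.append(canon_header_relaxed("DKIM-Signature", without_b))
    return "".join(out).encode()


def body_unmodified(received_body: bytes, dkim_value: str) -> bool:
    """Verifier-side check described in the text: recompute bh= over the
    received body and compare it with the bh= the signer recorded."""
    return body_hash(received_body) == parse_tags(dkim_value)["bh"]


if __name__ == "__main__":
    sig = build_signature_header(SAMPLE_BODY, "example.com", "sel2024", SIGNED_FIELDS)
    print("DKIM-Signature:", sig)
    print("bytes to sign:", signing_input(SAMPLE_HEADERS, sig))
    print("unaltered body:", body_unmodified(SAMPLE_BODY, sig))
    print("extra trailing blank line:", body_unmodified(SAMPLE_BODY + b"\r\n", sig))
    print("tampered body:", body_unmodified(SAMPLE_BODY.replace(b"attached", b"wired"), sig))
```

Two points the code makes that the prose does not: relaxed canonicalization is what lets a signature survive the whitespace and trailing-newline changes intermediate MTAs routinely introduce, while any change to the words themselves still breaks the bh= check; and the DKIM-Signature header is itself part of the signed data, so an attacker cannot swap in a different h= list or bh= without invalidating b=.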
A domain can publish multiple DKIM records, each under its own selector. This is required when an organization uses several different servers or services to send email on behalf of its domain name, and it is what makes DKIM key rotation possible: a new key is published under a new selector, signing is switched to it, and the old key is retired (an empty p= tag revokes it), which limits the damage if a DKIM private key is compromised.