DKIM Explained

    Learn how using DKIM (DomainKeys Identified Mail) can prevent email spoofing.

    What is DKIM?

    DKIM, or DomainKeys Identified Mail, is an email authentication method that uses a digital signature to let the receiver of an email know that the message was sent and authorized by the owner of a domain.

    Once the receiver determines that an email is signed with a valid DKIM signature, it can be confirmed that the email's content has not been modified. In most cases, DKIM signatures are not visible to end users; the validation is done at the server level. If DKIM is used together with DMARC or SPF, you can protect your domain against malicious emails sent from domains impersonating your brand.

    What is a DKIM record?

    Simply put, a DKIM record is a line of text within the DNS record that contains the public key which receiving mail servers can use to authenticate the DKIM signature.

    Since spoofing emails from trusted domains is becoming a more rampant cyber threat, it is important to first check your DKIM record to begin your DKIM implementation. It is recommended that you add a DKIM record to your DNS whenever possible to authenticate email from your domain.

    Do you know who is sending email on behalf of your domain and brand? Get started with DKIM and DMARC to ensure your brand is not being exploited by cybercriminals.

    What is a DKIM record check?

    A DKIM record check is a tool that tests the domain name and selector for a valid published DKIM record. Mimecast offers a free DKIM record checker that can validate DKIM records. Mimecast also offers a free SPF validator and free DMARC record checks.

    Begin your DKIM and DMARC journey by first checking your DKIM record.
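
    What a record check of this kind looks at, as an added example (not Mimecast's checker and not code from this page): it builds the DNS name for a domain and selector, reassembles a TXT record split into quoted chunks, and reports problems in the tags. The sample records and the placeholder key are constructed; the tag names (v, k, p, t) and the `<selector>._domainkey.<domain>` name follow RFC 6376.

```python
import base64
import binascii
import re

def dkim_query_name(selector, domain):
    """DNS name a receiver queries for the key: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}".lower().rstrip(".")

def parse_tags(txt):
    """Join quoted TXT chunks, then split the 'tag=value; tag=value' list."""
    chunks = re.findall(r'"([^"]*)"', txt)
    joined = "".join(chunks) if chunks else txt
    tags = {}
    for part in joined.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def check_record(txt):
    """Return a list of findings; an empty list means the record looks usable."""
    tags = parse_tags(txt)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":          # v= is optional, but fixed if present
        findings.append("unsupported version")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        findings.append("unknown key type")
    if "p" not in tags:
        findings.append("missing p= (public key)")
    elif tags["p"] == "":
        findings.append("key revoked (empty p=)")  # how a rotated-out key is retired
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except (binascii.Error, ValueError):
            findings.append("p= is not valid base64")
    if "y" in tags.get("t", "").split(":"):
        findings.append("testing mode (t=y)")
    return findings

# Constructed sample records; FAKE_KEY is placeholder bytes, not a real public key.
FAKE_KEY = base64.b64encode(b"constructed placeholder, not a real public key").decode()
SAMPLES = {
    "good": f'"v=DKIM1; k=rsa; " "p={FAKE_KEY[:20]}" "{FAKE_KEY[20:]}"',
    "revoked": "v=DKIM1; p=",
    "testing": f"v=DKIM1; t=y; p={FAKE_KEY}",
    "broken": "v=DKIM1; k=rsa; p=not*base64",
}
```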

    Using DKIM to prevent email spoofing

    DomainKeys Identified Mail (DKIM) is a technique for authenticating email that allows the receiver to verify that the message was sent and authorized by the owner of a domain. The protocol uses a cryptographic signature – an encrypted header added to the message – to verify that the email is authentic and that it has not been changed in transit. The receiver uses a public key found in the DKIM record in the domain's DNS to decrypt the DKIM signature and authenticate the message.

    While the protocol is helpful, DKIM alone is not a guaranteed way of preventing spoofing attacks. The DKIM information is not visible for a non-technical user and does nothing to address the possibility that the sender is spoofing the "from" address in the email – the only information that most users see. The private keys used to sign messages with DKIM can be stolen by hackers. And managing public keys can be a time-consuming burden for email security teams.

    DMARC, or Domain-based Message Authentication Reporting & Compliance, builds on the DKIM protocol as well as the Sender Policy Framework (SPF) protocol to provide a stronger layer of defense against email spoofing. DMARC ensures that the visible "from" address matches the underlying IP address to prevent spoofing. In order to pass the DMARC checks, a message needs to pass DKIM authentication and/or SPF authentication. The DMARC Analyzer app further provides instructions for how the emails that have failed the DMARC checks should be handled.

    The DMARC protocol can significantly minimize the damage attackers can cause through spoofing and/or phishing attacks. However, it can be time-consuming and difficult to deploy DMARC without superior tools and qualified help. That's why more organizations turn to Mimecast when seeking to implement DMARC with minimal effort and delay.

    Mimecast DMARC Analyzer: A faster path to authentication

    Mimecast DMARC Analyzer provides the tools and resources you need to implement DMARC quickly and easily while minimizing cost, risk and effort. DMARC Analyzer serves as an expert guide, providing analyzing software that enables the shortest time possible for publishing your reject policy. This Mimecast solution offers full insight into your email channels to make sure legitimate email does not get blocked, and delivers alerts, reports and charts that simplify the task of monitoring performance and enforcing authentication.

    With Mimecast DMARC Analyzer, you can:

    • Detect and block attackers by performing a DMARC check to determine whether email is attempting to spoof customers, employees and other parties.
    • Gain 360° visibility and governance across all email channels.
    • Implement DMARC policy on the gateway with self-service email intelligence tools.
    • Host and manage SPF records
    • Avoid the 10 SPF lookup limitation
    • Save time and money with a 100% SaaS-based solution.
    • Easy-to-use alerts, reports and charts to help achieve enforcement and monitor performance.

    DMARC Analyzer: Key features

    DMARC Analyzer simplifies DMARC deployment with a step-by-step approach and self-service tools that enable faster movement to DMARC enforcement. DMARC Analyzer offers:

    • Unlimited users, domains and domain groups, enabling administrators to ensure full coverage.
    • Setup wizard for DMARC records.
    • Forensic reports that simplify the task of identifying and tracking down the sources of malicious email.
    • Daily and weekly summary reports that allow administrators to track progress over time.
    • Tools to monitor DNS changes and receive alerts when a record is altered.
    • User-friendly aggregate reports and charts that enable easier analysis and faster time to DMARC policy enforcement.
    • Enhanced security based on two-factor authentication.
    • Validators for DMARC, SPF and DKIM records.
    • Managed services (optional) that enable organizations to minimize risk while moving to DMARC enforcement in the shortest time possible.

    More solutions from Mimecast beyond DKIM

    DMARC Analyzer is part of a comprehensive suite of solutions for managing and protecting business email.

    • Mimecast Email Security with Targeted Threat Protection. Combining innovative applications and policies with multiple detection engines and intelligence feeds, Mimecast blocks threats such as spear-phishing, zero-day attacks, malware, spam, malicious URLs and attachments, and malware-less, social engineering-based attacks that attempt to spoof an email address and impersonate trusted senders.
    • Mimecast Information Protection provides automated Content Control and Data Loss Prevention (DLP) as well as tools that enable employees to send messages and large files securely and easily.
    • Mimecast Awareness Training offers highly engaging and successful education modules that help employees avoid the behavior and human error that is typically involved in more than 90% of all security breaches.
    • Mimecast Web Security adds monitoring and security at the DNS layer to identify and block malicious web activity, prevent access to business-inappropriate websites and monitor uncontrolled usage of cloud apps that represent shadow IT risks.
    • Mimecast Brand Exploit Protect helps safeguard brands from cyber criminals by running quadrillions of scans to identify domains and sites that may be attempting to impersonate a legitimate brand.

    DKIM FAQs

    How to create/set up DKIM?

    The DKIM signature is generated by the MTA (Mail Transfer Agent). It creates a unique string of characters called a hash value. This hash value is stored in the listed domain. After receiving the email, the receiver can verify the DKIM signature using the public key registered in the DNS. It uses that key to decrypt the hash value in the header and recalculates the hash value from the email it received. If these two hash values match, the email receiver knows that the email has not been altered.

    What is the difference between DKIM and SPF?

    SPF is, just like DKIM, an email authentication technique that works through the DNS (Domain Name Service). SPF provides the ability to specify which email servers are permitted to send email on behalf of an organization's domain. Authenticating legitimate senders with SPF gives the receiver (receiving systems) insight into how trustworthy the origin of an email is.

    The difference between SPF and DKIM is that the email authentication technique DKIM enables the receiver to check that an email was indeed sent and authorized by the owner of that domain. This is done by adding a digital DKIM signature on emails. A DKIM signature is a header that is added to the message and secured with encryption.

    How does DKIM improve deliverability?

    DKIM is an email authentication technique similar to SPF. DKIM allows the receiver to check that an email was indeed sent and authorized by the owner of that domain. This is done by adding a digital DKIM signature on emails. A DKIM signature is a header that is added to a message and secured with encryption.

    Authenticating legitimate sending sources with DKIM gives the receiver (receiving systems) information on how trustworthy the origin of an email is, and it can significantly improve the overall deliverability of an email channel.

    In practice, DKIM on its own is not enough to fully protect an email channel. The email validation system DMARC is often mandatory and required for compliance as it creates a link between SPF and DKIM by validating whether a sending source has been authenticated with either SPF or DKIM.

    Furthermore, DMARC allows organizations to instruct email services like Gmail, Hotmail and others to reject all emails that are not aligned with SPF and/or DKIM.

    How do I implement DKIM to my domain?

    Before setting a DKIM signature, a sender needs to decide which elements of the email should be included in the DKIM signature. Typically, this is the body of the message and some default headers. This behaviour cannot be changed. Once decided, these elements in the DKIM signature must remain unchanged or the DKIM validation will fail.

    The elements to be signed are reduced to a unique textual string, the ‘hash value’. Before the email is sent, the hash value is encrypted with a private key; the result is the DKIM signature. Only the sender has access to this private key. The email is then sent with this DKIM signature.
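
    The hash comparison described in this answer and in the set-up answer above, as an added example that is not code from this page: the body is canonicalized as RFC 6376 defines ("simple" or "relaxed"), hashed with SHA-256, and compared with the bh= tag of the DKIM-Signature header. The message, domain, selector and b= placeholder are constructed, and the public-key check of b= over the signed headers is outside what this block covers.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, mode: str) -> bytes:
    """RFC 6376 body canonicalization ('simple' or 'relaxed')."""
    if mode == "relaxed":
        # Collapse runs of spaces/tabs and drop whitespace at line ends.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    while body.endswith(b"\r\n"):      # empty lines at the end are ignored
        body = body[:-2]
    if mode == "relaxed" and not body:
        return b""                     # relaxed: an empty body stays empty
    return body + b"\r\n"

def body_hash(body: bytes, mode: str) -> str:
    """Base64 SHA-256 of the canonicalized body, as carried in the bh= tag."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def parse_signature(value: str) -> dict:
    """Split a DKIM-Signature value into tags, dropping folding whitespace."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def body_hash_matches(sig_value: str, body: bytes) -> bool:
    """Receiver side: recompute the body hash and compare it with bh=."""
    tags = parse_signature(sig_value)
    if not tags.get("a", "").endswith("-sha256"):
        return False                   # rsa-sha1 is not handled here
    canon = tags.get("c", "simple/simple")
    mode = canon.split("/")[1] if "/" in canon else "simple"
    return tags.get("bh", "") == body_hash(body, mode)

# Constructed sample body; the header builder stands in for the sending MTA.
BODY = b"Invoice 1042 is attached.\r\nTotal due: 300 EUR\r\n"

def make_signature_header(body: bytes, mode: str) -> str:
    """Sender side: header value with a real bh= and a placeholder b=."""
    return (f"v=1; a=rsa-sha256; c=relaxed/{mode}; d=example.com; s=s1;\r\n"
            f"\th=from:to:subject; bh={body_hash(body, mode)};\r\n\tb=PLACEHOLDER")
```

    Under "relaxed" a relay that re-wraps whitespace or appends blank lines still verifies, while any change to the words fails; under "simple" even a doubled space fails.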

    Can I have multiple DKIM records?

    Multiple DKIM records on a single domain are required when an organization uses several different servers to send email on behalf of its domain name, or when it uses “DKIM key rotation” to reduce the risk of the DKIM keys being compromised.
