What is DKIM?

December 22, 2016
Mark Guntrip

Implementing email authentication technology is one of the best ways to protect your employees and customers from targeted email attacks. Earlier this month, we published a post breaking down what SPF (Sender Policy Framework) is and why it matters. This week, we turn to another email authentication protocol, DKIM (DomainKeys Identified Mail).

What Is DKIM?

DKIM (DomainKeys Identified Mail) is a protocol that allows an organization to take responsibility for transmitting a message by signing it in a way that can be verified by mailbox providers. This verification is made possible through cryptographic authentication.

How Does DKIM Work?

There are three main steps to the DKIM signing process. First, the sender identifies what fields they want to include in their DKIM signature. These fields, can include things such as the “from” address, the body and the subject as well as many others. These fields must remain unchanged in transit or DKIM authentication will fail.

Second, the sender’s email platform will create a hash of the text fields included in the DKIM signature. The following text fields, for example,

From: Jane Doe <jane.doe@proofpoint.com>
Subject: Update

will map to this hash string:

3303baf8986f910720abcfa607d81f53

Once the hashstring is generated, it is encrypted with a private key, which only the sender has access to.

Finally, after the email is sent it’s up to the email gateway or consumer mailbox provider to validate the DKIM signature. To do it, they need to find the public key that will perfectly match the private key, thereby decrypting the DKIM signature back to its original hash string.

Then, the receiver generates its own hash of the fields included in the DKIM signature and compares it with the hash string they just decrypted. If they match, we know both that the fields in the DKIM signature were not changed in transit and the signer of the email truly owns the email.

Why does DKIM matter?

DKIM helps inform receivers of email that may contain malicious or spam content. It also validates that the data included in the DKIM signature was not changed in transit. But because DKIM is more difficult to implement fewer senders have adopted it. In addition, DKIM does nothing to prevent cybercriminals from spoofing the visible parts of an email’s from field, including the email address, display name, and domain. So, like SPF, DKIM on its own is not sufficient to protect an organization from sophisticated phishing attacks.

By combining the best of both SPF and DKIM, the DMARC (Domain-based Message Authentication Reporting and Conformance) authentication standard is the only technology which can validate that the messages using a company’s header from domain is legitimate.

In the final post in this series, we’ll outline what DMARC is and how it work. If you missed our first post, “What Is SPF,” check it out here.