If you are looking for protection mechanisms for email on the Internet, you will quickly come across DKIM. This identification protocol is designed to counteract unwanted emails such as spam or phishing.

But what is this protocol all about? How does it work and how can I use it myself to make my emails more secure?

How does DKIM work?

Each email consists of different parts, the headers containing various metadata of the email and the body containing the actual content. DKIM, which stands for DomainKeys Identified Mail, adds the so-called “DomainKey Signature header” to these headers. This header contains the digital signature formed over certain fields in the email. We took a look at how exactly digital signatures work in a separate article. The sender can decide here which headers he wants to sign. In any case, the “From” header, i.e. the header containing the sender’s information, must be signed. Likewise, the content of the message is always signed.

The recipient retrieves the DNS records of the specified sender when receiving a DKIM-signed email. The sender has stored his public key here, which can be used to verify the signature. If the signature is valid, it proves that the email has not been modified and all signed headers have not been changed.

How do I sign my emails with DKIM?

The good news is that many email providers offer DKIM by default. These include Apple, GMX & Web.de, Google, Posteo, Tutanota and Yahoo. The bad news is that if an email provider does not offer DKIM, there is virtually no way to use it. If own email servers are operated, the effort of setup mainly depends on the software used for email management. Either the software supports the generation of DKIM keys out of the box or you have to use tools like EasyDMARC – DKIM Record Generator. Here you enter your domain, a self-selected name as a so-called selector and the desired key length. The tool then shows you the DNS record that must be stored.

For example, we had a DNS record generated for the domain “aware7.com” and the selector “blog”. As the tool shows us, the entry would have to be stored as a TXT record for “blog._domainkey.aware7.com”. To check if the record is correct, we can use the tool from dmaranalyzer, the DKIM Record Check.

Furthermore, a private key is issued. We definitely need to save this one! With it, we are able to generate DKIM signatures. The private key must be stored in our SMTP server or Mail Transfer Agent.

Key generation without third party

If you don’t want to use closed-source third-party tools, you can use OpenSSL, which also lets us generate keys. To do this, we use the command”openssl genrsa -out dkim_private.pem 2048” to generate a 2048-bit RSA key and store it in the file “dkim_private.pem”. Now to derive the public key we use the command”openssl rsa -in dkim_private.pem -pubout -outform of 2>/dev/null | openssl base64 -A“. We get an entry with a “p=” as the first string. In front of this string we put “v=DKIM1; ” and can now store it as a TXT record in the DNS.

Conclusion

DKIM is a very useful protocol and makes it possible to detect a change in email sender addresses. At the same time, this does not mean that DKIM will make phishing emails a thing of the past. This is because senders of phishing emails can use DKIM signatures for the emails they send, only this makes it more difficult to disguise the sender’s address. However, it is possible, for example, to register a very similar-sounding domain name, generate DKIM records for it, and use it legitimately. Nevertheless, it is another building block for better security in email traffic and should be supported, especially since the effort required to implement it is low.