Introduction
Email has become a crucial way of communication in today’s digital world. However, it is also a target for scammers and impersonators. Thus, it is essential to have methods to verify that the messages we receive are genuine and have not been tampered with. That is where DKIM (DomainKeys Identified Mail) records come into play. In this article, we will look at how DKIM records help safeguard emails against tampering.
What is DKIM?
DKIM is an email security standard designed to make sure that an email that claims to have come from a specific domain was indeed authorized by the owner of that domain.
DKIM records are special DNS (TXT or CNAME) records that provide a way to authenticate and verify the integrity of emails. By adding a DKIM record to the domain’s DNS, domain owners can demonstrate that the emails sent from their domain are legitimate and haven’t been modified during transmission.
Who needs to set up DKIM records?
DKIM records have to be set up by domain owners who want to authenticate their outgoing emails. If you own a domain and use it to send emails, setting up DKIM records is beneficial. Although not mandatory, setting up DKIM records can:
- increase email deliverability
- lower the likelihood of your emails being labelled as spam
- improve your overall email reputation
irrespective of whether you rely on email for marketing campaigns, transactional emails, or any other type of business communication.
Technical details
DKIM has its roots in cryptography. It is an email authentication method that uses public-key cryptography. [1] It involves the generation of a DKIM key pair (a private and a public key). The private key is kept secret by the sender (on their own mail server or with their ESP) and the public key is published as a DKIM record in the DNS.
Emails are verified using DKIM signature in two steps (roughly):
- When an email is sent, the sender (sender’s email server) signs it with the private key, creating a digital signature.
- The recipient’s email server retrieves the public key from the DKIM record and verifies the signature, ensuring the email’s integrity and authenticity.
The following sequence diagram explains the DKIM authentication process in more detail.
Algorithms used
The complete DKIM signing involves multiple steps that utilize different cryptographic algorithms for different purposes. From a cryptographic view point, the DKIM process usually involves 3 steps:
Hashing: the email content (or body) is hashed using a hashing algorithm to generate a fixed-size hash value. As of this writing, the DKIM standard allows the SHA-1 and SHA-256 algorithms to be used for this, though SHA-256 is preferred.
Signing: the hash value is encrypted using the sender’s private key. This creates a digital signature that is unique to the email. As of this writing, the RSA (Rivest-Shamir-Adleman) algorithm is used for key pair generation and signing.
Verification: the recipient’s email server receives an email along with its DKIM signature.
The server retrieves the public key from the sender’s DKIM record in the DNS and uses it to decrypt the signature. Successful decryption verifies the authenticity of the sender.
Upon successful decryption, the original hash value of the email’s content is revealed. Next, the server independently generates a new hash value for the received email content using the same hashing algorithm. Finally, it compares the newly generated hash value with the decrypted hash value from the signature. If both hash values match, the verification is successful, confirming the email’s (email content’s) authenticity and integrity.
Together, these processes ensure that the email hasn’t been altered in transit and that it genuinely originated from the claimed sender.
But, if a sender is allowed to use any algorithm for hashing, how does the recipient’s email server know which algorithm was used? The DKIM header contains this information. As of this writing, the two options available to specify the algorithm are rsa-sha1 and rsa-sha256, which are self-explanatory.
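The two-step sign/verify flow above and the hash, sign and verify steps described under "Algorithms used", as an added example that is not part of the original article. It uses a constructed textbook RSA key (two Mersenne primes, no PKCS#1 padding) and a hex-encoded body hash purely to make the flow visible; real DKIM signers use padded RSA with 1024- to 2048-bit keys and base64-encoded tags.

```python
import hashlib

# Constructed demo key: two Mersenne primes (2^127-1, 2^521-1). Textbook RSA with no
# padding, used only to show the DKIM flow; real signers use PKCS#1 v1.5 with 2048-bit keys.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q                            # public modulus (published via the DNS record's p= value in real DKIM)
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, kept secret by the signing mail server


def body_hash(body: str) -> str:
    """bh= tag: SHA-256 over the body after 'simple' canonicalization (hex here, base64 in real DKIM)."""
    canon = body.rstrip("\r\n") + "\r\n"
    return hashlib.sha256(canon.encode()).hexdigest()


def signature_input(headers: dict, signed: list, bh: str) -> bytes:
    """Bytes covered by b=: the h= headers in order, then the DKIM-Signature tags with b= empty."""
    lines = [f"{name}:{headers[name]}" for name in signed]
    lines.append(f"dkim-signature:v=1; a=rsa-sha256; h={':'.join(signed)}; bh={bh}; b=")
    return "\r\n".join(lines).encode()


def sign(headers: dict, body: str, signed=("from", "to", "subject")) -> dict:
    """Sender side: hash the body, hash the selected headers, sign that hash with the private key."""
    bh = body_hash(body)
    digest = int.from_bytes(hashlib.sha256(signature_input(headers, list(signed), bh)).digest(), "big")
    return {"h": list(signed), "bh": bh, "b": pow(digest, D, N)}


def verify(headers: dict, body: str, sig: dict) -> bool:
    """Recipient side: recompute both hashes and check b= against the public key (E, N)."""
    if body_hash(body) != sig["bh"]:
        return False                                   # body changed in transit
    digest = int.from_bytes(hashlib.sha256(signature_input(headers, sig["h"], sig["bh"])).digest(), "big")
    return pow(sig["b"], E, N) == digest               # RSA "decryption" of the signature reveals the hash


# Constructed sample message
HEADERS = {"from": "info@awesometech.example", "to": "abc@example.net", "subject": "Order shipped"}
BODY = "Hello,\r\nYour order has shipped.\r\n"

if __name__ == "__main__":
    sig = sign(HEADERS, BODY)
    print("genuine:", verify(HEADERS, BODY, sig))                                    # True
    print("body tampered:", verify(HEADERS, BODY + "Please pay again.\r\n", sig))     # False
    print("header tampered:", verify({**HEADERS, "subject": "Refund"}, BODY, sig))   # False
```

Any change to the body or to a header listed in h= changes the recomputed hash, so the RSA check fails even though the signature bytes themselves are untouched.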
Key length
The DKIM standard calls for using RSA keys of a minimum of 1024 bits and a maximum of 2048 bits for key pair generation and signing purposes. [2] Selecting appropriate key sizes is a trade-off between cost, performance, and risk.
In 2012, mathematician Zach Harris found a vulnerability in the short DKIM keys used by google.com. In addition to Google, he found that eBay, Yahoo, Twitter and Amazon were all using 512-bit keys. PayPal, LinkedIn, US Bank and HSBC were using 768-bit keys. Soon after his disclosure, Google and other companies started using longer keys. [3]
Additional computation
DKIM involves generating a cryptographic signature for each message sent through a mail server. This results in computational overhead that is otherwise not required for e-mail delivery.
Non-repudiability
Non-repudiability refers to the concept that one cannot deny one’s actions. DKIM provides a way to make sure that the sender of an email cannot later deny sending it. Once an email is sent with DKIM, the sender cannot easily say that it wasn’t them or that it’s a fake message. This adds an extra layer of trust and prevents the sender from disowning the email after it has been sent. A DKIM mail server generates cryptographically strong evidence attesting to the email’s authenticity, which is included in the email headers. Anyone who acquires a copy of the email can then test that cryptographic evidence.
This nature of DKIM signing has been valuable to news organizations such as Wikileaks, which used DKIM headers to confirm that leaked emails were genuine and were not tampered with.
Multiple DKIM records for a domain
It is completely logical, allowed and safe to have multiple DKIM records for one domain. This requires specifying unique DKIM selectors for the domain, where each selector points to a DKIM record.
Some scenarios which require multiple DKIM records:
- You use one ESP (Email Service Provider) or one e-mail server, and decide to use different key pairs for signing your emails. This practice can help lower the risk in case one of your keys is compromised.
- You use multiple ESPs (Email Service Providers) to send emails on behalf of a single domain. Say, you run an e-commerce website. You decide to use Convertkit to send promotional emails (discounts, offers) and Postmark to send transactional emails (order confirmation, delivery success). In this case you need to configure two DKIM records so that the signing servers of each service can locate their respective key pairs correctly. There can be an exception if both these services (Convertkit and Postmark) allow you to manually enter the private key. As of this writing, neither of these services allows the DKIM private key to be entered manually.
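How a receiving server turns the selector in a DKIM-Signature header into the DNS name it queries, and how it checks the bh= body hash, as an added example that is not part of the original article. The header, selector name "postmark", domain and message body are constructed; b= is a placeholder rather than a real signature, and only the body-hash step is checked here.

```python
import base64
import hashlib
import re


def parse_dkim_signature(header_value: str) -> dict:
    """Split the tag=value list of a DKIM-Signature header; values may be folded across lines."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def dkim_dns_name(tags: dict) -> str:
    """The TXT record the verifier looks up: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def relaxed_body(body: str) -> bytes:
    """RFC 6376 'relaxed' body canonicalization: strip trailing whitespace on each line,
    collapse runs of spaces/tabs to one space, drop trailing empty lines, end with one CRLF."""
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""


def compute_bh(body: str, algo: str = "sha256") -> str:
    """Sender side: the base64 digest that goes into the bh= tag."""
    return base64.b64encode(hashlib.new(algo, relaxed_body(body)).digest()).decode()


def body_hash_matches(tags: dict, body: str) -> bool:
    """Verifier side: pick the hash from a= (rsa-sha256 -> sha256), recompute bh=, compare."""
    algo = tags.get("a", "rsa-sha256").split("-", 1)[1]
    return compute_bh(body, algo) == tags["bh"]


# Constructed message body with untidy whitespace, and the header a signing server would attach
BODY = "Hello,\r\nYour order   has shipped.  \r\n\r\n\r\n"
SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=awesometech.example; s=postmark;\r\n"
    "\th=from:to:subject; bh=" + compute_bh(BODY) + ";\r\n"
    "\tb=PLACEHOLDER"   # not a real signature
)

if __name__ == "__main__":
    tags = parse_dkim_signature(SIGNATURE)
    print("lookup TXT at:", dkim_dns_name(tags))
    print("bh matches:", body_hash_matches(tags, BODY))
    print("reflowed whitespace:", body_hash_matches(tags, "Hello,\r\nYour order has shipped.\r\n"))
    print("changed content:", body_hash_matches(tags, "Hello,\r\nYour order has NOT shipped.\r\n"))
```

With two ESPs, each signs with its own selector, so the same domain serves postmark._domainkey and a second selector's record side by side, and the verifier always knows which one to fetch from the s= tag.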
Frequently Asked Questions (FAQs)
Does DKIM improve email deliverability?
Based on research done by Postmark, DKIM improves email delivery.
Can DKIM prevent email spoofing?
No, DKIM alone can’t prevent email spoofing. Consider an example. Say, you own the domain awesometech.com and you use info@awesometech.com to send emails. Let’s say a scammer tries to impersonate your business by sending fake emails from a similar-looking domain, like info@awes0metech.com (with a zero instead of an “o”). Let’s also assume that the attacker has set up DKIM records for the similar-looking domain. Now when the attacker sends an email to abc@gmail.com, Gmail checks and finds that DKIM signing is configured correctly for the similar-looking domain. So, it may not label it as spam.
In this case, it’s crucial for email recipients to be cautious and exercise good judgment when receiving emails. They should carefully examine email content, double-check email addresses, and be wary of any requests for sensitive information or suspicious links.
How is DKIM different from SPF?
The difference between DKIM and SPF lies in their function and purpose. DKIM uses a cryptographic key pair (public and private) to link an email to its domain and ensure a message wasn’t altered in transit.
SPF (Sender Policy Framework), on the other hand, is a DNS record that lets you define which sources (domains) are authorized to send emails on behalf of your domain.
References
- https://datatracker.ietf.org/wg/dkim/about/
- https://dkim.org/
- https://sendgrid.com/blog/2048-bit-dkim-keys/
- https://support.google.com/a/answer/11613097?hl=en
[1] Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic algorithms based on mathematical problems termed one-way functions. Security of public-key cryptography depends on keeping the private key secret; the public key can be openly distributed without compromising security. (Source: Wikipedia, "Public-key cryptography")
[3] How a Google Headhunter’s E-Mail Unraveled a Massive Net Security Hole (Wired, 2012)