Overview of DKIM
DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect email spoofing. It allows the receiver to check that an email claiming to come from a specific domain was indeed authorized by the owner of that domain. DKIM uses a digital signature, which is added to the email's header and verified by the recipient's mail server using the sender's public key.
Features and Benefits of DKIM
Email Authentication: DKIM helps verify that the email was sent by an authorized mail server, reducing the risk of email spoofing.
Integrity Check: It ensures that the email content has not been altered during transit.
Improved Deliverability: Emails signed with DKIM are less likely to be marked as spam, improving deliverability rates.
Enhanced Security: By preventing email spoofing, DKIM helps protect against phishing attacks and email fraud.
Brand Protection: It helps maintain the sender's reputation by ensuring that only legitimate emails are sent from their domain.
How DKIM Works
DKIM uses asynchronous encryption to secure emails. This means it uses a pair of keys:
A private key to create a unique signature for each outbound email, and
A public key to which is later used to verify that signature.
Creating a DKIM Signature via Private Key:
A private key resides on the mail server, and is used by the server to generate a special code (the DKIM signature) by combining each outbound email's content with the private key. The sender's email server generates a unique DKIM signature for each email.
Adding the DKIM Signature:
The generated DKIM signature is added to the email's header as a DKIM-Signature field.
Example header fields in a DKIM-signed email:
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=simple/simple; d=webnames.ca; s=mail; bh=bM4geswjXk4vOyViSCxnTzo1KW2mpVshmtFpcIqOcK0=; h=Content-Language:Content-Type:MIME-Version:Message-ID:Date:Subject:To:From; b=GwCP05tBA6Jv0Q0hsMQng/L95OsYbeLW2jREx5NYA18DY1nJy8OnV8q2ut2EFvXxkMSTextOSK WyePaViZOseux5PC/xvD/gza34Zfkj09A2ILlfpF8lE06+CLPIeYXPlUWzEzAUMyStNzDgGiDEhr4 oCccX27pNpwPr3K9MyLKrlwX1qUEDMyJgHwnTCdLyWqwEX2j0t47TPTDsk2nty+XnEUf88poQOrln dKrSwkPntZpki5Yho29LRvRKa9q6JWKMCxmCUVTY0ULCN6wegoWYQOseoSrrp7U+CPH+vxjNCojMv tTwNbd7g5wgsQp+Ule9GCQEM9fJ586KkIkBtA==
Sending the Email:
The email, now containing the DKIM signature, is sent to the recipient.
Verifying the DKIM Signature via Public Key:
The public key, published in the domain's DNS records, allows the email recipient's server to check this signature and confirm the email's authenticity and integrity. Upon receiving the email, the recipient's mail server retrieves the sender's public key from the sender's domain's DNS records.
Example TXT Record in a sender's DNS:
mail._domainkey.domain.ca. 21600 IN TXT "v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3k4A5sEyZVVCMAz7MMXS/IxX+epN0RPPVJpgSYVslzwKwQQCgaIeeemUcWUbWcxi7h6Y9rxpawpoNDd0GnSSjFj4rTtmlygTRveltRgfuEvef/P09Yoihh2XtvxTm0lcBAeLnQrZLrLc2iqRh1kBOACCnnP1c2lG4re9WJoCM2EseRTq0gYTG4CXhUsV7vJCRv0G64Dr" "lnQtgGax1KnZUocqtB4+VHExIjeGgnBmOEU6ugytYdoANCAPPwoXKvhzMkFveCCnDXO3Cw6DGU2ha5fDD5Fr9CQQAv66jMf6NxMOLSWp8948HD9R3e4Idl49YaoVqlWKqFyywQapFQX99wIDAQAB"mail._domainkey.saundry.ca. 21600 IN TXT "v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3k4A5sEyZVVCMAz7MMXS/IxX+epN0RPPVJpgSYVslzwKwQQCgaIeeemUcWUbWcxi7h6Y9rxpawpoNDd0GnSSjFj4rTtmlygTRveltRgfuEvef/P09Yoihh2XtvxTm0lcBAeLnQrZLrLc2iqRh1kBOACCnnP1c2lG4re9WJoCM2EseRTq0gYTG4CXhUsV7vJCRv0G64Dr" "lnQtgGax1KnZUocqtB4+VHExIjeGgnBmOEU6ugytYdoANCAPPwoXKvhzMkFveCCnDXO3Cw6DGU2ha5fDD5Fr9CQQAv66jMf6NxMOLSWp8948HD9R3e4Idl49YaoVqlWKqFyywQapFQX99wIDAQAB"
The server uses this public key to decrypt the DKIM signature and compares the decrypted hash with a newly generated hash of the email's content.
If the hashes match, it confirms that the email has not been altered and is indeed from the claimed sender.
This process helps ensure that the email is genuinely from the claimed sender and hasn't been tampered with.
Implementing DKIM
Webnames.ca is currently offering DKIM support upon request.
Prerequisites for DKIM
Your domain’s email must be hosted by Webnames.ca.
You must have access to your domain’s DNS settings to add a TXT record.
All legitimate emails for your domain must originate from Webnames.ca. No other platforms or email systems can be used to send emails from your domain.*
Process for enabling DKIM
Ensure that all the aforementioned prerequisites are met.
Contact Webnames support staff and make a request to have DKIM enabled on your domain, clearly specifying the domain name.
Webnames.ca will provide you with the required DKIM record details, including:
DKIM Record Name:
mail._domainkey.[yourdomain.com]DKIM Record Value: A long, encoded string for validation.
Add the DKIM record to your domain’s DNS:
If Webnames hosts your DNS, their support staff will add the record for you.
If Webnames does not host your DNS, their support team will provide you with the record details which you need to apply via your DNS provider.
Notify Webnames.ca once the record is added to your DNS. They will verify the record and enable DKIM on their mail servers.
After verification, DKIM will be enabled for your domain name.
How to Confirm DKIM is Enabled
Once the required DKIM record is added to your DNS, Webnames.ca will verify the record. Typically, the DNS record must be correctly propagated for activation. If DKIM is enabled, it confirms that your emails are authenticated, securing your domain's email traffic.
*This limitation is subject to change over time. Technically speaking, in order to allow multiple sources/platforms to all be considered legitimate sources of DKIM-signed email, each mail provider/platform must sign their outbound email using a unique selector value (e.g. "mail."), and each must have a corresponding DKIM record in the domain's DNS zone.