As technology advances, security analysts, CISOs and CIOs in reputable organizations are coming up with innovative cybersecurity solutions. Cybercriminals, meanwhile, use social engineering and email spoofing to forge emails and send spoofed messages and attachments to employees within a company.
These fraudulent emails contain malicious links that may result in malware infections. They may also redirect employees to fake landing pages that ask for their corporate credentials, which are then used to access valuable company assets and financial information.
Email authentication protocols are an indispensable addition to your workplace security policy. As your company's CISO, implementing a well-rounded email authentication program that detects spoofed emails reduces the chances of employees falling prey to social engineering attacks.
What is DKIM?
DomainKeys Identified Mail (DKIM) is a popular email authentication protocol used by many companies and organizations to detect spoofed or forged emails. It helps ensure that a spoofed email does not land in an employee's inbox. Authentication takes place between the moment an email is sent by the attacker and the moment it reaches the targeted employee's inbox.
DKIM checks whether an email that claims to come from a particular source was in fact authorized by that source. The sending domain attaches a digital signature to every outgoing message, and that signature is tied to one of the organization's authorized email domains. This allows emails to be verified before they land in the inboxes of employees and officials.
To gain deeper insight into the technicalities of DKIM and how it works, let us discuss the email authentication procedure in depth:
How Does DKIM Work?
DKIM uses a signature-based mechanism to verify the authenticity of email messages and their attachments. When a message is sent to an employee's inbox, it is signed with the sending domain's private key as it leaves the sender's email server. When it reaches the receiver's server, the signature is checked against the public key already published in the DNS. This check verifies whether the received email comes from an authentic source or has been spoofed.
The entire process has been represented in the form of a flow chart given below:
As the flow chart above illustrates, the signature that the sender's server creates with its private key is matched against the public key in the DNS by means of the DKIM signature attached to the email.
The signature is added to the email header when the message leaves the sender's email server, and it is extracted from the header when the message arrives at the employees' email server. The header carries the domain name and the DKIM selector, and these two values are used to look up the matching DNS record. The DNS returns the TXT record holding the public key to the receiving party's email server. With this public key, the receiver determines whether the signed content of the email has remained unchanged since it left the sender's server. The result of that verification then determines what action is taken, according to the established DMARC policy.
Implementation of DKIM
DKIM uses a particular format of DNS TXT record. When an email is sent from a sender's server, it is signed with the domain's private key, and the signature is then checked against the public key in the DNS TXT record. This public key is the checkpoint for the sent message: it verifies whether the email is spoofed or authentic. As new senders and providers are added over time, the DNS records grow with them; a domain can publish a DKIM record in DNS TXT for each of its sending sources, with no fixed limit on their number.
The whole procedure depends on a selector that is specified when the private and public key pair is created during DKIM setup for a particular email domain. The selector can be an arbitrary string, and it is carried in the DKIM-Signature email header as the s= tag when the email is sent.
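The signing and verification flow described in the two sections above, as an added example that is not part of the original article, written in Go with only its standard library: the sender computes the body hash and signs the From and DKIM-Signature headers with the private key, the public key is published under the selector, and the receiver locates the key by the s= and d= tags, checks the body hash and verifies the signature. The domain example.com, the selector mail2024 and the in-memory map standing in for the DNS TXT lookup of <selector>._domainkey.<domain> are constructed for this example; it covers only the From header and "simple" canonicalization, not the full header set and canonicalization rules of RFC 6376.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed stand-in for DNS: "<selector>._domainkey.<domain>" -> the public key a verifier would decode from the p= tag of that TXT record.
var dnsTXT = map[string]*rsa.PublicKey{}
// bodyHash is the bh= tag: base64(SHA-256(body)) under "simple" canonicalization (trailing blank lines collapsed to one CRLF).
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}
// headerHash covers the signed From header plus the DKIM-Signature header itself with an empty b= value.
func headerHash(from, sigHdr string) []byte {
	sum := sha256.Sum256([]byte("From: " + from + "\r\nDKIM-Signature: " + sigHdr))
	return sum[:]
}
// Sign builds the DKIM-Signature header value that the sending server adds to the message.
func Sign(priv *rsa.PrivateKey, domain, selector, from, body string) string {
	hdr := "v=1; a=rsa-sha256; c=simple/simple; d=" + domain + "; s=" + selector + "; h=from; bh=" + bodyHash(body) + "; b="
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerHash(from, hdr))
	if err != nil { panic(err) }
	return hdr + base64.StdEncoding.EncodeToString(sig)
}
// Verify is the receiving server's check: parse the tags, fetch the key named by s= and d=, compare the body hash, then verify the signature over the signed headers.
func Verify(sigHdr, from, body string) bool {
	tags := map[string]string{}
	for _, kv := range strings.Split(sigHdr, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(kv), "="); ok { tags[k] = v }
	}
	pub, ok := dnsTXT[tags["s"]+"._domainkey."+tags["d"]]
	if !ok || tags["bh"] != bodyHash(body) { return false } // unknown selector, or body altered in transit
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	unsigned := sigHdr[:strings.Index(sigHdr, " b=")+3] // the header exactly as it was signed
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerHash(from, unsigned), sig) == nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	dnsTXT["mail2024._domainkey.example.com"] = &priv.PublicKey // "publish" the key under the selector
	hdr := Sign(priv, "example.com", "mail2024", "hr@example.com", "Please review the attached policy.\r\n")
	fmt.Println(Verify(hdr, "hr@example.com", "Please review the attached policy.\r\n")) // true
	fmt.Println(Verify(hdr, "hr@example.com", "Please reset your password here.\r\n"))   // false
}
```

A body altered in transit, a changed From header, or a selector that is not published in DNS all fail verification, and that pass/fail result is what the receiver feeds into its DMARC decision.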
Difference Between SPF and DKIM
Both SPF and DKIM are email authentication protocols, but they work in different ways. Sender Policy Framework (SPF) lets the domain owner list the specific IP addresses that are authorized to send email for a particular domain. DKIM, on the other hand, uses a cryptographic key pair and a unique digital signature on the email headers so that the message can be verified against the DNS records.
SPF has its limitations: it attaches no key or signature to the email headers and works in a simple, linear way. Unlike DKIM, SPF cannot vouch for the sender's email address itself; it checks the IP address of the sending server against the DNS record that lists all authorized IP addresses. Once the authentication process completes, the email is delivered to the receiver's inbox.
For a CISO or CIO in your organization, it is always advisable to implement a combination of SPF and DKIM, tied together by a DMARC policy. This makes sure that forged or spoofed emails do not land in the inboxes of your company's employees and reduces the chances of phishing attacks. Implementing a robust DKIM email security protocol and complementing it with an SPF record strengthens the cybersecurity infrastructure of your organization. A DMARC policy consolidates the two protocols further by allowing organizations to customize their email security policy, setting it to either “none”, “quarantine” or “reject”.
Lookalike sender addresses can still be detected by noticing minor changes in the domain name. However, detecting a spoofed email whose sender address appears exactly the same as the original is impossible without AI-driven cybersecurity solutions. As a CISO, it is time to upgrade your workplace security policy and implement smart cybersecurity solutions in your organization.