DKIM: The DMARC’s Right Hand
In the previous blog of the DMARC (Domain-based Message Authentication, Reporting, and Conformance) thread, we discussed SPF (Sender Policy Framework) in brief. But as we know, implementing SPF alone is not enough to mitigate the email spoofing and phishing risk. This is why we also use DKIM (DomainKeys Identified Mail). Together, SPF and DKIM let us detect and mitigate email spoofing and spamming far more reliably than either one alone. Let us discuss DKIM in brief.
What is DKIM (DomainKeys Identified Mail)?
DomainKeys Identified Mail is an email authentication mechanism that uses a signature-based technique to validate the email. It is used to detect email phishing and email spamming. As one of the two checks DMARC builds on, it provides a way to counter phishing and other manipulation of email traffic. DKIM attaches a domain identifier and a cryptographic signature to the message so that the receiver can validate it.
How does DKIM Work?
Like SPF (Sender Policy Framework), DomainKeys Identified Mail is also used by DMARC (Domain-based Message Authentication, Reporting, and Conformance). DKIM uses a signature-based technique for validating and authenticating the email.
When an email is sent, it is signed using the private key of the sending domain. When the email reaches the receiving mail server, the signature is validated using the public key published in DNS.
Because only the sending domain holds the private key, a valid signature confirms that the email was not forged and that it came from that domain. The same check verifies the integrity of the data, ensuring that the message was not changed in transit.
Let us see this with an example:
In the figure, the sending mail server signs the email with its private key and, separately, publishes the matching public key as a DNS record for its domain.
Now, when the receiving mail server gets the email, it queries DNS for the public key to verify the email. If the key returned by DNS verifies the DKIM signature, the mail is authenticated and delivered to the inbox.
What is a DKIM Record?
DomainKeys Identified Mail uses a DNS TXT record with a special format. When an email is sent, it is signed with a private key, and the signature is validated with the public key published in DNS. This public key is stored in the DNS TXT record, which the receiving server uses to verify and validate the email.
These records are revoked and renewed according to each provider's practice. Unlike SPF, which can only register 10 records in its DNS TXT record, DKIM can store many records, one for each sending source.
A DKIM record is identified by its selector. A DKIM selector is specified when the private/public key pair is created, i.e. when DomainKeys Identified Mail is set up for the email domain (or email sender), and it can be any arbitrary string of text. The selector is inserted into the DKIM-Signature email header as the s= tag when the email is sent.
Flowchart of the DKIM Process
As we have discussed, the email is signed with the sender's private key. This signature is added to the header of the email. When the email reaches the receiving mail server, the DKIM-Signature header is extracted from the email.
This header contains the domain name, which tells the receiver which domain's DKIM record to fetch. Along with the domain name, it carries the selector, which identifies the specific public key in that domain's DNS TXT record. DNS returns this key to the receiving mail server.
This key is the public key stored in the DNS TXT record against the selector. If the public key verifies that the email's content is unchanged since it left the sender's mail server, the email is authenticated. Otherwise the check fails, and the appropriate action is taken based on the deployed DMARC policy.
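The flow above, written out as an added example in Go (not code from this blog): a simplified DKIM signer and verifier built on the standard library's RSA. The domain example.com, the selector s2024, the fixed header set (from, subject) and the plain "simple" canonicalization are assumptions made for the example; a production implementation follows RFC 6376 in full.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"strings"
)
const domain, selector = "example.com", "s2024" // constructed sample values, not a real deployment
var b64 = base64.StdEncoding
// tags parses a DKIM tag=value list such as "v=1; a=rsa-sha256; d=...; s=..." into a map.
func tags(s string) map[string]string {
	m := map[string]string{}
	for _, kv := range strings.Split(s, ";") {
		k, v, _ := strings.Cut(strings.TrimSpace(kv), "=")
		m[k] = v
	}
	return m
}
// DNSRecord returns the name and TXT record the domain owner publishes: <selector>._domainkey.<domain>, with the public key in p=.
func DNSRecord(pub *rsa.PublicKey) (name, txt string) {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return selector + "._domainkey." + domain, "v=DKIM1; k=rsa; p=" + b64.EncodeToString(der)
}
// signedData hashes what b= covers: the h= headers, then the DKIM-Signature header itself with b= empty.
func signedData(from, subject, dkim string) []byte {
	d := sha256.Sum256([]byte("from:" + from + "\r\nsubject:" + subject + "\r\ndkim-signature:" + dkim))
	return d[:]
}
// Sign is the sending server's step: hash the body into bh=, then sign the headers with the private key.
func Sign(priv *rsa.PrivateKey, from, subject, body string) string {
	bh := sha256.Sum256([]byte(body))
	hdr := "v=1; a=rsa-sha256; d=" + domain + "; s=" + selector + "; h=from:subject; bh=" + b64.EncodeToString(bh[:]) + "; b="
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, signedData(from, subject, hdr))
	return hdr + b64.EncodeToString(sig)
}
// Verify is the receiving server's step: take the key from the TXT record found via s= and d=, check the body against bh=, then check b=.
func Verify(txt, dkim, from, subject, body string) bool {
	t, rec := tags(dkim), tags(txt)
	der, _ := b64.DecodeString(rec["p"])
	key, err := x509.ParsePKIXPublicKey(der)
	pub, ok := key.(*rsa.PublicKey)
	if bh := sha256.Sum256([]byte(body)); err != nil || !ok || t["bh"] != b64.EncodeToString(bh[:]) {
		return false // unusable key, or body altered in transit
	}
	sig, _ := b64.DecodeString(t["b"])
	// Verify over the header exactly as it was when signed, i.e. with the b= value removed.
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, signedData(from, subject, strings.TrimSuffix(dkim, t["b"])), sig) == nil
}
```

A real receiver looks up the TXT record at the name DNSRecord returns instead of being handed it; everything else in Verify is the same check.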
To strengthen the security framework and mitigate email risks, it is advisable to use DKIM and SPF together. Using them together is best practice, as they jointly provide protection against email spamming and email spoofing. This was the last blog of the DMARC trio-thread. We will be covering more on the same topic in the coming blogs.