DKIM: What is it and why is it important?
It goes without saying that email authentication is very important for safe and effective communication between businesses and clients.
Internet service providers (ISPs) do their best to protect users from phishing, spoofing, and other similar attacks using the tools at their disposal. In 2020, the industry saw a huge increase in spoofing, and marketers had to embrace security best practices as ISPs began to clamp down on what they would allow into their networks.
DKIM, along with SPF and DMARC, is one of the most ubiquitous email validation methods out there.
It’s considered an internet standard by the IETF (Internet Engineering Task Force) and marketers increasingly embrace its merit in terms of solving deliverability issues.
So what is DKIM?
DomainKeys Identified Mail (DKIM) is an email authentication technique used to assure the recipient that the message hasn’t been altered in transit.
Cyber attacks such as spoofing are based on impersonating a valid sender by altering the origin of a message. While a message might seem like it’s coming from a trusted source, the attacker is actually sending an email on behalf of a legitimate address. ISPs are left with no choice but to isolate suspicious traffic to protect their users.
DKIM is often described as a digital handshake developed to signal safe traffic and it uses public-key cryptography to authenticate the sender.
Public cryptography?
You might be thinking that “public” and “cryptography” don’t belong together, and usually you'd be right. It's even more confusing given that public key cryptography refers precisely to the use of signature keys that are accessible to anyone. So what gives?
Let’s take a closer look at the elements and the verification process to grasp how public key cryptography works.
One server sends the message while the other receives it, and they need to make sure no one meddles with the message they exchange. To achieve this, a pair of keys is used: one private and one public for each server.
So, there are a total of four keys and they are used to validate the message. The public set of keys is shared between the servers and it can be openly distributed.
A sender would add the public key to the DNS records for its domain, thus enabling other (recipient) servers to verify the origin of the message.
The private DKIM key is to be kept safe and secret.
The sender signs the message with a DKIM signature included in the email header. The recipient will extract this DKIM signature and compare it against the DNS record for that domain.
If the validation shows that the message was not changed, the message is delivered. Those of you who still have questions about this encryption method (and want to learn more) would welcome the following color analogy used to explain how public key cryptography works.
DKIM is the standard
The fact that a receiver can determine who is responsible for the message is the biggest benefit of using DKIM email authentication.
Its utility in regard to email marketing doesn’t stop there, though. Web content produced for your campaign is less likely to be labeled as spam if you use DKIM when the messages go through spam filters. You see, spammers would not use DKIM to do what they do, or if they do it, they will do it incorrectly. And finally, you will be considered a reliable sender if you take the effort to implement DKIM.
Let’s take a closer look at that.
Most of the ISPs that are household names (Yahoo, AOL, Gmail, and the like) use DKIM to authenticate incoming messages. Chances are, a large majority of your client base uses these email providers to get your message. These ISPs go the extra mile to ensure their users are protected. That’s why they keep track of the sending reputation for your domain – mostly based on metrics about spam, bounces, and engagement. Adopting DKIM as an email authentication standard for your traffic will help you move in lockstep and will complement your efforts in tailoring safe and spam-free content.
So what does DKIM not do?
As you may have already guessed, DKIM authentication is not all-encompassing, hence the use of so many other tools to keep the channel safe. While it can successfully validate the source, a DKIM record is not able to guarantee that the email content is safe.
The recipient’s server (ISP) will use its own rules to decide how to process the message, unless there is an active DMARC policy that tells ISPs how to handle certain types of traffic. Sometimes DMARC is set to strict settings (usually for entities sharing credit card details), and if the message has to pass both SPF and DKIM to be delivered, then the recipient server will process it accordingly. For the record, DKIM doesn’t encrypt the content of the message. It simply creates a signature (or digital handshake, if you will) to recognize the sender.
Let’s not get ahead of ourselves though.
Everyone can try to set up their own DKIM, and if you try to do it but you don’t know how, you expose your sender reputation to unnecessary risk. Incorrect implementation of a DKIM authentication is typical for spammers.
Regardless of how legitimate your marketing business is, if you make a mistake with the DKIM record, the big ISPs will treat you like a spammer.
Whilst some email marketing providers will help do all this DKIM stuff for you, it doesn’t mean that you can forget about your DKIM signature; quite the contrary, you need to make an effort to check how they configure the whole setup.
Some will allow you to update private DKIM keys on a regular basis (for increased safety); however, there are aspects of the process that are different for each platform that offers to manage your DKIM and SPF.
What does the DKIM tag contain?
A typical DKIM-Signature header is put together in a special format, much like the DNS TXT record that publishes the public key. It consists of “tag” and “value” pairs that include data on the sender, data on the message itself and the public key location.
DKIM-Signature: v=1; a=rsa-sha256; d=example.io; s=news; c=relaxed/relaxed; q=dns/txt; t=1117574938; x=1118006938; h=from:to:subject:date:keywords:keywords; bh=PGYbTRE4Jdf0JUInVaQ2Vsd3IUYkCsD2NMK3HGsdGFA=; b=kjlGcIsGFRhVAsTOv78=F1x7GmUYsEbuSfde+oiV5zBrriuL44fhwWMog6UIOVjYfWhfetUHY6kfk
v – stands for version (and is always 1)
a – stands for the algorithm used to generate the signature (rsa-sha256 is most common and considered safest)
d – stands for the domain of the sender
bh – stands for the hash of the message body
b – stands for the digital signature of both headers and body, computed using the same hash function
These are but some of the mandatory “tag=value” pairs that make DKIM authentication possible.
Other mandatory tags would be “t” (signature timestamp), “h” (list of signed headers), and “c” (canonicalization algorithm), and they mostly concern metadata that makes it easier for the receiver to recompute and compare the hash values.
A DKIM signature can also have a number of optional tags. For example, the optional “x” tag shows the expiry date of the signature and is used to inform the receiver about the rotation cycle of signatures. If a message contains the same DKIM signature past its expiry time (x), the verification will fail.
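As an added illustration (not code from the original post), here is a small Python pass over a DKIM-Signature header of the kind a receiving server makes before it ever touches DNS: it parses the tag=value pairs, confirms the mandatory tags, honors the optional x= expiry, and recomputes bh= with the simple or relaxed body canonicalization named in c=. The message and header are constructed for the example, the b= value is a placeholder, and verifying b= against the public key in DNS is the step left out.

```python
import base64
import hashlib
import re

MANDATORY_TAGS = ("v", "a", "d", "s", "h", "bh", "b")  # required by RFC 6376

def parse_dkim_signature(header_value):
    """Split a DKIM-Signature value into a tag -> value dict (folding whitespace dropped)."""
    tags = {}
    for field in header_value.split(";"):
        if "=" in field:
            name, _, value = field.partition("=")
            tags[name.strip()] = "".join(value.split())
    return tags

def canonical_body_hash(body, canon="simple", algorithm="rsa-sha256"):
    """Compute bh=: canonicalize the body (RFC 6376 section 3.4), hash it, base64-encode."""
    lines = body.replace("\r\n", "\n").split("\n")
    if canon == "relaxed":  # collapse whitespace runs and strip trailing whitespace per line
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":  # both modes ignore trailing empty lines
        lines.pop()
    # simple mode hashes an empty body as a single CRLF, relaxed mode as the empty string
    canonical = "".join(line + "\r\n" for line in lines) or ("\r\n" if canon == "simple" else "")
    digest = hashlib.sha1 if algorithm == "rsa-sha1" else hashlib.sha256
    return base64.b64encode(digest(canonical.encode()).digest()).decode()

def check_signature(tags, body, now):
    """Return the problems found (empty list = passed); checking b= against DNS comes after."""
    problems = []
    missing = [t for t in MANDATORY_TAGS if t not in tags]
    if missing:
        problems.append("missing mandatory tags: " + ",".join(missing))
    if tags.get("v") != "1":
        problems.append("unsupported version")
    if "x" in tags and int(tags["x"]) < now:  # optional x= tag: signature has expired
        problems.append("signature expired")
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    if "bh" in tags and tags["bh"] != canonical_body_hash(body, body_canon, tags.get("a", "")):
        problems.append("body hash mismatch")
    return problems

def demo():  # constructed message: bh= is computed from the body, b= is a placeholder
    body = "Hello   Bento readers,\t \r\nSee you next week.\r\n\r\n\r\n"
    header = ("v=1; a=rsa-sha256; d=example.io; s=news; c=relaxed/relaxed; t=1117574938; x=1118006938; "
              "h=from:to:subject:date; bh=" + canonical_body_hash(body, "relaxed") + "; b=PLACEHOLDER-SIGNATURE")
    tags = parse_dkim_signature(header)
    return (check_signature(tags, body, now=1117600000),
            check_signature(tags, body + "tampered", now=1118100000))
```

Calling demo() returns an empty problem list for the intact message and both “signature expired” and “body hash mismatch” once the body is altered and the clock has passed x=.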
Those of you that aren’t as technical and encounter DKIM records for the first time should not be discouraged if this seems too complex. There are a lot of free online tools that can help you check your DKIM. Email marketing platforms also provide assistance in configuring and testing DKIM signatures, so you will easily find guidance if needed.
DKIM, SPF, and DMARC – can I skip any of these?
Each of these email validation methods has its place in ensuring safe communication. None of them is foolproof, so using all of them is standard practice. And they are all related. You simply can’t set up a DMARC policy without active DKIM and SPF. The validation protocol for DMARC (Domain-based Message Authentication, Reporting, and Conformance) is based on the results of those two checks, and for strict policies, both DKIM and SPF need to align for a message to be delivered.
SPF (Sender Policy Framework) is used to determine whether a server is allowed to send email for a domain. That is quite different from what DKIM does, which is exchanging keys to authenticate a sender.
And, truth be told, you can’t drop any of these three and expect to avoid deliverability issues for your marketing campaign.
Final thoughts
The relevance of prevalent email authentication methods is too great for you to ignore. Big servers like Yahoo, Gmail, and Outlook put a lot of trust into these techniques, so it’s best to follow suit. Methods like DKIM and SPF have become a benchmark that contributes to better deliverability, particularly if they are employed to ensure DMARC compliance.
If you are not savvy in this sphere of your profession, go for someone who knows what they are doing, but don’t understate the value of keeping up with the latest standards in the game.