Email Security – What Is DKIM And Why Should I Use It?

In the second of a series of blog posts about email security and deliverability, I set out to explain what DKIM is and why you should use it.

DKIM, or DomainKeys Identified Mail, is an email authentication method that allows your outgoing mail server to add a digital signature to each message it sends, giving the receiving mail server a way to check that mail claiming to come from your domain is genuine. Specifically, DKIM lets the receiver check that an email claiming to come from a domain was signed with a key that domain's administrator published, and that the signed parts of the message have not been altered in transit. This is achieved with public-key cryptography and, whilst that might sound very technical, it is actually a rather simple validation system that was introduced to help detect email spoofing and provide authentication of email.

DKIM uses public-key digital signatures, not encryption. A key pair is two related numbers: a private key, which only your mail server should hold, and a public key, which you publish for everyone to see. The signer computes a hash (a fixed-length fingerprint) of the message's headers and body and uses the private key to produce a signature over that hash; anyone holding the public key can check that the signature matches the message, but nobody without the private key can produce a signature that will check out. The signature hides nothing: the email itself still travels in the clear, and if the signature does not verify with your public key, the message either did not come from you or was changed along the way. It is not practically possible to work out the private key from the public key at the key sizes in use today (DKIM keys are usually 1024 or 2048 bit RSA, and 2048 bit is the recommended size), so a valid signature is strong evidence that the mail passed through a server holding your private key.

Here’s how it works:

You publish the public key in the publicly accessible Domain Name System (DNS) records for your domain, as a specially formatted TXT record at selector._domainkey.yourdomain, where the selector is a short name you choose for that particular key. If you have more than one mail server or sending system, each should have its own key pair and its own selector, so you publish one TXT record for each email system.

When you send an email, the mail system adds a DKIM-Signature header to the message. This header records the signing domain, the selector, the list of headers that were signed, a hash of the message body and the signature itself, which is created with your private key. It is not displayed to the recipient but can be seen in the full email headers (see Email headers).

The receiving mail server, seeing the DKIM-Signature header, reads the domain and selector from it and looks up the matching public key in your DNS records. It then recomputes the hashes, checks the signature against the public key and, if everything matches, has verified the authenticity of the message. Otherwise it treats the message accordingly in its spam filtering.

One of the key limitations of DKIM is that if no DKIM-Signature header is present in the mail headers, the receiving system has no reason to look for a DKIM record in the sending domain’s DNS and simply treats the message as unsigned. Thus DKIM helps to ensure genuine mail is delivered but, on its own, has little effect at preventing spoofed or spam mail from also being delivered: a forger simply sends the message without a signature. For that effect, we have to turn to DMARC records, which let you state publicly that mail from your domain should be signed and what receivers should do with mail that is not.
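The whole exchange described in the steps above, from publishing the key to the receiver's check, as an added example written for this post (it is not the original author's code and not any mail server's implementation): a miniature DKIM signer and verifier in Go. It uses real RSA-SHA256 signatures and the real TXT record layout, but simplifies the canonicalisation rules of the DKIM specification (RFC 6376) and replaces DNS with an in-memory map so that it runs offline; the domain example.com, the selector mail and the three messages are constructed for the example. The third message shows the limitation just described: with no DKIM-Signature header the verifier returns "none" and never consults DNS at all.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// Assumed names: the signing domain (d= tag) and a selector (s= tag); real deployments use one selector per sending system.
const domain, selector = "example.com", "mail"
var fakeDNS = map[string]string{} // stands in for DNS: TXT record name -> record value
// Message keeps header names lower-cased, as DKIM's relaxed canonicalisation does.
type Message struct{ Headers map[string]string; Body string }
func newMessage(from, to, subject, body string) *Message {
	return &Message{Headers: map[string]string{"from": from, "to": to, "subject": subject}, Body: body}
}
// publishKey "publishes" the "v=DKIM1; k=rsa; p=<base64 DER>" TXT record at <selector>._domainkey.<domain>.
func publishKey(sel string, pub *rsa.PublicKey) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil { panic(err) }
	fakeDNS[sel+"._domainkey."+domain] = "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}
// parseTags splits "k=v; k2=v2" (a DKIM-Signature header or a TXT record) into a map.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, f := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(f), "="); ok {
			tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return tags
}
// bodyHash normalises line endings to CRLF, drops trailing blank lines and hashes the body (the bh= tag).
func bodyHash(body string) string {
	b := strings.TrimRight(strings.ReplaceAll(body, "\r\n", "\n"), "\n") + "\n"
	sum := sha256.Sum256([]byte(strings.ReplaceAll(b, "\n", "\r\n")))
	return base64.StdEncoding.EncodeToString(sum[:])
}
// signedData is what gets hashed and signed: the h= headers in order, then the DKIM-Signature header with b= empty.
func signedData(msg *Message, hdrList []string, dkimHdr string) []byte {
	var sb strings.Builder
	for _, h := range hdrList {
		sb.WriteString(h + ":" + strings.TrimSpace(msg.Headers[h]) + "\r\n")
	}
	sb.WriteString("dkim-signature:" + dkimHdr)
	return []byte(sb.String())
}
// sign adds a DKIM-Signature header covering From, To, Subject and the body, created with the private key.
func sign(priv *rsa.PrivateKey, msg *Message) {
	hdrList := []string{"from", "to", "subject"}
	base := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(hdrList, ":"), bodyHash(msg.Body))
	digest := sha256.Sum256(signedData(msg, hdrList, base))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil { panic(err) }
	msg.Headers["dkim-signature"] = base + base64.StdEncoding.EncodeToString(sig)
}
// verify returns "none" when there is no signature, "pass" when it checks out against the published key, else "fail".
func verify(msg *Message) string {
	hdr, ok := msg.Headers["dkim-signature"]
	if !ok { return "none" } // nothing to check: the receiver does not even look up DNS
	tags := parseTags(hdr)
	rec, found := fakeDNS[tags["s"]+"._domainkey."+tags["d"]] // the receiver's DNS lookup
	der, _ := base64.StdEncoding.DecodeString(parseTags(rec)["p"])
	pubAny, err := x509.ParsePKIXPublicKey(der)
	pub, isRSA := pubAny.(*rsa.PublicKey)
	sig, sigErr := base64.StdEncoding.DecodeString(tags["b"])
	i := strings.Index(hdr, "; b=") // the header up to and including "b=" is what was signed
	if !found || err != nil || !isRSA || sigErr != nil || i < 0 || bodyHash(msg.Body) != tags["bh"] {
		return "fail"
	}
	digest := sha256.Sum256(signedData(msg, strings.Split(tags["h"], ":"), hdr[:i+4]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil { return "fail" }
	return "pass"
}
// runDemo returns the verdicts for a signed message, the same message altered in transit, and an unsigned one.
func runDemo() (signed, tampered, unsigned string) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	publishKey(selector, &priv.PublicKey)
	msg := newMessage("alice@example.com", "bob@example.org", "Invoice", "Hello Bob,\r\nInvoice attached.\r\n") // constructed
	sign(priv, msg)
	signed = verify(msg)
	msg.Body = "Hello Bob,\r\nPlease pay into a new account.\r\n" // constructed tampering after signing
	tampered = verify(msg)
	unsigned = verify(newMessage("mallory@example.com", "bob@example.org", "Hi", "No signature here.\r\n")) // constructed
	return
}
func main() {
	s, t, u := runDemo()
	fmt.Println("signed:", s, "| tampered:", t, "| unsigned:", u)
}
```

Run it with go run and you get signed: pass, tampered: fail and unsigned: none. Note what the unsigned case means in practice: the forged message from mallory@example.com is not rejected, it is merely unverified, which is exactly the gap DMARC closes. Production signers also cover headers such as Date and Message-ID and apply the full canonicalisation rules; with a 2048 bit key the p= value is longer than a single 255 character DNS string, which is why real DKIM TXT records are often published as several quoted strings.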

However, by using DKIM you allow the receiving mail system to verify that the mail is genuine, increasing the odds that the email will pass that recipient’s spam filtering system. This is what we call “increased deliverability”.

If you are a Welgo Customer or a Welgo Google for Work Customer, we will have created a DKIM record for your primary email system; however, any third party system you use to send email, such as an email marketing platform, should also have its own DKIM key and record added. If you have any questions about these records or email security in general, please call the Welgo helpline on 0131 667 0195 or raise a support request via the Welgo Support Portal.

If you are not already a Welgo Customer, please call us and one of the team will be happy to arrange an appointment to discuss how Welgo can help you with your business IT needs.