Why DKIM Only Isn’t Safe Enough

Deployment, Technical Guidance

DomainKeys Identified Mail (DKIM) is a cornerstone of email security. By attaching a cryptographic signature to each message, it lets a receiver confirm that the signed parts of the message were not altered in transit and that the domain named in the signature took responsibility for sending it.

What is DKIM?

An open standard for email authentication, DKIM publishes a domain’s public signing keys in DNS. With roots going back to 2005, DKIM is one of the two mechanisms that DMARC uses to link an email to a sending domain (the other is SPF).

To use DKIM, outbound mail servers are configured to add a DKIM-Signature header to the messages they send. You can think of this signature as a tamper-evident domain seal: it is a digital signature over the message body and a listed set of headers, not encryption, so the message stays readable but any change to the signed parts breaks the seal. The signature travels with the message and can be verified by any server on the path, most importantly the receiving server at its final destination.

How does DKIM work?

When an inbound mail server receives a message, it looks for the DKIM-Signature header and fetches the sender’s public DKIM key from DNS. The d= tag names the signing domain and the s= tag names the selector; together they give the DNS location of the key (selector._domainkey.domain). The server then recomputes the hash of the message body and compares it with the bh= tag, rebuilds the hash over the headers listed in the h= tag, and checks the b= signature against that hash with the public key. If both checks succeed, the DKIM signature is valid.
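The verification steps just described, as an added worked example (this is not code from the original page or from dmarcian): it parses the DKIM-Signature tags, derives the DNS name of the public key from s= and d=, recomputes the body hash and compares it with bh=, and rebuilds the exact header input that the b= signature covers. It implements only simple/simple canonicalization and stops short of the public-key operation over b=, because it holds no key material. The sample message, the domains attacker.example and victim.example and the selector s1 are constructed for illustration.

```python
"""Receiver-side DKIM checks that need no key material (c=simple/simple only).
Steps: parse tags, locate the key in DNS, check bh=, rebuild the signed header
input. The final public-key check of b= is deliberately left out."""
import base64
import hashlib
import re
from typing import List, Tuple

CRLF = "\r\n"


def parse_tags(header_value: str) -> dict:
    """Parse a DKIM-Signature tag=value list; folding whitespace is dropped."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def key_record_name(tags: dict) -> str:
    """DNS TXT name the verifier queries: <selector>._domainkey.<signing domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def canonical_body_simple(body: str) -> bytes:
    """'simple' body canonicalization: drop trailing empty lines and end with
    exactly one CRLF; an empty body canonicalizes to a single CRLF."""
    lines = body.split(CRLF)
    while lines and lines[-1] == "":
        lines.pop()
    return (CRLF.join(lines) + CRLF).encode() if lines else CRLF.encode()


def body_hash_b64(body: str) -> str:
    """The bh= value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canonical_body_simple(body)).digest()).decode()


def split_message(raw: str) -> Tuple[List[Tuple[str, str]], str]:
    """Split into (headers, body). Folded continuation lines stay attached to
    their header, which is what 'simple' header canonicalization expects."""
    head, _, body = raw.partition(CRLF + CRLF)
    headers: List[Tuple[str, str]] = []
    for line in head.split(CRLF):
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + CRLF + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name, value))
    return headers, body


def signed_header_input(headers, tags: dict) -> bytes:
    """Bytes the b= signature covers: each h= header verbatim (last instance
    first, walking upward for repeated names), then the DKIM-Signature header
    itself with the b= value emptied and without a trailing CRLF."""
    remaining = list(headers)
    parts = []
    for wanted in tags["h"].split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            name, value = remaining[i]
            if name.lower() == wanted.lower():
                parts.append(f"{name}:{value}{CRLF}")
                del remaining[i]
                break
    sig_name, sig_value = next(h for h in headers if h[0].lower() == "dkim-signature")
    # Blank only the b= tag's value; the lookbehind keeps "bh=" and base64
    # padding such as "Qb==" from matching.
    sig_value = re.sub(r"(?<![A-Za-z0-9+/=])b=[^;]*", "b=", sig_value)
    parts.append(f"{sig_name}:{sig_value}")
    return "".join(parts).encode()


def dkim_precheck(raw: str) -> Tuple[str, bool, str]:
    """Returns (key DNS name, whether the body hash matches bh=, hex SHA-256 of
    the signed header input that the public key would verify against b=)."""
    headers, body = split_message(raw)
    sig_value = next(v for n, v in headers if n.lower() == "dkim-signature")
    tags = parse_tags(sig_value)
    body_ok = body_hash_b64(body) == tags["bh"]
    header_digest = hashlib.sha256(signed_header_input(headers, tags)).hexdigest()
    return key_record_name(tags), body_ok, header_digest


def build_message(body: str, signing_domain: str = "attacker.example", selector: str = "s1") -> str:
    """Constructed sample (not a captured message). bh= is computed for real;
    b= is a placeholder because this example holds no private key."""
    headers = [
        "From: CEO <ceo@victim.example>",
        "To: finance@victim.example",
        "Subject: Urgent wire transfer",
        "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; "
        f"d={signing_domain}; s={selector}; h=from:to:subject; "
        f"bh={body_hash_b64(body)}; b=PLACEHOLDER",
    ]
    return CRLF.join(headers) + CRLF + CRLF + body


if __name__ == "__main__":
    msg = build_message("Please pay the attached invoice today." + CRLF)
    print(dkim_precheck(msg))                          # body hash matches
    print(dkim_precheck(msg.replace("today", "now")))  # body hash mismatch
```

Note what the sample already shows: the body hash checks out and the key would be looked up at s1._domainkey.attacker.example, so a signature made with the attacker's own key verifies fine even though the From header says victim.example. Nothing in the DKIM check itself compares d= with From.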

[Figure: How DKIM works]

Risks of Relying on DKIM Alone for Email Security

Given advanced phishing techniques, including extensive use of AI systems and criminal Phishing-as-a-Service business models, relying on DKIM alone is not enough. DKIM authenticates the integrity of a message and survives forwarding, but it does not by itself stop attackers from impersonating your domain. DKIM should be part of a broader email security strategy that uses SPF and DKIM as the foundation for DMARC.

DKIM validates integrity, not identity

DKIM proves that the message body and the signed headers (including From) were not changed after signing. But it does not prevent an attacker from producing a perfectly valid signature for a malicious email using a domain they control: the attacker puts your domain in the From header, signs with their own key under their own d= domain, and the signature still verifies.

Lack of Alignment with the visible From header

The biggest weakness of DKIM alone is that it does not require the domain that the signature validates (the d= tag) to match the domain in the user-visible From address. A signature with d=attacker.example on a message whose From header reads ceo@yourcompany.example passes DKIM on its own terms.

DKIM doesn’t control what happens to authentication failures

DKIM lets a server verify a message, but it does not tell the receiving server what to do if the check fails. A message with no DKIM signature at all may still be delivered to the inbox, and a broken signature may only slightly raise the message’s spam score. Only a DMARC policy tells the receiving server what action to take.

Why these three email authentication pillars are necessary

DKIM is not a standalone solution; it is a component of an integrated email authentication framework. For optimal phishing protection, use these controls:

  1. SPF: Validates which IP addresses are authorized to send email for your domain.
  2. DKIM: Ensures message content integrity and binds the signature to a signing domain.
  3. DMARC: Checks that the SPF or DKIM domain aligns with the From header domain, and gives the domain owner a policy (p=none, quarantine or reject) that tells receivers what to do with messages that fail.
[Figure: DMARC alignment pass]

DMARC requires that the domain validated by DKIM (the d= tag) align with the From header domain: in relaxed alignment (the default, adkim=r) the two must share the same organizational domain, and in strict alignment (adkim=s) they must be identical. SPF can satisfy alignment in the same way, using the domain it authenticated. A message passes DMARC if either aligned check passes; otherwise the p= policy applies.
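The alignment check that DKIM lacks and DMARC adds, covering both the d= versus From mismatch described above and the relaxed/strict rule here, as an added example (this is not code from the original page or from dmarcian). The scenarios, the domains and the tiny public suffix table are constructed; a real checker would consult the full Public Suffix List and the message's actual authentication results.

```python
"""DMARC identifier alignment and policy evaluation.
Inputs: the From header domain, the d= domain of every DKIM signature that
verified, the domain SPF authenticated (None if SPF failed), and the owner's
_dmarc TXT record. Alignment is the step a bare DKIM check never performs."""
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the Public Suffix List, holding only the suffixes
# the sample scenarios need. A production checker must use the full list.
PUBLIC_SUFFIXES = {"com", "example", "co.uk"}


def organizational_domain(domain: str) -> str:
    """The registrable domain: one label below the longest matching public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def aligned(from_domain: str, auth_domain: Optional[str], mode: str = "r") -> bool:
    """Relaxed (r): same organizational domain. Strict (s): exact match.
    An authentication result with no domain (failed SPF, no signature) never aligns."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=reject; adkim=s' into a tag dictionary."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_evaluate(from_domain: str, dkim_pass_domains: List[str],
                   spf_pass_domain: Optional[str], record: str) -> Tuple[str, str]:
    """Return (DMARC result, disposition the receiver should apply)."""
    policy = parse_dmarc_record(record)
    dkim_ok = any(aligned(from_domain, d, policy.get("adkim", "r")) for d in dkim_pass_domains)
    spf_ok = aligned(from_domain, spf_pass_domain, policy.get("aspf", "r"))
    if dkim_ok or spf_ok:
        return "pass", "none"
    return "fail", policy.get("p", "none")


# Constructed scenarios: (From domain, DKIM d= domains that verified, SPF domain)
RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r"
SCENARIOS = {
    # DKIM verifies (attacker signed with their own key) but d= does not align.
    "attacker signs own domain": ("victim.example", ["attacker.example"], None),
    # Legitimate mail: d= equals the From domain.
    "legitimate": ("victim.example", ["victim.example"], "victim.example"),
    # Forwarded mail: SPF breaks, but a subdomain signer still aligns in relaxed mode.
    "forwarded, subdomain signer": ("victim.example", ["mail.victim.example"], None),
    # Third-party sender that only passes SPF for its own bounce domain.
    "bulk sender, no alignment": ("victim.example", [], "bounce.esp-provider.com"),
}


def run_scenarios(record: str = RECORD) -> Dict[str, Tuple[str, str]]:
    return {name: dmarc_evaluate(*args, record) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (result, action) in run_scenarios().items():
        print(f"{name:30} dmarc={result:4} disposition={action}")
```

Run it with the default record and the first scenario fails DMARC with disposition reject even though its DKIM signature verified, which is the whole point of the section; switch the record to adkim=s and the forwarded subdomain signer fails too, which is why most deployments keep relaxed alignment unless they have a reason to tighten it.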


We’re Here to Help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul.


Want to continue the conversation? Head over to the dmarcian Forum.