Common DKIM Mistakes to Avoid for Efficient Email Authentication

threatcop
5 min readOct 25, 2021


DomainKeys Identified Mail (DKIM) is an email authentication protocol that detects whether an email was sent from a forged sender address. It allows the receiver to verify whether an email that claims to come from a specific domain was in fact authorized by that domain’s owner. It affixes a digital signature, linked to a domain name, to every outgoing email. The receiving server then verifies the signature using the sender’s public key published in the DNS. A valid DKIM signature confirms that the signed parts of the email have not been modified since the signature was affixed.


Working alongside Sender Policy Framework (SPF) and Domain-based Message Authentication Reporting and Conformance (DMARC), DKIM prevents malicious actors from spoofing your domains and sending fraudulent emails on your behalf.


Serving as the best defense against phishing and spoofing, DKIM is a boon to email security. However, there are several situations in which the DKIM check fails even though the email is legitimate. If this happens to you, some of your legitimate emails will fail to deliver, causing a lot of trouble.


To avoid such a situation, it is essential to make sure that your domain’s DKIM is configured properly. Here are some common DKIM mistakes that you should carefully avoid to ensure efficient email authentication and high email deliverability.


#1 Improper DKIM Alignment

One of the most common and troubling DKIM mistakes seen today is that the DKIM signature domain and the sender (Header From) domain do not align. For an email to pass DKIM alignment, the domain of the Header From address must match the d= value in the DKIM signature. When DKIM alignment fails, it can adversely affect deliverability: your emails may be sent to the spam folder or blocked entirely. To make sure this doesn’t happen, ensure that every email you send carries a DKIM signature whose d= domain is aligned with the Header From domain.
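The alignment check described above, as an added example that is not part of the original post: it extracts the d= tag from each DKIM-Signature header and compares it with the Header From domain, in both relaxed (same organizational domain) and strict (exact match) mode. The sample message, the `org_domain` shortcut and all function names are assumptions for this example.

```python
import email
from email.utils import parseaddr


def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (RFC 6376 s3.2); folding whitespace inside values is dropped."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels); a production check uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dkim_alignment(raw: bytes, strict: bool = False) -> dict:
    """Map each DKIM-Signature d= domain to whether it aligns with the Header From domain.

    strict=False is relaxed alignment (same organizational domain, what DMARC uses by default);
    strict=True requires the d= domain to equal the From domain exactly.
    """
    msg = email.message_from_bytes(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = {}
    for sig in msg.get_all("DKIM-Signature", []):
        d = parse_tags(sig).get("d", "").lower()
        results[d] = d == from_domain if strict else org_domain(d) == org_domain(from_domain)
    return results


# Constructed sample message: the signature values are placeholders, only the headers matter here.
SAMPLE = b"""From: Alice <alice@example.com>
To: bob@example.org
Subject: alignment check
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.example.com;
 s=sel1; h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=esp.example.net;
 s=k1; h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=

body
"""

if __name__ == "__main__":
    print("relaxed:", dkim_alignment(SAMPLE))
    print("strict: ", dkim_alignment(SAMPLE, strict=True))
```

The first signature (a subdomain of the From domain) aligns only in relaxed mode; the second, signed by a third-party sender’s own domain, never aligns and would fail DMARC on the DKIM leg.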


#2 Incorrect DKIM Public Key Record in the DNS

The DKIM public key is published as a DNS TXT record. An incorrect DKIM public key record in the DNS causes DKIM authentication of your outbound emails to fail. The public key can span several lines and consists of a long mix of numbers, special characters and both uppercase and lowercase letters, so typing the record by hand when publishing it in the DNS is error-prone. For this reason, most domain owners copy-paste the key into the configuration window. While doing this, they often inadvertently add newline characters or whitespace, or lose part of the key, which breaks the public key. If you want your emails to pass DKIM authentication smoothly, it is essential to make sure that your DKIM public key is published correctly in the DNS.
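A sanity check for a published selector record, added here as an example and not part of the original post: it joins the TXT strings the way a verifier does, parses the tag list, and flags the paste errors the text describes (stray whitespace or newlines inside p=, invalid base64, a truncated key whose DER length no longer matches). The sample key is a constructed DER header with filler bytes, not a real RSA key, and all names are assumptions.

```python
import base64
import re


def parse_tags(record: str) -> dict:
    """Split a DKIM tag=value list (RFC 6376 s3.2) without altering values, so stray whitespace stays visible."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def check_dkim_record(txt_strings) -> list:
    """Return the problems found in a selector record (empty list means it looks sane).

    A TXT record longer than 255 bytes is stored as several strings; verifiers concatenate
    them with no separator, so that is what we check.
    """
    problems = []
    tags = parse_tags("".join(txt_strings))
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= tag present but not DKIM1")
    p = tags.get("p")
    if p is None:
        return problems + ["missing p= tag"]
    if p == "":
        return problems + ["p= is empty: this selector is revoked, mail signed with it will fail"]
    if re.search(r"\s", p):
        problems.append("whitespace or newline inside p=: key was mangled when pasted")
        p = re.sub(r"\s+", "", p)
    if not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", p) or len(p) % 4:
        return problems + ["p= is not valid base64"]
    der = base64.b64decode(p)
    # A SubjectPublicKeyInfo is a DER SEQUENCE (0x30) followed by its length; compare it with what was published.
    if len(der) < 4 or der[0] != 0x30:
        return problems + ["p= does not decode to a DER SubjectPublicKeyInfo"]
    if der[1] & 0x80:
        n = der[1] & 0x7F
        declared = 2 + n + int.from_bytes(der[2:2 + n], "big")
    else:
        declared = 2 + der[1]
    if declared != len(der):
        problems.append(f"DER length says {declared} bytes but {len(der)} were published: key truncated or padded")
    return problems


# Constructed sample: a 294-byte DER SEQUENCE (header + filler), base64-encoded like a real p= value.
GOOD_P = base64.b64encode(b"\x30\x82\x01\x22" + b"\x00" * 0x122).decode()
GOOD_RECORD = ["v=DKIM1; k=rsa; p=" + GOOD_P[:230], GOOD_P[230:]]  # split into two TXT strings
PASTED_WITH_NEWLINE = ["v=DKIM1; k=rsa; p=" + GOOD_P[:230] + "\n" + GOOD_P[230:]]
TRUNCATED = ["v=DKIM1; k=rsa; p=" + GOOD_P[:-8]]
```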


#3 Widespread Key Sharing

Every unique mail stream belonging to a brand or entity should have its own dedicated DKIM key. If you don’t mix and match DKIM keys between different mail streams, only a single brand or stream risks being affected in case a DKIM key is compromised. However, DKIM is a little complex and proper key management can be time-consuming and tedious. For this reason, domain owners often use the same key across many of their brands and mail streams, which is another one of the biggest DKIM mistakes people make. While a shared key’s simplified configuration can make implementation easier, it also creates a critical vulnerability. In such cases, compromising a single key provides threat actors with complete access to all your mail streams, which can have devastating effects on your business and reputation.

#4 Lack of Key Rotation

It is advisable to change the DKIM key regularly (known as key rotation), with the most commonly recommended frequency being 3–4 times a year. Key rotation ensures that even if a key is compromised, it can only be misused for a short time. Once the existing key is rotated out and replaced by a new one, the old key becomes useless and can no longer be exploited by the hackers. However, key rotation usually requires the domain owner to manually update one or more DNS records. For this reason, the practice is not very popular and DKIM keys are often set once, never to be changed again. In fact, numerous DKIM keys in production are 5–10 years old!
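A rotation planner for the selector lifecycle just described, added as an example and not part of the original post: each active selector is checked against a rotation interval, and a retired selector is kept resolvable for a grace period (so mail still in transit can be verified) before its record is replaced by an empty p=, which RFC 6376 defines as a revoked key. The interval and grace values, the inventory format and the date-based selector naming are assumptions.

```python
from datetime import date, timedelta

# Assumed policy values: rotate about every four months (three times a year, the low end of
# the recommended 3-4) and keep a retired selector published for a week before revoking it.
ROTATION_INTERVAL = timedelta(days=120)
RETIRE_GRACE = timedelta(days=7)


def plan_rotation(selectors, today):
    """Decide, per selector, what the DNS operator should do today.

    selectors: list of dicts with 'name', 'created' (date), 'active' (bool) and, for
    retired keys, 'retired' (date). This inventory format is assumed for the example.
    """
    actions = {}
    for s in selectors:
        if s["active"]:
            age = today - s["created"]
            if age >= ROTATION_INTERVAL:
                new_sel = today.strftime("%Y%m%d")  # assumed naming scheme: selector = rotation date
                actions[s["name"]] = (
                    f"rotate: publish {new_sel}._domainkey with the new public key, "
                    f"switch signing to s={new_sel}, then mark {s['name']} retired"
                )
            else:
                actions[s["name"]] = f"ok: due in {(ROTATION_INTERVAL - age).days} days"
        elif today - s["retired"] >= RETIRE_GRACE:
            # An empty p= tag tells verifiers the key has been revoked (RFC 6376 s3.6.1)
            actions[s["name"]] = f"revoke: set {s['name']}._domainkey TXT to 'v=DKIM1; p='"
        else:
            actions[s["name"]] = "keep: retired less than a week ago, signed mail may still be in transit"
    return actions


SAMPLE_SELECTORS = [  # constructed inventory
    {"name": "s2021q2", "created": date(2021, 4, 1), "active": True},
    {"name": "s2021q1", "created": date(2021, 1, 1), "active": False, "retired": date(2021, 10, 20)},
    {"name": "s2020q4", "created": date(2020, 10, 1), "active": False, "retired": date(2021, 4, 1)},
]

if __name__ == "__main__":
    for name, action in plan_rotation(SAMPLE_SELECTORS, date(2021, 10, 25)).items():
        print(name, "->", action)
```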


#5 Insecure Key Storage

When it comes to DKIM implementation, one essential thing to keep in mind is that the security of your DKIM private key is very important. Compromised DKIM keys are very valuable to hackers, as they can be used to impersonate senders while remaining virtually undetected. It is highly advisable to use distributed and encrypted key storage. Domain owners often store the keys for all their sending domains in a central database in plaintext. While centralized plaintext key storage can significantly simplify key management and distribution to the mail servers, it also makes it exceedingly easy for hackers to steal all your keys during a breach.

While the importance of DKIM in email security is unrivaled, it can also be a little intimidating and stressful to implement. However, if you take certain precautions and are careful to avoid the mistakes mentioned above, you can enjoy the full benefits offered by this email authentication protocol.

Did we miss any other common DKIM mistakes? Let us know in the comments below!

Originally published at https://blog.kdmarc.com on October 25, 2021.


Written by threatcop

Threatcop is a cybersecurity company that provides security solutions to businesses to protect them against email-based attacks and social engineering attacks.
