First look at DKIM2: The next generation of DKIM

In 2011, the original DomainKeys Identified Mail (DKIM1) standard was published. It outlined a method allowing a domain to sign emails, enabling recipients to verify that the email originated from an entity holding a private key that matches the public key published in the domain’s DNS records.

Now in 2024, DKIM is ready for a facelift, with the introduction of DKIM2, designed to update and replace the existing DKIM1 solution.

What is DKIM?

DKIM is a protocol currently defined by RFC 6376 that uses cryptographic hashes and digital signatures to verify that an email originates from or passed through the claimed mail server and has not been further altered in transit.

This is done using asymmetric (public-key) cryptography, which pairs a public and a private key. The private key is held securely by the sender’s mail server and is used to create a digital signature on the email. Meanwhile, the public key is published in the sender’s DNS records, making it accessible for recipients to verify the authenticity of received messages.

When an email is sent, the headers and body are signed with the private key to generate a unique digital signature, which is included as a header in the message. On the recipient’s side, if DKIM is supported, the server retrieves the public key from the sender’s DNS to check whether the email was genuinely signed by the sender’s domain. A successful signature verification confirms that the message was indeed sent by the identified domain and that its contents remained intact during transit. It is worth remembering that DKIM itself does not block or allow any email; DMARC does this, using the DKIM signature passing authentication together with alignment of the signing domain and the domain in the message’s From header.

Introducing DKIM2

DKIM2 is the proposed successor of DomainKeys Identified Mail (DKIM1). Building on the foundation of DKIM1, DKIM2 introduces stronger cryptographic standards and improved compatibility with intermediary mail servers that forward emails or otherwise manipulate them. These upgrades enhance the reliability of email authentication, helping to prevent email spoofing and phishing attacks while making it easier for organizations to protect their domains in an increasingly complex digital landscape.

In addition to improved security features, DKIM2 streamlines key management, allowing for easier and more frequent rotation of cryptographic keys to maintain security standards. It also enhances reporting and transparency, enabling organizations to monitor email traffic more effectively and quickly identify any unauthorized use of their domain. These enhancements make DKIM2 a valuable tool for organizations looking to strengthen email security and reduce the risk of fraudulent messages.

How will DKIM2 benefit my organization? 

DKIM2 will offer organizations several advantages over DKIM1 by addressing some of the limitations in the original protocol, making email authentication more secure and adaptable to modern email ecosystems. Here are some key ways DKIM2 improves support for organizations:

  1. Enhanced cryptographic standards: DKIM2 introduces stronger cryptographic algorithms, reducing vulnerabilities to advanced attacks and providing better protection for high-volume email domains and organizations handling sensitive information. It also reduces the cryptographic work for large mail providers: if the message was not altered, only the first signature needs to be checked.
  2. Forwarder flexibility and resilience: DKIM2 adds a mechanism to increase resilience against intermediary forwarding, such as mailing lists. Mailing lists or other forwarders that alter any headers will be asked to record the previous header contents so that the change can be undone for checking purposes. Coupled with the numbered signatures, this makes it easy to verify the email at every step.
  3. Greater transparency and reporting: DKIM2 includes expanded reporting capabilities, allowing organizations to receive detailed information on DKIM-related authentication failures and insights into potential misuse through feedback loops. This helps in monitoring and quickly responding to unauthorized use of their domains.
  4. Improved key management and rotation: DKIM2 provides streamlined key rotation practices, making it easier for organizations to regularly update their cryptographic keys and minimize the risks associated with compromised or outdated keys.
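To make the mechanics concrete, the following is an added example written for this article (it is not Red Sift code and is not taken from the DKIM2 draft). It models the sign-and-verify flow from the "What is DKIM?" section and the forwarder "record the previous header so the change can be undone" idea from point 2 above. It uses ed25519 (which DKIM already supports via RFC 8463), stands in for DNS with an in-memory map keyed by `<selector>._domainkey.<domain>`, and uses hypothetical header names (`X-DKIM2-Signature`, `X-DKIM2-Modification`) and tag syntax that are illustrative only; the draft's real wire format may differ. All addresses, keys and message contents are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Hypothetical header names for this illustration; the DKIM2 draft's real syntax may differ.
const (
	sigHeader = "X-DKIM2-Signature"
	modHeader = "X-DKIM2-Modification"
)

// Header fields covered by every hop's signature (lowercase, like a DKIM h= list).
var signedFields = []string{"from", "to", "subject"}

type Header struct{ Name, Value string }

// Message is a minimal mail model: ordered headers plus a body.
type Message struct {
	Headers []Header
	Body    string
}

func (m *Message) Get(name string) string {
	for _, h := range m.Headers {
		if strings.EqualFold(h.Name, name) {
			return h.Value
		}
	}
	return ""
}

func (m *Message) Set(name, value string) {
	for i := range m.Headers {
		if strings.EqualFold(m.Headers[i].Name, name) {
			m.Headers[i].Value = value
			return
		}
	}
	m.Headers = append(m.Headers, Header{name, value})
}

// dns stands in for TXT lookups at <selector>._domainkey.<domain> (constructed, in-memory).
var dns = map[string]ed25519.PublicKey{}

// parseTags splits "k=v; k=v" into a map (first '=' separates key from value).
func parseTags(v string) map[string]string {
	out := map[string]string{}
	for _, part := range strings.Split(v, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			out[kv[0]] = kv[1]
		}
	}
	return out
}

// canon returns the bytes covered by signature number seq: the signed header
// fields (names lowercased, whitespace collapsed) plus a SHA-256 hash of the body.
func canon(m *Message, seq int, domain string) []byte {
	var b strings.Builder
	for _, name := range signedFields {
		fmt.Fprintf(&b, "%s:%s\r\n", name, strings.Join(strings.Fields(m.Get(name)), " "))
	}
	bh := sha256.Sum256([]byte(strings.TrimRight(m.Body, "\r\n") + "\r\n"))
	fmt.Fprintf(&b, "i=%d;d=%s;bh=%s", seq, domain, base64.StdEncoding.EncodeToString(bh[:]))
	return []byte(b.String())
}

// Sign appends signature number seq. seq 1 is the originating domain; higher
// numbers are forwarders (e.g. mailing lists) signing what they relay onward.
func Sign(m *Message, seq int, domain, selector string, priv ed25519.PrivateKey) {
	sig := ed25519.Sign(priv, canon(m, seq, domain))
	m.Headers = append(m.Headers, Header{sigHeader, fmt.Sprintf("i=%d; d=%s; s=%s; b=%s",
		seq, domain, selector, base64.StdEncoding.EncodeToString(sig))})
}

// Rewrite changes a signed header the way a mailing list might, recording the
// previous value so a verifier can undo the change before checking earlier hops.
func Rewrite(m *Message, seq int, name, newValue string) {
	prev := base64.StdEncoding.EncodeToString([]byte(m.Get(name)))
	m.Headers = append(m.Headers, Header{modHeader,
		fmt.Sprintf("i=%d; h=%s; prev=%s", seq, strings.ToLower(name), prev)})
	m.Set(name, newValue)
}

// VerifyChain checks signatures from the most recent hop back to the originator,
// undoing each hop's recorded modification before checking the hop before it.
// It returns how many hops verified and the first failure, without mutating orig.
func VerifyChain(orig Message) (int, error) {
	m := orig
	m.Headers = append([]Header(nil), orig.Headers...)
	type sig struct {
		seq              int
		domain, selector string
		b                []byte
	}
	var sigs []sig
	mods := map[int]map[string]string{}
	for _, h := range m.Headers {
		t := parseTags(h.Value)
		seq, _ := strconv.Atoi(t["i"])
		switch h.Name {
		case sigHeader:
			b, _ := base64.StdEncoding.DecodeString(t["b"])
			sigs = append(sigs, sig{seq, t["d"], t["s"], b})
		case modHeader:
			mods[seq] = t
		}
	}
	sort.Slice(sigs, func(i, j int) bool { return sigs[i].seq > sigs[j].seq })
	verified := 0
	for _, s := range sigs {
		pub, ok := dns[s.selector+"._domainkey."+s.domain]
		if !ok {
			return verified, fmt.Errorf("hop %d: no key at %s._domainkey.%s", s.seq, s.selector, s.domain)
		}
		if !ed25519.Verify(pub, canon(&m, s.seq, s.domain), s.b) {
			return verified, fmt.Errorf("hop %d (%s): signature does not verify", s.seq, s.domain)
		}
		verified++
		if mod, ok := mods[s.seq]; ok { // undo this hop's change for the previous hop's check
			prev, _ := base64.StdEncoding.DecodeString(mod["prev"])
			m.Set(mod["h"], string(prev))
		}
	}
	return verified, nil
}

// BuildDemo constructs a message signed by example.com, relayed by a list at
// example.net that tags the Subject. With record=false the list rewrites the
// Subject without leaving an undo record. Fresh keys are generated on every call.
func BuildDemo(record bool) Message {
	origPub, origPriv, _ := ed25519.GenerateKey(rand.Reader)
	listPub, listPriv, _ := ed25519.GenerateKey(rand.Reader)
	dns["s1._domainkey.example.com"] = origPub
	dns["lists._domainkey.example.net"] = listPub
	m := Message{Headers: []Header{{"From", "alice@example.com"}, {"To", "dev@example.net"},
		{"Subject", "Quarterly numbers"}}, Body: "Draft attached.\r\n"}
	Sign(&m, 1, "example.com", "s1", origPriv)
	if record {
		Rewrite(&m, 2, "Subject", "[dev] Quarterly numbers")
	} else {
		m.Set("Subject", "[dev] Quarterly numbers")
	}
	Sign(&m, 2, "example.net", "lists", listPriv)
	return m
}

func main() {
	n, err := VerifyChain(BuildDemo(true))
	fmt.Println("recorded rewrite: hops verified =", n, "err =", err)
	n, err = VerifyChain(BuildDemo(false))
	fmt.Println("unrecorded rewrite: hops verified =", n, "err =", err)
}
```

The receiver walks the numbered signatures newest-first: the list's signature covers the tagged Subject, the undo record restores the original Subject, and the originator's signature then verifies too. Without the record, only the list's signature verifies and the originator's fails, which is exactly the mailing-list breakage DKIM1 suffers from today. Any edit to the body after the last hop fails the newest signature immediately.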

In short, DKIM2 is designed to offer greater resilience, security, and operational ease, making it a more robust solution for protecting organizational email domains against modern email threats. While still a draft and subject to change, DKIM2 will bring many improvements for users soon.

If you’re looking to enhance your email security, speak to the Red Sift team today.

PUBLISHED BY

Red Sift

5 Nov. 2024
