In 2011, the original DomainKeys Identified Mail (DKIM1) standard was published. It outlined a method allowing a domain to sign emails, enabling recipients to verify that the email originated from an entity holding a private key that matches the public key published in the domain’s DNS records.
Now in 2024, DKIM is ready for a facelift, with the introduction of DKIM2, designed to update and replace the existing DKIM1 solution.
What is DKIM?
DKIM is a protocol currently defined by RFC 6376 that uses cryptographic hashes to verify that an email originates from or passed through the claimed mail server and has not been further altered in transit.
This is done using asymmetric (public-key) cryptography, which pairs a public key with a private key. The private key is held securely by the sender’s mail server and is used to create a digital signature on the email. Meanwhile, the public key is published in the sender’s DNS records, making it accessible to recipients who want to verify the authenticity of received messages.
When an email is sent, the headers and body are signed with the private key to generate a unique digital signature, which is included as a header in the message. On the recipient’s side, if DKIM is supported, the server retrieves the public key from the sender’s DNS to check whether the email was genuinely signed by the sender’s domain. A successful signature verification confirms that the message was indeed sent by the identified domain and that its contents remained intact during transit. It is worth remembering that DKIM itself does not block or allow any email; DMARC does this, based on the DKIM signature verifying successfully and the signing domain aligning with the domain in the From header.
Introducing DKIM2
DKIM2 is the proposed successor of DomainKeys Identified Mail (DKIM1). Building on the foundation of DKIM1, DKIM2 introduces stronger cryptographic standards and improved compatibility with intermediary mail servers that forward emails or otherwise manipulate them. These upgrades enhance the reliability of email authentication, helping to prevent email spoofing and phishing attacks while making it easier for organizations to protect their domains in an increasingly complex digital landscape.
In addition to improved security features, DKIM2 streamlines key management, allowing for easier and more frequent rotation of cryptographic keys to maintain security standards. It also enhances reporting and transparency, enabling organizations to monitor email traffic more effectively and quickly identify any unauthorized use of their domain. These enhancements make DKIM2 a valuable tool for organizations looking to strengthen email security and reduce the risk of fraudulent messages.
How will DKIM2 benefit my organization?
DKIM2 will offer organizations several advantages over DKIM1 by addressing some of the limitations in the original protocol, making email authentication more secure and adaptable to modern email ecosystems. Here are some key ways DKIM2 improves support for organizations:
- Enhanced cryptographic standards: DKIM2 introduces stronger cryptographic algorithms, reducing vulnerabilities to advanced attacks and providing better protection for high-volume email domains and organizations handling sensitive information. It also reduces the verification work for large mail providers: if the message was not altered in transit, only the first signature needs to be checked.
- Forwarder flexibility and resilience: DKIM2 introduces a mechanism that makes signatures resilient to intermediary forwarding, such as mailing lists. Mailing lists and other forwarders that alter any headers are asked to record the previous header contents, so that a verifier can undo the changes when checking. Coupled with the numbered signatures, this makes it possible to verify the email at every step of its journey.
- Greater transparency and reporting: DKIM2 includes expanded reporting capabilities, allowing organizations to receive detailed information on DKIM-related authentication failures and insights into potential misuse through feedback loops. This helps in monitoring and quickly responding to unauthorized use of their domains.
- Improved key management and rotation: DKIM2 provides streamlined key rotation practices, making it easier for organizations to regularly update their cryptographic keys and minimize the risks associated with compromised or outdated keys.
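The following toy model, added here to illustrate the forwarder mechanism and the sign-then-verify flow described above, is not Red Sift's code and does not follow the DKIM2 draft's real header names or wire format. It assumes HMAC-SHA256 with a per-domain secret as a stand-in for the public-key signature (so it runs with the standard library alone), a constructed message and constructed keys, and a simple list of (header, previous value) pairs as each hop's record of what it overwrote.

```python
import hashlib, hmac

# Constructed per-domain secrets. HMAC-SHA256 stands in for DKIM's public-key
# signature so the example runs with the standard library only.
KEYS = {"example.com": b"constructed-origin-key",
        "list.example.net": b"constructed-list-key"}
SIGNED_HEADERS = ("from", "to", "subject")

def canonical(headers, body, seq, undo):
    """Bytes covered by signature `seq`: signed headers, body, sequence number and undo record."""
    lines = [f"{h}:{headers.get(h, '')}" for h in SIGNED_HEADERS]
    lines += [f"undo:{name}:{old}" for name, old in undo]
    return (f"i={seq}\n" + "\n".join(lines) + "\n\n" + body).encode()

def sign(message, domain, undo=()):
    """Append the next numbered signature for `domain` to the message."""
    seq = len(message["signatures"]) + 1
    data = canonical(message["headers"], message["body"], seq, undo)
    sig = hmac.new(KEYS[domain], data, hashlib.sha256).hexdigest()
    message["signatures"].append({"i": seq, "d": domain, "undo": list(undo), "sig": sig})

def forward_with_change(message, domain, header, new_value):
    """Mailing-list hop: rewrite one header, record its old value, re-sign."""
    previous = message["headers"].get(header, "")
    message["headers"][header] = new_value
    sign(message, domain, undo=[(header, previous)])

def verify_chain(message):
    """Check signatures newest-first, rewinding each hop's recorded change before
    checking the hop before it. Returns [(seq, domain, ok), ...]; [] if numbering has gaps."""
    sigs = sorted(message["signatures"], key=lambda s: s["i"], reverse=True)
    if [s["i"] for s in sigs] != list(range(len(sigs), 0, -1)):
        return []
    headers, results = dict(message["headers"]), []
    for s in sigs:
        data = canonical(headers, message["body"], s["i"], s["undo"])
        expected = hmac.new(KEYS[s["d"]], data, hashlib.sha256).hexdigest()
        results.append((s["i"], s["d"], hmac.compare_digest(expected, s["sig"])))
        for name, old in s["undo"]:  # restore what this hop overwrote
            headers[name] = old
    return results

def demo(tamper=False):
    """Origin signs; a list rewrites Subject and signs; an unrecorded edit breaks the chain."""
    msg = {"headers": {"from": "alice@example.com", "to": "list@list.example.net",
                       "subject": "Hello"}, "body": "Meeting at 10.\n", "signatures": []}
    sign(msg, "example.com")
    forward_with_change(msg, "list.example.net", "subject", "[list] Hello")
    if tamper: msg["body"] = "Meeting at 11.\n"
    return verify_chain(msg)
```

Because each hop's change is recorded and rewound in reverse order, the origin signature still verifies after the list rewrote the Subject; an alteration nobody recorded invalidates every signature covering it.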
In short, DKIM2 is designed to offer greater resilience, security, and operational ease, making it a more robust solution for protecting organizational email domains against modern email threats. While still a draft and subject to change, DKIM2 should bring substantial benefits to users soon.
If you’re looking to enhance your email security, speak to the Red Sift team today.