First look at DKIM2: The next generation of DKIM

In 2011, the original DomainKeys Identified Mail (DKIM1) standard was published. It outlined a method allowing a domain to sign emails, enabling recipients to verify that the email originated from an entity holding a private key that matches the public key published in the domain’s DNS records.

Now in 2024, DKIM is ready for a facelift, with the introduction of DKIM2, designed to update and replace the existing DKIM1 solution.

What is DKIM?

DKIM is a protocol, currently defined by RFC 6376, that uses cryptographic hashes and digital signatures to verify that an email originated from, or passed through, the claimed mail server and was not altered afterwards in transit.

This is done with asymmetric (public-key) cryptography, which pairs a public key with a private key. The private key is held securely by the sender’s mail server and is used to create a digital signature over the email. The matching public key is published in the sender’s DNS records, where recipients can fetch it to verify the signatures on the messages they receive.

When an email is sent, selected headers and the body are signed with the private key to produce a digital signature that is added to the message as a header. On the receiving side, if DKIM is supported, the server retrieves the public key from the sender’s DNS and checks whether the signature was genuinely produced by the sender’s domain. A successful verification confirms that the message was sent by the identified domain and that the signed content was not changed in transit. It is worth remembering that DKIM itself neither blocks nor allows any email; that decision is made by DMARC, which requires the DKIM signature both to verify and to have a signing domain that aligns with the message’s From domain.

Introducing DKIM2

DKIM2 is the proposed successor of DomainKeys Identified Mail (DKIM1). Building on the foundation of DKIM1, DKIM2 introduces stronger cryptographic standards and improved compatibility with intermediary mail servers that forward emails or otherwise manipulate them. These upgrades enhance the reliability of email authentication, helping to prevent email spoofing and phishing attacks while making it easier for organizations to protect their domains in an increasingly complex digital landscape.

In addition to improved security features, DKIM2 streamlines key management, allowing for easier and more frequent rotation of cryptographic keys to maintain security standards. It also enhances reporting and transparency, enabling organizations to monitor email traffic more effectively and quickly identify any unauthorized use of their domain. These enhancements make DKIM2 a valuable tool for organizations looking to strengthen email security and reduce the risk of fraudulent messages.

How will DKIM2 benefit my organization?

DKIM2 will offer organizations several advantages over DKIM1 by addressing some of the limitations in the original protocol, making email authentication more secure and adaptable to modern email ecosystems. Here are some key ways DKIM2 improves support for organizations:

  1. Enhanced cryptographic standards: DKIM2 introduces stronger cryptographic algorithms, reducing exposure to advanced attacks and providing better protection for high-volume email domains and organizations handling sensitive information. It also reduces the cryptographic work for large mail providers: if the message was not altered, only the first signature needs to be checked.
  2. Forwarder flexibility and resilience: DKIM2 adds a mechanism to increase resilience against intermediaries such as mailing lists. Forwarders that alter any headers will be asked to record the previous header contents so that the changes can be undone for verification. Coupled with the numbered signatures, this makes it possible to verify the email at every step.
  3. Greater transparency and reporting: DKIM2 includes expanded reporting capabilities, allowing organizations to receive detailed information on DKIM-related authentication failures and insights into potential misuse through feedback loops. This helps in monitoring and quickly responding to unauthorized use of their domains.
  4. Improved key management and rotation: DKIM2 provides streamlined key rotation practices, making it easier for organizations to regularly update their cryptographic keys and minimize the risks associated with compromised or outdated keys.
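
As an added illustration of the signing flow described above and of the DKIM2 chain of numbered signatures with recorded header changes (point 2), here is a constructed model that is not code from the article, from Red Sift, or from the DKIM2 draft. The domains, header names and message are assumptions, and HMAC-SHA256 stands in for the public-key signature so the model runs with the standard library alone.

```python
import hashlib
import hmac

# Constructed per-domain keys. HMAC-SHA256 stands in for the real public-key
# signature so this runs with the standard library only (assumption).
KEYS = {"origin.example": b"origin-secret", "list.example": b"list-secret"}
SIGNED = ("from", "to", "subject")  # header fields every signature covers

def _digest(headers, body):
    h = hashlib.sha256()
    for name in SIGNED:
        h.update(f"{name}:{headers.get(name, '')}\n".encode())
    h.update(body.encode())
    return h.digest()

def _tag(domain, headers, body):
    return hmac.new(KEYS[domain], _digest(headers, body), "sha256").hexdigest()

def sign(msg, seq, domain):
    """Hop `seq` for `domain` signs the headers and body exactly as they are now."""
    msg["sigs"].append({"i": seq, "d": domain, "sig": _tag(domain, msg["headers"], msg["body"])})

def forward(msg, seq, domain, new_subject):
    """A mailing list that rewrites Subject: records the old value, then signs as hop `seq`."""
    msg["mods"].append({"i": seq, "header": "subject", "old": msg["headers"]["subject"]})
    msg["headers"]["subject"] = new_subject
    sign(msg, seq, domain)

def verify(msg):
    """Check hops from the latest back to the origin, undoing each hop's edits on the way."""
    headers = dict(msg["headers"])
    results = []
    for s in sorted(msg["sigs"], key=lambda s: s["i"], reverse=True):
        ok = hmac.compare_digest(_tag(s["d"], headers, msg["body"]), s["sig"])
        results.append((s["i"], s["d"], ok))
        for m in msg["mods"]:           # restore what this hop changed
            if m["i"] == s["i"]:
                headers[m["header"]] = m["old"]
    return results

def build_chain():
    """Constructed sample: origin signs (i=1), a list rewrites Subject and signs (i=2)."""
    msg = {"headers": {"from": "alice@origin.example", "to": "list@list.example",
                       "subject": "Hello"}, "body": "Meeting at 10.\n", "sigs": [], "mods": []}
    sign(msg, 1, "origin.example")
    forward(msg, 2, "list.example", "[list] Hello")
    return msg
```

`verify(build_chain())` passes both hops; appending anything to the body afterwards fails both, and a forwarder that rewrites Subject without recording the old value leaves only its own signature verifiable.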

In short, DKIM2 is designed to offer greater resilience, security, and operational ease, making it a more robust solution for protecting organizational email domains against modern email threats. While still a draft and subject to change, DKIM2 is expected to bring these benefits to users soon.

If you’re looking to enhance your email security, speak to the Red Sift team today.

PUBLISHED BY

Faisal Misle

5 Nov. 2024
