First look at DKIM2: The next generation of DKIM

DomainKeys Identified Mail (DKIM, now often called DKIM1 to distinguish it from its successor) was first standardised in 2007 as RFC 4871 and revised in 2011 as RFC 6376. It outlined a method allowing a domain to sign outgoing emails, enabling recipients to verify that a message was signed with the private key matching the public key the domain publishes in its DNS records.

Now in 2024, DKIM is ready for a facelift, with the introduction of DKIM2, designed to update and replace the existing DKIM1 solution.

What is DKIM?

DKIM is a protocol currently defined by RFC 6376 that uses a digital signature over a cryptographic hash of the message to verify two things: that the message was signed by the domain claiming responsibility for it, and that the signed headers and body were not altered after signing.

This is done using asymmetric cryptography, which pairs a public and a private key. The private key is held securely by the sender’s mail server and is used to create a digital signature on the email. Meanwhile, the public key is published in the sender’s DNS records, making it accessible for recipients to verify the authenticity of received messages.

When an email is sent, the signing server hashes the body, canonicalises a chosen set of headers (From is mandatory) and signs them with the private key, placing the result in a DKIM-Signature header. That header lists the signed header names (h=), the body hash (bh=), the signature itself (b=), the signing domain (d=) and a selector (s=) that tells the recipient which key to fetch. On the recipient’s side, if DKIM is supported, the server retrieves the public key from the DNS record selector._domainkey.domain, recomputes the body hash and checks the signature. A successful verification confirms that the signing domain vouched for the message and that the signed contents remained intact in transit; it says nothing about headers or parts that were not covered by the signature. It is worth remembering that DKIM itself does not block or allow any email; DMARC does that, using a DKIM signature that verifies and whose d= domain aligns with the From domain (or, alternatively, an aligned SPF pass).

Introducing DKIM2

DKIM2 is the proposed successor to DomainKeys Identified Mail (DKIM1), currently progressing as a set of IETF drafts. Building on the foundation of DKIM1, DKIM2 introduces stronger cryptographic standards and improved handling of intermediary mail servers that forward emails or otherwise modify them in transit, the case in which DKIM1 signatures most often break. These upgrades make email authentication results more reliable, helping to prevent email spoofing and phishing attacks while making it easier for organizations to protect their domains in an increasingly complex mail ecosystem.

In addition to improved security features, DKIM2 streamlines key management, allowing for easier and more frequent rotation of cryptographic keys to maintain security standards. It also enhances reporting and transparency, enabling organizations to monitor email traffic more effectively and quickly identify any unauthorized use of their domain. These enhancements make DKIM2 a valuable tool for organizations looking to strengthen email security and reduce the risk of fraudulent messages.

How will DKIM2 benefit my organization? 

DKIM2 will offer organizations several advantages over DKIM1 by addressing some of the limitations in the original protocol, making email authentication more secure and adaptable to modern email ecosystems. Here are some key ways DKIM2 improves support for organizations:

  1. Enhanced cryptographic standards: DKIM2 specifies stronger signature algorithms, reducing exposure to attacks on weak or short keys and providing better protection for high-volume email domains and organizations handling sensitive information. It also reduces verification work for large mail providers: when no intermediary has altered the message, a verifier need check only the first (originating) signature rather than every signature in the chain.
  2. Forwarder flexibility and resilience: DKIM2 is designed to stay verifiable through intermediaries such as mailing lists, which routinely rewrite headers and break DKIM1 signatures. DKIM2 asks mailing lists and other forwarders that alter headers to record the previous header contents in the message, so that a verifier can undo the change before re-checking the earlier signature. Coupled with numbered signatures (the originator signs first, each forwarder adds the next number in the sequence), this makes it possible to verify the email at every hop.
  3. Greater transparency and reporting: DKIM2 includes expanded reporting capabilities, allowing organizations to receive detailed information on DKIM-related authentication failures and insights into potential misuse through feedback loops. This helps in monitoring and quickly responding to unauthorized use of their domains.
  4. Improved key management and rotation: DKIM2 provides streamlined key rotation practices, making it easier for organizations to regularly update their cryptographic keys and minimize the risks associated with compromised or outdated keys.
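As an added, runnable illustration of the two mechanisms described above (the sign-and-verify flow from the "What is DKIM?" section, and the forwarder record plus numbered signature chain from point 2), the following Go program is this editor's own toy and not code from the DKIM2 drafts or from Red Sift. It assumes Ed25519 keys looked up from an in-memory map standing in for the DNS query, a simplified "relaxed" canonicalisation, hex rather than base64 encoding, a single forwarding hop, and an invented record header name x-dkim2-original-subject; the tag names i=, d=, h=, bh= and b= follow DKIM's, with i= reused as the DKIM2 sequence number. The message, domains and keys are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Message is a toy mail message: lower-cased, non-repeating header names, a body and the signature
// chain (i=1 is the originator). Signature holds one signature header's tags: i= sequence number (the
// DKIM2 addition), d= signing domain, h= signed header names, bh= body hash, b= signature bytes.
type Message struct{ Headers map[string]string; Body string; Sigs []Signature }
type Signature struct{ Seq int; Domain string; Headers []string; BodyHash [32]byte; Sig []byte }

// canonHeader and bodyHash approximate DKIM "relaxed" canonicalisation (lower-case names, collapsed
// whitespace, trailing blank lines dropped) so that harmless transit rewrapping does not break hashes.
func canonHeader(name, value string) string {
	return strings.ToLower(strings.TrimSpace(name)) + ":" + strings.Join(strings.Fields(value), " ") + "\r\n"
}
func bodyHash(body string) [32]byte { return sha256.Sum256([]byte(strings.TrimRight(body, " \t\r\n") + "\r\n")) }

// tag renders the signature header value (hex here; real DKIM uses base64 for bh= and b=).
func (s Signature) tag(b []byte) string {
	return fmt.Sprintf("i=%d; d=%s; h=%s; bh=%x; b=%x", s.Seq, s.Domain, strings.Join(s.Headers, ":"), s.BodyHash, b)
}

// signedData is what signature s covers: the listed headers, every earlier signature in the chain
// (so each hop vouches for exactly what it received) and s's own tag with b= left empty.
func signedData(msg *Message, s Signature) []byte {
	var sb strings.Builder
	for _, h := range s.Headers {
		sb.WriteString(canonHeader(h, msg.Headers[h]))
	}
	for _, prev := range msg.Sigs[:s.Seq-1] {
		sb.WriteString(canonHeader("dkim2-signature", prev.tag(prev.Sig)))
	}
	sb.WriteString(canonHeader("dkim2-signature", s.tag(nil)))
	return []byte(sb.String())
}

// Sign appends the next numbered signature for domain over the given headers and the body.
func Sign(msg *Message, domain string, headers []string, key ed25519.PrivateKey) {
	s := Signature{Seq: len(msg.Sigs) + 1, Domain: domain, Headers: headers, BodyHash: bodyHash(msg.Body)}
	s.Sig = ed25519.Sign(key, signedData(msg, s))
	msg.Sigs = append(msg.Sigs, s)
}

// Verify checks signature seq against the message as presented; keys stands in for the DNS lookup of
// the public key published for d= (selectors are omitted in this toy).
func Verify(msg *Message, seq int, keys map[string]ed25519.PublicKey) bool {
	if seq < 1 || seq > len(msg.Sigs) {
		return false
	}
	s := msg.Sigs[seq-1]
	pub, ok := keys[s.Domain]
	return ok && bodyHash(msg.Body) == s.BodyHash && ed25519.Verify(pub, signedData(msg, s), s.Sig)
}

// undoLastHop rebuilds the message as the previous signer saw it: put back the Subject the forwarder
// recorded, then drop the record header and the newest signature (a single forwarding hop is assumed).
// The record header name x-dkim2-original-subject is this example's own invention, not the draft's.
func undoLastHop(msg *Message) *Message {
	out := &Message{Headers: map[string]string{}, Body: msg.Body, Sigs: msg.Sigs[:len(msg.Sigs)-1]}
	for k, v := range msg.Headers {
		out.Headers[k] = v
	}
	if orig, ok := out.Headers["x-dkim2-original-subject"]; ok {
		out.Headers["subject"] = orig
		delete(out.Headers, "x-dkim2-original-subject")
	}
	return out
}

// VerifyChain walks from the newest signature back to the originator's, reverting each hop's recorded
// change before checking the signature beneath it.
func VerifyChain(msg *Message, keys map[string]ed25519.PublicKey) bool {
	for cur := msg; len(cur.Sigs) > 0; cur = undoLastHop(cur) {
		if !Verify(cur, len(cur.Sigs), keys) {
			return false
		}
	}
	return len(msg.Sigs) > 0
}

// Scenario runs originator -> mailing list -> receiver on a constructed message.
func Scenario() (origin, chain, tampered, unrecorded bool) {
	originPub, originKey, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	listPub, listKey, _ := ed25519.GenerateKey(nil)
	keys := map[string]ed25519.PublicKey{"example.com": originPub, "lists.example.org": listPub}
	msg := &Message{Headers: map[string]string{"from": "Alice <alice@example.com>",
		"to": "dev@lists.example.org", "subject": "Release plan"}, Body: "Ship on Friday.\r\n"}
	Sign(msg, "example.com", []string{"from", "to", "subject"}, originKey)
	origin = Verify(msg, 1, keys)
	// The list rewrites Subject, records the value it replaced, and signs i=2 over the record as well.
	msg.Headers["x-dkim2-original-subject"] = msg.Headers["subject"]
	msg.Headers["subject"] = "[dev] " + msg.Headers["subject"]
	Sign(msg, "lists.example.org", []string{"from", "to", "subject", "x-dkim2-original-subject"}, listKey)
	chain = VerifyChain(msg, keys)
	bad := *msg
	bad.Body = "Ship on Monday.\r\n" // altered after the list signed: bh= of i=2 no longer matches
	tampered = VerifyChain(&bad, keys)
	naive := undoLastHop(msg) // the same rewrite by a forwarder that records nothing breaks i=1
	naive.Headers["subject"] = "[dev] " + naive.Headers["subject"]
	unrecorded = Verify(naive, 1, keys)
	return
}
```

Scenario returns true for the origin signature and for the two-hop chain, and false for both the body tampered after the list signed and the Subject rewrite that recorded nothing. That last case is exactly the DKIM1 mailing-list breakage the record-and-undo mechanism is meant to remove: the originator's signature is still valid for the message the originator sent, and DKIM2 gives the verifier enough information to reconstruct that message. A real verifier would additionally fetch keys from selector._domainkey.<d=> in DNS, apply the full canonicalisation rules, and feed the result into DMARC alignment; none of that is modelled here.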

In short, DKIM2 is designed to offer greater resilience, security, and operational ease, making it a more robust solution for protecting organizational email domains against modern email threats. The specification is still an IETF draft and subject to change, so header names, algorithms and reporting details may differ from what is described here before it is finalised and deployed.

If you’re looking to enhance your email security, speak to the Red Sift team today.

PUBLISHED BY

Red Sift

5 Nov. 2024
