DKIM: Fight Spam and Forged Email by Signing your Messages

December 5th, 2011

LuxSci has long supported SPF for inbound and outbound email. SPF is a mechanism by which you can specify which servers are permitted to send email for your domain, and identify email from other places that may be fraudulent. This helps stop inbound spam and helps ensure that your recipients can distinguish your own messages from any fraudulently sent ones.

DKIM (DomainKeys Identified Mail) is the other standard for preventing email forgery. DKIM works by cryptographically signing each email message sent. Recipients can use information published in your DNS settings to verify that the message was sent from an approved location (i.e. the signature is valid) and that it has not been modified in transit.

LuxSci now supports DKIM for both inbound and outbound email.

See our online DKIM Generator Tool.

Inbound Email: DKIM for Spam Filtering

LuxSci’s Basic Spam Filtering service now automatically supports DKIM to help determine if messages are legitimate or spam. Messages that should have DKIM signatures (but do not) or which have invalid signatures are much more likely to be spam. For example, all messages from @paypal.com and @ebay.com (among others) should always be signed using DKIM (according to these companies). Any messages that are not should be treated as 100% spam. This by itself goes a long way to stop the prevalence of forged messages from these domains.

Basic Spam Filtering:

  • Treats properly signed messages as slightly less spam-like
  • Treats messages from organizations that say that all messages should be signed as spam if they are not signed or the signature is invalid
  • Treats messages from organizations that say that all messages should be signed AND that messages should be discarded if not, as 100% spam if they are not signed or the signature is invalid. This overrides any “white list” settings that you may have.

If you use DKIM for your domain and have it configured so that all messages must be signed and any that are not should be discarded, then inbound messages forged to be from your domain (a very common thing) which are not properly signed will be treated as spam even if your domain is white listed.

LuxSci’s Premium Email Filtering service (provided through our partnership with McAfee) supports DKIM; additionally, both Premium Email Filtering users and Basic Filtering users can create “Custom Email Filters” in their LuxSci accounts to match messages that:
  • Are properly DKIM signed, or
  • Are missing a required DKIM signature or have an invalid DKIM signature, or
  • Are DKIM-neutral (i.e. neither of the above)
and do things with them (like flagging them or saving them to a folder).

Outbound Email: DKIM for Signing

LuxSci now provides all customers who send outbound email through LuxSci with the ability to have all of that email signed via DKIM.  Customers can find a “DKIM” control panel under their “Advanced Account Administration > Email” configuration area.  There, they can:
  • Create DKIM configurations for any domains that their users send email From
  • Get the specific settings needed for updating their domain’s DNS settings to publish the DKIM verification information.

Customers can define DKIM settings for any number of domains in their account, and those settings will only be usable by users of their accounts. Of course, these DKIM settings are not useful unless the customer can update the DNS settings for these domains with the required TXT records.
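How a receiver gets from a signed message to the TXT record mentioned above, as an added example (not LuxSci's code): it parses a DKIM-Signature header value, derives the DNS name to query, and reads the published key record. The domain, selector and key bytes are constructed placeholders; the tag names and the `_domainkey` lookup name follow the DKIM specification (RFC 6376), and only RSA key records are handled.

```python
import base64
import re

# Constructed sample data: the domain, selector and key bytes are placeholders.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel2011;\r\n"
    "\th=from:to:subject:date; bh=Zm9vYmFy;\r\n"
    "\tb=c2lnbmF0dXJl\r\n\t ZGF0YQ=="
)
SAMPLE_TXT = "v=DKIM1; k=rsa; p=" + base64.b64encode(b"constructed-public-key").decode()


def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # a trailing ';' is allowed
        name, sep, val = part.partition("=")
        name = name.strip()
        if not sep or not name or name in tags:
            raise ValueError("malformed or duplicate tag: %r" % part)
        # Folding whitespace inside base64 values is not significant.
        tags[name] = re.sub(r"\s+", "", val) if name in ("b", "bh", "p") else val.strip()
    return tags


def key_query_name(sig):
    """DNS name whose TXT record holds the signer's public key."""
    missing = {"v", "a", "b", "bh", "d", "h", "s"} - set(sig)
    if missing:
        raise ValueError("signature lacks required tags: %s" % sorted(missing))
    if "from" not in [h.strip().lower() for h in sig["h"].split(":")]:
        raise ValueError("From header is not covered by the signature")
    return "%s._domainkey.%s" % (sig["s"], sig["d"])


def usable_key(txt):
    """Return the raw public key bytes from a key record, or None if revoked."""
    rec = parse_tags(txt)
    if rec.get("v", "DKIM1") != "DKIM1" or rec.get("k", "rsa") != "rsa":
        raise ValueError("unsupported key record")
    if "p" not in rec:
        raise ValueError("key record has no p= tag")
    return base64.b64decode(rec["p"], validate=True) if rec["p"] else None
```

An empty `p=` value means the key has been revoked, so a signature pointing at it must fail verification rather than be treated as unsigned-but-harmless.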

Customers using the shared luxsci.net and luxsci.me domains will automatically have all outbound email from their luxsci.net and luxsci.me addresses signed with DKIM; no configuration is needed.

LuxSci highly recommends that its customers begin using DKIM for their outbound email. DKIM goes a long way towards validating legitimate email and protecting yourself and others against forged email.