7 Common Misconceptions about DKIM in the Fight Against SPAM

August 18th, 2014

The popularity and prevalence of DKIM in the fight against SPAM is growing such that as of August, 2014, 47% of the most popular domains in the USA are DKIM-enabled (reference); globally, that number is 38%.  The trend is steadily upward and we expect DKIM use to be pervasive within a few more years.

DKIM, Domain Keys Identified Mail, is still a magic techno-jargon black box to most people. It’s “something” you gotta “add to DNS” to help stop SPAM or make your email “appear more legitimate”.  Beyond that (and even what DNS actually is), many people struggle to understand what is going on.

Here are 7 misconceptions about DKIM that we have seen, and the explanations that can steer you back on track:

1. DKIM stops SPAM

Many folks believe that enabling DKIM for their domain and DKIM filtering for their inbound email will stop SPAM from reaching them.  Certainly using DKIM filtering on your inbound email will cut down on SPAM and using DKIM for messages sent by you can help others verify your email is legitimate; however, it does not actually stop spam.  In fact, it can make some SPAM look more legitimate.

Why? DKIM merely allows the senders to digitally sign the messages they send so that you can verify that the sender really owns the sending domain and has permission to send from it.  This provides legitimacy and transparency and mitigates the ability of spammers to send spam using forged / stolen email addresses (like yours).  However, it does not stop a spammer from buying his/her own domain name, setting up DKIM on it, and sending email using that now-legitimate sending address.

DKIM will not stop SPAM, but it will force spammers to use their own email addresses, instead of forged ones.  It will stop them from stealing your email address to send email purporting to be from you.  It will make “phishing” attacks much harder (attacks where you get a forged email from your bank, for example, asking you to do something compromising).

2. DKIM can be forged since DKIM details are published in DNS

DKIM signatures cannot be forged.

Your unique DKIM key pair consists of two parts … a “private” key and a “public” key.  The private key is kept only on the servers of your email service provider and is used to sign messages. The public part is published in your DNS (so anyone can see it) and used to verify the signatures.  The public key cannot in any way be used to generate valid signatures or to determine what the secure private key is.  For more information on “asymmetric encryption,” see Section 4 of The Case for Email Security.

3. DKIM encrypts your email

DKIM does not provide any email encryption of any kind.  DKIM merely examines the message content (body and all attachments) and the content of selected headers (e.g. the subject, date, sender, and others), and makes a digital signature or fingerprint of that data.  It then adds the signature / fingerprint to the message headers so that the recipient can verify that:

  1. The message was sent by someone with permission to send email for this domain (per DKIM)
  2. The message content and those selected headers have not been altered in any way since sending.

DKIM signatures provide protection from message modification and message replay, and to a small degree from identity theft, false messages, and repudiation.  They offer no protection at all against eavesdropping, invasion of privacy, or the exposure of unencrypted backups and data at rest.  For these you need to use some form of actual email encryption.

4. An invalid DKIM message signature means that the message was forged

Once you set up or enable use of DKIM in your inbound email filters, you will start seeing messages arrive with no DKIM signatures and invalid DKIM signatures.  It would be wrong to assume that all such messages are illegitimate.  Besides forged email, messages could arrive without a DKIM signature (even if one is supposed to exist, per the domain’s DNS settings) because:

  1. Most common.  The message is arriving from a valid third party system used by the sender which is not yet enabled with DKIM.  Thus, the messages are not signed even though DNS says they should be.  A good example might be credit card receipts coming from a third party merchant services provider which appear to be from your vendor, but which are not signed as they should be.  Are they forged? Maybe not.  If the sender has vendors or servers that can’t send signed messages, then their DNS should indicate that use of DKIM by their domain is “not required”.  Not everyone sets this up properly. And things can change after DKIM is set up.
  2. DKIM Signature headers could be stripped out by some email filtering or processing system that you are using.
  3. The sender may not have DKIM set up yet.

Additionally, a DKIM signature could exist on the message but your systems indicate that this signature is “invalid”.  This does not always mean that the message was forged or maliciously modified.  It could mean:

  1. The message was modified by inbound email filtering software, breaking the DKIM signature.  This usually happens if you are checking DKIM after the message has passed through some other filters that may do things such as:
    1. Modify the message subject (e.g. add the prefix “SPAM: ” to it)
    2. Modify the message body.  E.g. replace images with transparent links, remove some attachments, re-write the message MIME structure, add content of any kind, etc.
  2. The message was modified by the sender after the signature was added.  This is not very common.

So, before you unilaterally discard messages with missing or invalid DKIM signatures, take care that you will not lose email from some legitimate senders and that your own filters are not “messing with” your DKIM analysis in some cases.
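How the key pair of misconception 2 and the signed headers plus body hash of misconception 3 fit together, and why the subject rewrite listed above turns a valid signature into an “invalid” one, as an added example in Go (not code from the original post or from LuxSci). The header list, the canonicalization and the alice/bob message are constructed simplifications of the DKIM process, not a full RFC 6376 implementation.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// bodyHash mimics the "bh=" tag: SHA-256 of the body after DKIM "simple"
// canonicalization (CRLF line endings, trailing empty lines dropped).
func bodyHash(body string) string {
	b := strings.TrimRight(strings.ReplaceAll(body, "\r\n", "\n"), "\n") + "\n"
	sum := sha256.Sum256([]byte(strings.ReplaceAll(b, "\n", "\r\n")))
	return base64.StdEncoding.EncodeToString(sum[:])
}
// signInput is what the signature covers: the headers named in "h=" (fixed
// order, whitespace trimmed) plus the body hash; other headers are unprotected.
func signInput(hdrs map[string]string, body string) []byte {
	var sb strings.Builder
	for _, h := range []string{"from", "to", "subject"} {
		sb.WriteString(h + ":" + strings.TrimSpace(hdrs[h]) + "\r\n")
	}
	sb.WriteString("bh=" + bodyHash(body))
	return []byte(sb.String())
}
// Sign needs the domain's PRIVATE key, which only the sending servers hold.
func Sign(priv *rsa.PrivateKey, hdrs map[string]string, body string) ([]byte, error) {
	d := sha256.Sum256(signInput(hdrs, body))
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
}
// Verify needs only the PUBLIC key (published in DNS); false if anything signed changed.
func Verify(pub *rsa.PublicKey, hdrs map[string]string, body string, sig []byte) bool {
	d := sha256.Sum256(signInput(hdrs, body))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed demo key pair
	hdrs := map[string]string{"from": "alice@example.com", "to": "bob@example.net", "subject": "Invoice 1234"}
	body := "Please find the invoice attached.\r\n" // constructed message body
	sig, _ := Sign(priv, hdrs, body)
	fmt.Println("original verifies:    ", Verify(&priv.PublicKey, hdrs, body, sig))
	hdrs["subject"] = "SPAM: " + hdrs["subject"] // what an upstream filter may do
	fmt.Println("after subject rewrite:", Verify(&priv.PublicKey, hdrs, body, sig))
}
```

Checking DKIM before any filter that rewrites the subject or body, as the list above recommends, keeps the second result from being mistaken for forgery.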

5. Because DKIM digitally signs your email, this is the same as a PGP or S/MIME digital signature that proves who sent the message

DKIM is an electronic digital signature on a message, and like PGP and S/MIME digital signatures, it verifies whether the message was modified and can let you know if the message was sent again (as the date cannot usually be changed without invalidating the signature).  However, DKIM does not provide identity verification like PGP and S/MIME.

With public key cryptography systems like PGP and S/MIME, each individual sender has his/her own unique key.  The recipient of such a signed message can thus verify exactly who signed and sent the message, as presumably no one else possesses the sender’s private signing key.

With DKIM, there is only one signing key for your entire domain.  A valid signature only proves that someone with access to that key sent the message.  Usually, this means someone with access to your email provider’s servers: any individual in your organization, a server administrator at your email service provider, or malicious software that has hijacked one of your users’ email programs and is using it to send out messages through your email service provider (where they are being DKIM-signed).  This is why DKIM does not provide complete protection from identity theft (forgery), falsely sent messages, and the ability of the sender to deny that s/he sent a message.

6. Setting up DKIM with your email service provider protects all email sent by your domain

If you want to use DKIM for signing your domain’s outbound email to help ensure that it cannot be forged, you must be sure that DKIM is enabled on all systems that send email with addresses in your domain.  Sometimes this is harder than it sounds.  Of course, your email service provider should be able to set this up for you, but don’t forget:

  1. Your web site host, if your web site generates email messages from your domain
  2. All vendors.  Many vendors can send you or your customers messages from your domain (e.g. receipts, notifications of blog or forum posts, password reset emails, etc.).  Take inventory of all vendors that send email from your domain and enable DKIM on all that you can.

When you configure DKIM in your DNS, you can specify if DKIM is “required” for your domain or “optional.”   Unless you can be sure that your email provider and all vendors are signing your messages, then you have to set this to “optional”.  However, if it is “optional” then you lose protection against spammers sending forged email purporting to be from your domain.  All you have left is the assurance for your recipients that signed messages have not been modified and are likely from you.  Setting up DKIM “half way” does not really provide the forgery protection that you may want.

7. DKIM can be enabled with the click of a button

Enabling or configuring your inbound email filtering to use DKIM signatures as a criterion can, generally, be done with the click of a button (e.g. in Premium Email Filtering).

However, setting up your email services to use DKIM usually takes a little more effort.  This process involves:

  1. Generating a DKIM key pair
  2. Adding 3 new entries to your domain’s DNS
  3. Enabling DKIM for your domain with your email provider, so that messages are signed with your new key
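What step 2 actually publishes for the key pair from step 1 (and what “the public part is published in your DNS” in misconception 2 looks like), as an added example in Go, not code from the original post or from LuxSci: building the selector TXT record from the public key, and parsing it back the way a receiving server does after its DNS lookup. The selector name selector1 and the domain example.com are placeholders, and only the key record is covered; the other entries in the page’s list of three are not shown.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)
// DKIMRecord builds the TXT value published at <selector>._domainkey.<domain>;
// "p=" carries the public key as base64 of its DER SubjectPublicKeyInfo.
func DKIMRecord(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der), nil
}
// ParseDKIMRecord does what a receiving server does after the DNS lookup: parse
// the tag=value list and decode the key. An empty "p=" means the key is revoked.
func ParseDKIMRecord(txt string) (crypto.PublicKey, error) {
	tags := map[string]string{}
	for _, kv := range strings.Split(txt, ";") {
		if p := strings.SplitN(kv, "=", 2); len(p) == 2 {
			tags[strings.TrimSpace(p[0])] = strings.TrimSpace(p[1])
		}
	}
	if k, ok := tags["k"]; ok && k != "rsa" {
		return nil, fmt.Errorf("unsupported key type %q", k)
	}
	p := strings.Join(strings.Fields(tags["p"]), "") // long keys are often split
	if p == "" {
		return nil, fmt.Errorf("key revoked (empty p=)")
	}
	der, err := base64.StdEncoding.DecodeString(p)
	if err != nil {
		return nil, err
	}
	return x509.ParsePKIXPublicKey(der)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed demo key pair
	rec, _ := DKIMRecord(&priv.PublicKey)
	fmt.Printf("selector1._domainkey.example.com. IN TXT %q\n", rec)
	_, err := ParseDKIMRecord(rec)
	fmt.Println("record parses back to a usable key:", err == nil)
}
```

The private half of the pair never appears in the record, which is why publishing it does not let anyone else sign for the domain.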

LuxSci customers can enable DKIM by filling out one form.  We auto-generate the DKIM keys, auto-enable their use by our servers, and add the new DNS records for you, if you manage your DNS through us (or tell you what to add if you don’t).