Protecting Your Brand From Phishing: How to Create a DKIM Record

Because sites that are subject to attacks from spam and phishing emails do not always know that there is a problem, they often rely on their subscribers to tell them that something is wrong. Now, by implementing DMARC, senders and receivers can be more proactive when fighting spammers. In order to benefit from DMARC, you'll need to be signing your emails with both SPF and DKIM. Yesterday, I discussed how to create an SPF record, and today I'll talk about creating and publishing a DKIM record.

DKIM, or DomainKeys Identified Mail, is a cryptographic approach to authenticating email. It was developed in part to solve some of the issues that SPF can't solve, such as forwarded email.

The steps to utilising DKIM are:

  1. Inventorise all of your sending domains. Tracking all of the domains that you are mailing from is an often overlooked step. Many organisations use different vendors for deploying email, like marketing messages, customer service messages and corporate email. I highly recommend using Reputation Monitor or Sender Score to verify you haven't missed any domains. If you're using Sender Score, enter your domain and then look at the bottom of the page where it says "Related Sending Domains" for further insights into domains that are sending email using your domain or brand without your knowledge. It's also wise to check with those in charge of customer service, client services, your internal IT email admin and of course your email service provider to verify that they are signing your emails with DKIM.
     
  2. Install and configure DKIM on your email server. Because all outgoing email will need to be signed, you will need to install a DKIM package specifically for your email server. To verify your platform has available DKIM software, you can check DKIM.org's site, or check with your vendor. If you're using an email service provider, you will need to work with them on setting up your DKIM record. If you need help with installation, you can contact Return Path.
     
  3. Create a public and private key pair. There are a lot of DKIM wizards, but I will use Port 25's as an example in this post as it's so simple that anyone can use it. If wizards aren't your thing, you can generate your own key pair using openssl too. Now, enter the From: domain that you are authenticating (not the return-path domain that we used for SPF in my last post). Enter the selector name. I recommend this be descriptive of the type of email you are sending, like marketing, or newsletter. Also, ensure your key is 1024-bit or higher (Port 25 doesn't have an option for anything lower, but if you are using your own tools, 1024 is required). A descriptive selector name is only a recommendation, however: any selector name works, and many admins will just use "selector." If you have questions on the best way to set this up for segmentation and policy purposes, you can contact Return Path for further advice.
     
  4. Publish your public key. The DKIM wizard should now have given you a selector record. This record includes the DKIM subdomain that will store the public key, which is a combination of the selector name and the domain. For example, domain.com with a selector of marketing will have the public key stored at marketing._domainkey.domain.com. You will publish your public key in a TXT record at that name. Most people will need to work with their system administrator to publish this, or if you're using a hosted solution, most will allow you to set this up in their interface.
     
  5. Store your private key. Your private key will also be generated by the wizard and will need to be stored where your DKIM package specifies.
     
  6. Configure your email server. You will need to do further configuration of your system which will require you to refer to the installation instructions for your particular server or you will need to consult with your vendor.
     
  7. Test! If you've successfully configured everything on your system, now all you need to do is test. Send an email from your email server to checkmyauth@auth.returnpath.net. You will receive an email back letting you know if DKIM passed or failed, including a warning if your key isn't strong enough.
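As an added example (not from the post or from Return Path), the Python below turns the public key from step 3 into the selector._domainkey TXT record of step 4 and then checks a published record's key size, the same strength check the step 7 tester warns about. It assumes an RSA key in the PEM "PUBLIC KEY" form that openssl rsa -pubout and most wizards emit, and parses its DER directly so it needs no third-party library; the key values used for any trial are constructed, not real keys.

```python
import base64

RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")  # AlgorithmIdentifier: rsaEncryption, NULL params

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v):  # the spare byte keeps the top bit clear, so the INTEGER stays positive
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def rsa_spki(n, e):
    """DER SubjectPublicKeyInfo for modulus n and exponent e: the payload of a PEM 'PUBLIC KEY'."""
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, RSA_ALG_ID + _der(0x03, b"\x00" + rsa_key))

def _der_read(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low bits give the number of length octets
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def modulus_bits(spki):
    """Walk SPKI -> BIT STRING -> RSAPublicKey and return the modulus size in bits."""
    _, body, _ = _der_read(spki)
    tag, alg, pos = _der_read(body)
    if _der(tag, alg) != RSA_ALG_ID:
        raise ValueError("not an rsaEncryption key")
    _, bitstr, _ = _der_read(body, pos)
    _, rsa_key, _ = _der_read(bitstr, 1)  # offset 1 skips the unused-bits octet
    _, n, _ = _der_read(rsa_key)
    return int.from_bytes(n, "big").bit_length()

def dkim_dns_record(selector, domain, public_key):
    """Return (owner name, TXT value) to publish; accepts the PEM 'PUBLIC KEY' text or raw DER bytes."""
    if isinstance(public_key, str):  # strip the PEM armour the wizard or 'openssl rsa -pubout' adds
        public_key = base64.b64decode("".join(l for l in public_key.splitlines() if "-----" not in l))
    return f"{selector}._domainkey.{domain}", "v=DKIM1; k=rsa; p=" + base64.b64encode(public_key).decode()

def check_dkim_txt(txt, minimum_bits=1024):  # -> (key bits, strong enough?)
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if t.strip())
    bits = modulus_bits(base64.b64decode("".join(tags["p"].split())))  # DNS may fold p= over several strings
    return bits, bits >= minimum_bits
```

Run check_dkim_txt against the value you get back from a TXT lookup of the selector name to confirm the record the world sees carries the key you meant to publish, and that it clears the 1024-bit floor.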

Implementing DKIM requires a high degree of planning and resources in most cases. We at Return Path can help you with the implementation, policy planning and enforcement and testing of DKIM. Contact us to find out how we can help.