DKIM (Domain Keys Identified Mail)

What is DKIM (Domain Key identified mail)?

Advanced security feature which is used along with SPF to prevent spoofing and phishing attack on the domains. When DKIM is enabled for your domain, all emails sent out from the server will be digitally signed using cryptographic authentication. The receiving server can use this digital signature to determine if the email is legitimate.

DKIM uses a private key to encrypt the header of all outgoing mail. The receiving server will look for the DKIM public key (published in the DNS) of the sending domain to decode the signature. If the mail is coming from an unauthorized server, the signature can’t be decoded there by preventing any spoofing attempt.

How DMARC works?

When sender tenant has DKIM enabled. All emails sent out will have DKIM encryption key or public key embedded in it. This encrypts the email and during the transition if anything happens then the DKIM Public key gets edited.

When email is received at the recipient end, recipient server sends a validation request to the sender domain to verify the public Key against the private key stored in the sender domain record.

If Private key able to decode it then it is going to be considered as a legit email. If not, then email is considered as a SPAM email.

Why DKIM came in picture after SPF?

As there is some drawback with SPF (sender policy framework) in forwarding email cases. Email treated as SPAM due to the Connecting IP change and it gets failed.

SPF and DKIM both work together to make email more secure by looking into each attribute and values. If SPF fails DKIM check and validate the Public Key against the Private key. When it is found DKIM validation is successfully passed then it treats email as legit.

This way email gets delivered in to email.

How to create and publish DKIM?

Publish two CNAME records O365 custom domain in DNS. 

Office 365 automatically performs the key rotation using these two records

For custom domains in addition to the initial domain in Office 365, we require to publish two CNAME records for each additional domain.

Host name: selector1. _domainkey

Points to address or value: **selector1-DOMAIN-com**

TTL: 3600

Host name: selector2. _domainkey

Points to address or value: **selector2-domain-com**.

TTL: 3600

To enable DKIM signing for your custom domain through the Office 365 admin center

Sign into Office 365 with your work or school account.

Select the app launcher icon in the upper-left and choose Admin.

In the lower-left navigation, expand Admin and choose Exchange.

Go to Protection > dkim

Select the domain for which you want to enable DKIM and then, for Sign messages for this domain with DKIM signatures, choose Enable. Repeat this step for each custom domain.

Leave a Comment