DKIM (DomainKeys Identified Mail) :
DKIM stands for DomainKeys Identified Mail and is used for the authentication of an email that is being sent. It is an email security standard designed to make sure messages are not altered in transit between the sending and recipient servers.
It uses public-key cryptography to sign email with a private key as it leaves a sending server. Recipient servers then use a public key published to a domain’s DNS to verify the source of the message, and that the body of the message has not changed during transit. Once the signature is verified with the public key by the recipient server, the message passes DKIM and is considered authentic.
DKIM Best Practices :
Key Length :
Use a minimum of a 1024-bit key length to increase key complexity. Shorter keys, such as 512-bit, are far weaker and can be cracked within 72 hours using inexpensive cloud services.
Rotation :
Keys should be rotated at least twice per year to reduce the period of time the key could be maliciously used to compromise the integrity of email.
Monitoring :
To be able to monitor how receivers are accepting email signed with DKIM, it is recommended to implement DMARC with a “p=none” policy (also referred to as “monitoring mode”). Use DNS to monitor how frequently keys are queried. DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms.
Hashing Standards :
Deprecate the use of SHA1 for hashing and move to SHA256 as per RFC 6376, Section 3.3.
Third Party Mailers :
Organizations should be engaged with anyone that sends mail on their behalf to ensure that their third-party vendor (i.e., their email service provider) complies with these best practices.
Points to keep in mind while creating DKIM Key :
- Make sure that the sending systems you use support DKIM.
- Make sure that the emails are DKIM signed.
- Make sure that the signing domain aligns with the “From” domain.
- Make sure that you use a DKIM key size over 1024 bits (a 2048-bit key is advisable).
- Make sure, where possible, that the DKIM selectors you choose closely identify the sending service so you can distinguish between them.
- Make sure to revoke any keys that have been compromised.
- Make sure that the DKIM keys you manage are rotated on a regular basis.
- Make sure that the DKIM key syntax is correct.
- Make sure that there exists a public key for each corresponding private key that signs your email.
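The following is an added example (not code from the original page) that audits a published DKIM TXT record against the practices above: it parses the tag=value syntax, flags an `h=` tag that still permits sha1, reports an empty `p=` as a revoked key, and measures the RSA modulus by walking the DER SubjectPublicKeyInfo in `p=` with the standard library only. The `build_spki`/`constructed_record` helpers exist solely to construct sample records of a chosen key size; they produce placeholder moduli, not usable keys.

```python
import base64
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1, rsaEncryption

def der_tlv(tag, body):
    n = len(body)  # DER length: short form below 128, long form otherwise
    size = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + body
def der_int(value):
    b = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return der_tlv(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)  # keep INTEGER positive
def build_spki(modulus, exponent=65537):
    """DER SubjectPublicKeyInfo for an RSA key; used here only to construct sample records."""
    rsa_key = der_tlv(0x30, der_int(modulus) + der_int(exponent))
    alg_id = der_tlv(0x30, RSA_OID + b"\x05\x00")
    return der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + rsa_key))

def read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln
def rsa_modulus_bits(spki):
    """SubjectPublicKeyInfo -> skip AlgorithmIdentifier -> BIT STRING -> RSAPublicKey -> n."""
    _, body, _ = read_tlv(spki, 0)
    _, _, pos = read_tlv(body, 0)
    _, bitstr, _ = read_tlv(body, pos)  # first byte of a BIT STRING is the unused-bit count
    _, rsa_key, _ = read_tlv(bitstr[1:], 0)
    return int.from_bytes(read_tlv(rsa_key, 0)[1], "big").bit_length()

def audit_dkim_record(txt):
    """Findings for one DKIM TXT record; an empty list means it meets the practices above."""
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    findings = []
    if tags.get("v", "DKIM1").strip() != "DKIM1":
        findings.append("v= must be DKIM1 when present")
    if "sha1" in tags.get("h", "").replace(" ", "").split(":"):
        findings.append("h= still permits sha1; restrict to sha256 (RFC 6376, Section 3.3)")
    p = "".join(tags.get("p", "").split())  # folding whitespace is allowed inside p=
    if not p:
        findings.append("p= is empty: key is revoked, retire this selector")
        return findings
    bits = rsa_modulus_bits(base64.b64decode(p))
    if bits < 2048:
        findings.append(f"{bits}-bit key: " + ("below the 1024-bit minimum" if bits < 1024 else "2048-bit is advisable"))
    return findings
def constructed_record(bits, h="sha256"):
    p = base64.b64encode(build_spki((1 << (bits - 1)) | 1)).decode()  # constructed, not a real key
    return f"v=DKIM1; k=rsa; h={h}; p={p}"
```

To audit a live selector, pass the TXT record fetched from `<selector>._domainkey.<domain>` to `audit_dkim_record`; the checker sizes RSA keys only.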