DomainKeys Identified Mail (DKIM) – Phishing protection

DKIM is a standard for answering the old security question "is this email really from the author?". As the related standard Author Domain Signing Practices (ADSP, RFC 5617) has just been approved, it is timely to tell you about it.

DKIM, like PGP and S/MIME signatures, answers this question with a digital signature over the email content. DKIM differs in that it is designed to be applied and verified at the email gateway rather than by the end user, the signing domain's public key is published in DNS, and, just as importantly, selected email headers are signed along with the body.

This gives the receiving email server a fairly effective way to validate whether an email was sent through a server under the control of the author's domain. Through ADSP DNS records the author domain can advise receiving servers that it signs all of its email, and can encourage them to discard email that is unsigned or carries a broken DKIM signature.

Because ADSP validation is keyed on the From: address, it is effective at protecting users from phishing and social-engineering emails that forge a correct From: address. DKIM is not effective at preventing spam, as any spammer can DKIM sign emails with their own domain.
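To make the two preceding paragraphs concrete, here is an added example (not CAcert's code, nor any particular mail gateway's) of how a receiver combines a DKIM verification result with the author domain's ADSP record to reach a disposition. The DNS answers, the sample messages and the signature check are all constructed stand-ins so the script runs offline: `ADSP_RECORDS` replaces the TXT lookup of `_adsp._domainkey.<domain>`, and `stub_verify` treats a signature as cryptographically valid only when its `b=` tag is the literal token `VALID`. The decision logic is the part that matters: a valid signature only counts for ADSP if its `d=` domain is the From: domain, which is exactly why a spammer signing with their own domain gains nothing against a domain that publishes `dkim=discardable`.

```python
"""ADSP disposition for incoming mail (added example; DNS and crypto are stubbed)."""
import re
from email import message_from_string

# Constructed stand-in for TXT lookups of _adsp._domainkey.<domain>.
# mail.example deliberately publishes no record and so is "unknown".
ADSP_RECORDS = {
    "_adsp._domainkey.bank.example": "dkim=discardable",
    "_adsp._domainkey.news.example": "dkim=all",
}

# Constructed sample messages, one per case the text describes.
SAMPLE_MESSAGES = {
    # Spammer signs with their own domain but forges the bank's From: address.
    "phish_signed_by_spammer": (
        "From: alerts@bank.example\n"
        "DKIM-Signature: v=1; a=rsa-sha256; d=spammer.example; s=sel;\n"
        " h=from:subject; bh=bodyhash; b=VALID\n"
        "Subject: Verify your account\n\nbody\n"
    ),
    # Genuine mail signed by the author domain itself.
    "legit_bank_mail": (
        "From: alerts@bank.example\n"
        "DKIM-Signature: v=1; a=rsa-sha256; d=bank.example; s=sel;\n"
        " h=from:subject; bh=bodyhash; b=VALID\n"
        "Subject: Statement ready\n\nbody\n"
    ),
    # Author-domain signature present but it does not verify (e.g. body altered).
    "bank_mail_broken_signature": (
        "From: alerts@bank.example\n"
        "DKIM-Signature: v=1; a=rsa-sha256; d=bank.example; s=sel;\n"
        " h=from:subject; bh=bodyhash; b=BROKEN\n"
        "Subject: Statement ready\n\nbody\n"
    ),
    # Unsigned mail from a domain that says it signs everything (dkim=all).
    "unsigned_from_all_domain": "From: list@news.example\nSubject: Digest\n\nbody\n",
    # Unsigned mail from a domain with no ADSP record at all.
    "unsigned_no_policy": "From: bob@mail.example\nSubject: Hi\n\nbody\n",
}


def parse_tag_list(value):
    """Parse a DKIM-style tag=value list (RFC 6376 / RFC 5617) into a dict.

    Folding whitespace inside values (common in b=) is removed.
    """
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def author_domain(msg):
    """Domain of the From: address, lowercased, or None if there is none."""
    m = re.search(r"@([A-Za-z0-9.-]+)", msg["From"] or "")
    return m.group(1).lower() if m else None


def adsp_practice(domain, lookup=ADSP_RECORDS.get):
    """Return 'unknown', 'all' or 'discardable' for the author domain."""
    record = lookup("_adsp._domainkey." + domain)
    if record is None:
        return "unknown"
    practice = parse_tag_list(record).get("dkim", "unknown")
    return practice if practice in ("all", "discardable") else "unknown"


def stub_verify(msg, tags):
    """Stand-in for the cryptographic check of one DKIM-Signature.

    A real verifier canonicalizes the h= headers and the body, fetches the
    public key from <s>._domainkey.<d> and checks the RSA signature in b=.
    Here (constructed) a signature is valid iff b= is the literal token VALID.
    """
    return tags.get("b") == "VALID"


def has_author_domain_signature(msg, domain, verify):
    """True if a DKIM-Signature verifies AND its d= equals the From: domain.

    That is an "Author Domain Signature" in RFC 5617 terms; a valid
    signature from any other domain does not satisfy ADSP.
    """
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tag_list(sig)
        if tags.get("d", "").lower() == domain and verify(msg, tags):
            return True
    return False


def adsp_disposition(raw_message, verify=stub_verify, lookup=ADSP_RECORDS.get):
    """Decide accept / suspicious / discard for one message."""
    msg = message_from_string(raw_message)
    domain = author_domain(msg)
    if domain is None:
        return "no_author_domain"  # nothing to evaluate the policy against
    if has_author_domain_signature(msg, domain, verify):
        return "accept"
    practice = adsp_practice(domain, lookup)
    if practice == "discardable":
        return "discard"      # domain asked that unsigned/broken mail be dropped
    if practice == "all":
        return "suspicious"   # domain signs everything, but did not ask for discard
    return "accept"           # no policy published


def evaluate_samples():
    """Disposition for every constructed sample message."""
    return {name: adsp_disposition(raw) for name, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(f"{name:28s} -> {result}")
```

Note that the `dkim=all` case is only flagged as suspicious, not discarded: RFC 5617 reserves discarding for `dkim=discardable`, which is why a domain should be sure it really signs every message, including automated ones, before publishing that record.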

To reap the benefits of DKIM you will need to deploy a DKIM signing and verifying product or service on your email gateways and follow the deployment guide.

CAcert has been signing personal emails and some mailing list emails for over a year and is moving to sign all automated emails before deploying an ADSP DNS record. DKIM email validation has also been running for over a year without any problems.
