Skip to content

User's guide to DKIM

DKIM stands for DomainKeys Identified Mail. DKIM can be thought of as a sort of digital signature on all of your mail. When you send out mail with DKIM enabled, it has your unique signature attached to it and the recipient's server can be certain of it's authenticity.

Consequently, if someone else sends mail under your name when you have DKIM enabled, the recipient (or their spam filter) will see that the mail doesn't have your signature and therefore is not authentic mail. This can occasionally have adverse affects when forwarding emails repeatedly, which can cause the recipients to receive email from a potential unsafe sender who does not carry your same DKIM signature, causing it to be incorrectly marked inauthentic, however, this is very rare.

You may find more in depth information on the DKIM standard on their site

Explaining DKIM with Alice, Bob, and Mallory

Let's use an analogy involving Alice, Bob, and Mallory to understand how DKIM works:

  1. Alice owns a company called ExampleCorp and sends legitimate emails to her clients using her domain (example.com).

  2. Bob is one of Alice's clients. Bob regularly receives emails from Alice's domain and wants to ensure that these emails are truly from ExampleCorp and have not been tampered with.

  3. Mallory is a malicious actor who wants to trick Bob into believing that an email she sends is from ExampleCorp. Mallory attempts to send an email to Bob, pretending to be from ExampleCorp's domain (example.com).

Here's how DKIM helps prevent Mallory's spoofing attempt:

  • Alice generates a pair of cryptographic keys: a private key and a public key. The private key is kept secret and used to sign outgoing emails. The public key is published in the DNS records of her domain (example.com).

  • Alice's mail server uses the private key to add a digital signature to the header of each outgoing email. This signature is unique to each email and is based on the content of the email and the private key.

  • Bob's email server receives an email claiming to be from example.com. Before delivering the email to Bob, Bob's email server checks the DKIM signature in the email header.

  • Bob's email server queries the DNS for example.com to retrieve the public key and uses it to verify the DKIM signature:

  • If the signature is valid, it means that the email was indeed sent by Alice and has not been altered in transit. Bob's email server then delivers the email to Bob's inbox.
  • If the signature is invalid or missing, it means that the email might be spoofed or tampered with. Depending on the policy, Bob's email server can reject the email, mark it as suspicious, or deliver it with a warning.

In this analogy: - Alice represents the legitimate domain owner who wants to ensure her emails are trusted by recipients. - Bob represents the recipient who wants to verify that the emails are genuinely from ExampleCorp and have not been altered. - Mallory represents the malicious actor trying to spoof Alice's domain.

By using DKIM, Alice ensures that her emails are signed with a unique signature that can be verified by Bob, making it harder for Mallory to successfully spoof her emails and trick Bob.

Enabling or disabling DKIM

  1. Navigate to the Fused client area
  2. Select services.
  3. Select the green active next to the relevant account
  4. Select Login to cPanel on the left.
  5. Use the search function to search for dkim
  6. From here, you can enable or disable dkim as needed.