
DKIM Records: How To Create and Add Them To Your DNS

What is a DKIM record?

DKIM is an open standard for email authentication that helps protect email senders and recipients from spam, spoofing, and phishing. It allows an organization to claim responsibility for a message in a way that the receiver can validate. It is an email security standard designed to make sure messages aren’t altered in transit between the sending and receiving servers.

It adds a signature header to the email, secured with a public/private key pair and a certificate. The signature acts as a watermark for the email, so that receivers can verify that the email came from the domain it claims to come from and hasn’t been tampered with.

Every DKIM signature contains all the information an email server needs to verify whether the signature is genuine, and it is signed with a pair of DKIM keys. The originating server holds the private key; the receiving mail server or ISP verifies the signature with the other half of the key pair, the public key. The public key is published in the DKIM record in your domain’s DNS as a TXT record.

A DKIM selector is used to tie these signatures to the right key. The DKIM selector is a string used by the outgoing server to locate the private key that signs the email message, and by the receiving server to locate the public key that verifies whether the email message came from a trusted source.

Every time a private/public key pair is generated, a tuple { selector, private key, public key } is created, where the selector identifies that private key and public key.

How do I create a DKIM record for a domain?

  1. Create a list of all sending devices and domains

First, create a list of all the sending devices and domains (such as marketing campaign platforms or invoice generators, also referred to as ESPs) that are authorized to send email on your behalf.

  2. Generate public and private keys

Generate a private/public key pair using a dedicated tool. The private key stays on the server or service that sends the email, and the public key is published as a DNS TXT record.

  3. Configure the DNS server with the public key

Now create the DKIM TXT record from the domain, selector, and public key. The record’s name is the authorized domain with the selector as a prefix.

How to add the DKIM record to your DNS?


You add the DKIM record by publishing your public key in your DNS as a text (TXT) record. Check with your DNS provider whether their input field allows more than 255 characters. If it does not, you may need to raise the limit or create the TXT record yourself. After that, save the private key on your SMTP server or MTA (mail transfer agent).
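As an added example (not the page’s or ProDMARC’s code), here is how the record from step 3 is assembled and split to respect the 255-character TXT string limit mentioned above. It assumes selector s1, domain example.com, and a constructed byte string in place of a real DER-encoded public key; the record layout follows RFC 6376.

```python
import base64

def build_dkim_record(selector: str, domain: str, public_key_der: bytes) -> tuple:
    """Return (owner name, TXT value) for publishing a DKIM public key.
    Per RFC 6376 the name is <selector>._domainkey.<domain> and the value
    carries the base64 SubjectPublicKeyInfo in the p= tag."""
    name = f"{selector}._domainkey.{domain}"
    value = "v=DKIM1; k=rsa; p=" + base64.b64encode(public_key_der).decode()
    return name, value

def split_txt_strings(value: str, limit: int = 255) -> list:
    """One TXT <character-string> holds at most 255 bytes, so a 2048-bit key
    (about 400 base64 characters) is published as several strings that the
    verifier concatenates in order."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]

def zone_line(name: str, value: str) -> str:
    """Zone-file form of the record, with the value already split."""
    quoted = " ".join(f'"{s}"' for s in split_txt_strings(value))
    return f"{name}. IN TXT ( {quoted} )"

def reassemble_txt(strings: list) -> str:
    """What a receiver does with the strings DNS returns for the record."""
    return "".join(strings)

# Constructed stand-in for a DER-encoded public key (NOT a real key). 294 bytes
# is the size of a 2048-bit RSA SubjectPublicKeyInfo, so the base64 form
# exceeds 255 characters and must be split.
FAKE_PUBKEY_DER = bytes(i % 256 for i in range(294))

if __name__ == "__main__":
    name, value = build_dkim_record("s1", "example.com", FAKE_PUBKEY_DER)
    print(zone_line(name, value))
```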

How can I test if I set up DKIM correctly?

Once you’ve set up DKIM for an email service, send a message to an email address you manage and check the DKIM-Signature and Authentication-Results headers to confirm that DKIM passed. You can also use DMARC reports to check that messages sent using your domain are correctly authenticated with DKIM and SPF.

Relation between DKIM and DMARC

What is DMARC?

DMARC stands for “Domain-based Message Authentication, Reporting, and Conformance.” It is an email authentication, policy, and reporting protocol that is built around both SPF and DKIM.

You might be wondering why DMARC is necessary when both DKIM and SPF are already in use. It ensures that when an email is received, the information in both records matches the “friendly” domain that the user sees and the From address contained in the message’s header. A DMARC record is created once you have both SPF and DKIM in place. Many domains don’t have SPF or DKIM set up, so the best way forward is through DMARC implementation tools. DMARC setup is similar to that of SPF: it is a simple one-line entry in the domain’s DNS records. It ties the DKIM and SPF protocols together with a consistent set of policies. You can run a DMARC test to verify whether the record is published correctly and to check where your DMARC reports are being sent.

Conclusion

We hope you find this article insightful. You can also hire a DKIM service provider who can make this process easy for you; since it is a technical process, hiring a service provider may be the better option. ProDMARC assists you in ensuring DMARC implementation with both the company and third-party vendors. ProDMARC, a product built on a mission to achieve safe and spoofing-free email networks across the entire internet, provides DMARC reporting with the volumes and patterns of outbound mail, including phishing campaigns, and yields proof of outbound mail reliability in terms of SPF, DKIM, and DMARC compliance. Get started with top-class cybersecurity solutions for your business at ProgIST. Get in touch with us for the best cybersecurity solutions.


What is the DKIM selector and how does it work?

There are 150,465 live websites using DKIM.

But what is DKIM?

DKIM stands for DomainKeys Identified Mail, an email authentication technique that helps the receiver check whether the email was sent and authorized by the owner of that domain. It does this by giving the email a digital signature: a header added to the message and secured with encryption. DKIM signatures are not visible to end users; validation is done at the server level.

What is a DKIM selector?

The DKIM selector is a string used by the outgoing server to locate the private key that signs the email message, and by the receiving server to locate the public key that verifies whether the email message came from a trusted source.

Every time a private/public key pair is generated, a tuple { selector, private key, public key } is created, where the selector identifies that private key and public key.

How does the DKIM selector work?


When the signing server chooses a selector, it uses that selector to find the private key, which is accessible only to the server, and signs the message with it. Once the signature is generated, the DKIM selector is inserted in the email headers as an s= tag, and the email is sent.

Let us understand by the following example:

Suppose the selector chosen by the signing server is s1; the tag will then look like s=s1. The selector can be any arbitrarily chosen string, such as itismyselector1122, as long as it points to a valid private/public key pair.

Here is a practical example of a DKIM-Signature header:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dmarcly.com; h=content-transfer-encoding:content-type:from:mime-version:subject: x-feedback-id:to; s=s1; bh=jCC0oQBCKfJ10bCI3PCG52Zwowyeh1haGJPACkWN9F4=; b=GzLBVZ0M1hMt1Y7hVT+ajaNrswTv+/FFVMrcaixD70hpTJwAmNwZUKJIzLslSC+iWHby 9gm+yfx6Z1qnXIL6qgBPnlZD4zwyK4D3Umd1je82jniuD7RJWYDqJH0zL+EevCDdoVZGmT IlxzZB6v95bws6539z/5qee+Xmu5KYe4Y=

Here the DKIM selector used in the DKIM signature is s=s1.

When the email reaches the receiving server, the server automatically looks at the email headers to locate the s= tag. If the tag is present, the server extracts the selector from it and uses it, together with the d= domain, to look up the public key in DNS.

When the public key is found, the server uses it to check the signature and verify the integrity of the message. If the integrity is verified, DKIM authentication succeeds; otherwise it fails.

If no public key is found, DKIM authentication fails.

How do I find my DKIM selector?

A DKIM selector is specified when the private/public key pair is created and set up for the email sender, and it can be any random or arbitrary string of text.

The selector is inserted into the DKIM-Signature email header as an s= tag when the email is sent. The easiest way to discover the selector for your domain is to send an email to yourself.

When you open the email, view its “original message”. Your focus here is the header information, which includes all the DKIM authentication results.

Search the headers for “DKIM-Signature” to find out whether a DKIM signature was applied to the message. If there are multiple DKIM-Signature headers, find the one that contains your domain (the d= tag). That signature’s “s=” attribute is the selector used.
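The receiver-side steps above (extract s= and d=, build the DNS name, fail when no key exists) and the header inspection just described, as an added example that is not part of the original post. It assumes a constructed message whose b= value is a placeholder and a dictionary standing in for the DNS lookup; the body-hash check it performs is the bh= step from RFC 6376, which a verifier runs before touching the public key.

```python
import base64
import hashlib
import re

def parse_dkim_signature(header: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs. Folding
    whitespace inside a value (as in the h= and b= tags) is dropped."""
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def dkim_dns_name(tags: dict) -> str:
    """Where the receiver looks for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def relaxed_body(body: str) -> bytes:
    """RFC 6376 'relaxed' body canonicalization: trailing WSP stripped per
    line, runs of WSP collapsed to one space, trailing empty lines removed,
    CRLF line endings; an empty body canonicalizes to zero bytes."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t"))
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""

def body_hash(body: str) -> str:
    """The bh= value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def check_body_hash(tags: dict, body: str) -> bool:
    """First thing a verifier checks; a tampered body fails here before any
    public-key work on b= is attempted."""
    return tags.get("bh") == body_hash(body)

# Constructed stand-in for a DNS lookup (not real zone data).
FAKE_ZONE = {"s1._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_KEY"}

def lookup_public_key(tags: dict, zone: dict = FAKE_ZONE):
    """None means no DKIM record was found, so authentication fails."""
    return zone.get(dkim_dns_name(tags))

# Constructed message; the b= value is a placeholder, not a real signature.
BODY = "Hello   world \r\n\r\nSecond line\t\tdone\r\n\r\n\r\n"
HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1;\r\n"
          " h=from:to:subject; bh=" + body_hash(BODY) + ";\r\n b=PLACEHOLDER_SIG")

if __name__ == "__main__":
    tags = parse_dkim_signature(HEADER)
    print(dkim_dns_name(tags), check_body_hash(tags, BODY), lookup_public_key(tags))
```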

Relationship between DKIM and DMARC

DMARC stands for “Domain-based Message Authentication, Reporting, and Conformance.” It is an email authentication, policy, and reporting protocol that is built around both SPF and DKIM.

Now you might be wondering why DMARC is necessary if it uses both DKIM and SPF. It ensures that when an email is received, the information in both records matches the “friendly from” domain that the user actually sees and the From address contained in the message’s header. A DMARC record is created once you have both SPF and DKIM in place. Many domains don’t have SPF or DKIM set up, so the best way forward is through DMARC implementation tools. DMARC setup is similar to that of SPF: it is a simple one-line entry in the domain’s DNS records. It ties the DKIM and SPF protocols together with a consistent set of policies.

Now, why do we need to use SPF, DKIM, and DMARC together?

The combination of these security protocols helps combat spam and spear phishing. Many networks are compromised through these channels, so IT managers are looking for a better solution. Along with the rise in ransomware, which is often preceded by spear-phishing emails, enterprises are increasingly motivated to protect their email infrastructure.

Each of the elements (SPF, DKIM, and DMARC) solves a somewhat different piece of the email puzzle to prevent phishing emails and spam. This is accomplished through a combination of standard authentication and cryptographic tools, such as public/private key signing, and special DNS records that authenticate email coming from your domains.

Also, the internet’s email protocols have evolved significantly, and email is now used by everyone for everyday communication. When the email infrastructure implements all of these protocols, messages cannot be easily forged, and you can block them from ever darkening your users’ inboxes.

Conclusion

DKIM is an email authentication technology that has been around since 2005. It is a method of adding a tamper-proof seal to emails and ensuring that they are protected and safe. DMARC combines the elements of DKIM and SPF and provides a secured way to deal with spam and spear phishing.

ProDMARC is a user-friendly DMARC email protection solution that acts as your expert guide to help you move as quickly as possible to a reject policy. ProDMARC is a SaaS solution that enables organizations to handle complex DMARC deployments with ease. Across all email networks, the solution offers 360-degree visibility and governance. 

Contact us for the best email authentication solutions.


What does a DMARC record look like and how do I generate it?

A DMARC record is a DNS TXT record published in your public DNS. The DMARC version tag (v=DMARC1) identifies it as a DMARC record, so a receiver that queries your public DNS recognizes it as yours.

The policy tag (p=) is the DMARC policy you set for emails that fail SPF and DKIM authentication; in other words, it’s the action you recommend to email receivers for messages you haven’t approved as legitimate. Depending on the results of your DMARC report analysis, you can choose from three different policies.


The DMARC aggregate-report tag (rua=) holds the email address to which DMARC aggregate reports are sent. These reports are usually forwarded to a DMARC analyzer for further review. They provide information about the origins of your emails as well as the results of your SPF and DKIM authentication on the receivers’ end. This data is used to classify and authenticate all valid email sending sources.

ProDMARC assists you in quickly generating DMARC records. You can generate a sample DMARC record with ProDMARC. You configure DMARC by applying policies to your domain’s DNS records in the form of TXT records once SPF and DKIM are in place (just like with SPF or DKIM).

DMARC was aimed at:

  • Reducing false negatives
  • Providing authentication reports
  • Applying sender policies at the receiving end
  • Reducing phishing
  • Being scalable

1. Example

“v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@dmarcdomain.com” 

In this scenario, the sender defines the policy such that the receiver outright rejects all non-aligned messages and sends a report about the rejections to a specific email address. If the sender used the “quarantine” setting instead, the record would look like:

“v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@dmarcdomain.com”

and would request that the receiving end quarantine the message. In the next example, if a message claims to be from your_domain.com and fails DMARC, no action is taken. Instead, these messages show up in your daily aggregate report, sent to the rua address:

“v=DMARC1; p=none; rua=mailto:postmaster@your_domain.com”

Here is a sample where a message that fails DMARC is quarantined 5% of the time:

“v=DMARC1; p=quarantine; pct=5; rua=mailto:postmaster@your_domain.com”

In this sample, the policy rejects the message 100% of the time and sends the daily report to the specified addresses, including dmarc@your_domain.com:

“v=DMARC1; p=reject; rua=mailto:postmaster@your_domain.com, mailto:dmarc@your_domain.com”.

2. Common tags used in DMARC TXT records:

Tag name   Required   Purpose                                 Sample
v          required   Protocol version                        v=DMARC1
p          required   Policy for the domain                   p=quarantine
pct        optional   % of messages subjected to filtering    pct=20
rua        optional   Reporting URI for aggregate reports     rua=mailto:postmstr@domain.com
sp         optional   Policy for subdomains of the domain     sp=r
aspf       optional   Alignment mode for SPF                  aspf=r

Only the v (version) and p (policy) tags are required. Three possible policy settings are available:

  • none – Take no action. Only log the affected messages in the daily report.
  • quarantine – Mark affected messages as spam.
  • reject – Refuse the message at the SMTP layer.

The process by which sender records are compared to SPF and DKIM signatures is known as DMARC alignment mode. There are two possible values: relaxed “r” or strict “s.” Relaxed alignment allows partial matches, such as subdomains, whereas strict alignment demands an exact match.

If you use the optional rua tag, make sure to include an email address where the regular reports will be sent.

3. Deploy your DMARC policy slowly

Since the DMARC specification recognizes that scaling out deployment all at once can be difficult for some organizations, it includes built-in methods for “throttling” DMARC processing so that full deployment can be reached in stages over time.

The first step is to keep an eye on your traffic and reports. Assess the vulnerabilities (where messages are sent without being digitally signed or from invalid source IP addresses) and use SPF and DKIM records to address them.

As you become more comfortable with the findings from your regular aggregate reports, adjust the action in your policy to start quarantining by changing the p tag in your DMARC TXT record to “quarantine”. Keep an eye on your daily reports.

After you’ve been tracking your traffic and regular reports for a while and are certain that the sources seen sending traffic on behalf of your domain are all digitally signed, you can proceed to the next phase, which is modifying the policy to use the “reject” tag to completely deploy DMARC. Monitoring your reports and your spam feed is an essential part of maintenance for DMARC compliance.

It’s also worth noting that the pct tag, which is optional, can be used to sample your DMARC implementation in increments. Since 100% is the norm, setting “pct=20” in your DMARC TXT record causes one-fifth of all messages affected by the policy to receive the disposition rather than all of them. When you want to quarantine and reject mail, this setting is particularly useful. Start with a lower percent to begin with, and increase it every few days.

When you are ready to complete the DMARC setup, remove the percentages from your policies so that the full action of “quarantine” and “reject” is now functioning at 100%. As always, monitor your daily reports.
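The record examples, the tag table with its alignment modes, and the pct-based staged rollout above, as one added example that is not ProDMARC’s code: a DMARC record parser plus the receiver-side disposition logic. It assumes your_domain.com and example.com as placeholder domains, and its alignment check approximates the organizational-domain comparison without a public-suffix list.

```python
VALID_POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag dict, filling in the defaults a
    receiver applies (pct=100, relaxed alignment) and rejecting bad records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in VALID_POLICIES:
        raise ValueError("v=DMARC1 and a valid p= tag are required")
    tags["pct"] = int(tags.get("pct", "100"))
    if not 0 <= tags["pct"] <= 100:
        raise ValueError("pct must be between 0 and 100")
    tags["rua"] = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' also accepts a
    parent/subdomain relationship. This approximates the organizational-domain
    test without a public-suffix list (simplification)."""
    if from_domain == auth_domain:
        return True
    return mode == "r" and (auth_domain.endswith("." + from_domain)
                            or from_domain.endswith("." + auth_domain))

def disposition(tags: dict, from_domain: str, dkim_domain, spf_domain, draw: int) -> str:
    """Action for one message. dkim_domain / spf_domain are the domains that
    passed DKIM (d=) and SPF, or None when that check failed. `draw` (0-99)
    stands in for the receiver's random sample against pct; messages outside
    the slice get the next weaker action, as RFC 7489 prescribes."""
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, tags["adkim"])
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, tags["aspf"])
    if dkim_ok or spf_ok:
        return "pass"
    if draw < tags["pct"]:
        return tags["p"]
    return {"reject": "quarantine", "quarantine": "none", "none": "none"}[tags["p"]]

# The staged rollout described above, as records (constructed; your_domain.com
# is a placeholder domain).
ROLLOUT = [
    "v=DMARC1; p=none; rua=mailto:postmaster@your_domain.com",
    "v=DMARC1; p=quarantine; pct=5; rua=mailto:postmaster@your_domain.com",
    "v=DMARC1; p=reject; rua=mailto:postmaster@your_domain.com, mailto:dmarc@your_domain.com",
]

def rollout_dispositions(draw: int, from_domain: str = "your_domain.com") -> list:
    """Fate of a message that passed neither check, at each rollout stage."""
    return [disposition(parse_dmarc(r), from_domain, None, None, draw) for r in ROLLOUT]
```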

4. Use a user-friendly DMARC analyzing software

ProDMARC is a user-friendly DMARC email protection solution that acts as your expert guide to help you move as quickly as possible to a reject policy. ProDMARC is a SaaS solution that enables organizations to handle complex DMARC deployments with ease. Across all email networks, the solution offers 360-degree visibility and governance. Contact us for the best email authentication solutions.