Recently we covered the topic of protecting our email identity outside of our organization. Yes, this means finding a way to stop messages that claim to be from us when they really are not. Here is what we first learned about this topic: as previously discussed, the best way to learn in detail what is being spoofed to look like your organization is to start with DMARC. Next, we should take a look at DomainKeys Identified Mail, otherwise known as a DKIM signature. Adding a DKIM signature to each of your outbound email messages is like rubber stamping your signature on a letter. It is a record the recipient can use to verify the validity of an email message before it is delivered into a user's mailbox.
Leveraging a DKIM Record
As discussed, DKIM in its simplest form adds a "signature" to your email message header when your valid email messages leave your organization on their way to the intended recipient. This signature should be enabled within your email gateway product for each of your email sending domains. It is important to note, though, that this signature does not fully work until you add a TXT record to your externally facing DNS that publishes the key recipients use to check this signature. This record will look similar to what is shown below.
v=DKIM1;k=rsa; t=s; p=ABCiJKLgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx2lmftvQ
What these two steps allow for is validation that the email message is yours, provided the recipient organization checks DKIM signatures on incoming messages. Not to worry: as email is spoofed more and more, this is becoming a common and standard check on incoming email messages.
What About Organizations I allow to Send Email on my Behalf?
With the introduction of cloud services we may be obligated to allow these providers to send email on our behalf. If this is the case, those would be considered legitimate email messages. When your organization is ready to allow DMARC to fail spoofed messages, these messages would begin to fail too. So how can you ensure that a third-party cloud provider is able to send email on your behalf with DMARC enabled in your environment? Your email administrator will need to work with that cloud-based vendor to have them enable a DKIM signature for the messages they send on your behalf. Additionally, they must send you the DKIM public key, and it must be added to your organization's external DNS as a DNS TXT record. The format of the DNS TXT record will be the same as in our first example above, except that the name under which the record is published should be received from the third-party provider. This will be some variation of their actual domain name, but will not be their primary domain name.
v=DKIM1;k=rsa; t=s; p=AKLDIiJKLgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx2lmftvQ
Do I already have a DKIM record?
In order to verify if you are already using a DKIM record there are a few different ways to approach this.
- Look at your email message header and verify that there is a DKIM-Signature line with the key name (selector) you are expecting for your email sending domain.
- Check your outgoing email gateway to see if DKIM signing is enabled.
- Check your DNS for DKIM configuration through the following website http://dkimcore.org/tools/dkimrecordcheck.html
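The checks above can be scripted. The following is an added example (not code from the original post) that ties the three pieces together: it reads the DKIM-Signature header of a message to find the selector and domain and the DNS name a verifier would query, sanity-checks a published DKIM TXT record of the form shown earlier (version, key type, base64 of p=, the t= flags), and reports whether each signature's d= domain strictly matches the From domain, which is what DMARC needs before a vendor's signature counts as yours. The message, selectors, domains and record values are constructed placeholders, not real keys or signatures.

```python
import base64
import binascii
from email import message_from_string
from email.utils import parseaddr


def parse_tags(value):
    """Parse a DKIM tag=value list (used by both the DKIM-Signature header and
    the DNS TXT key record) into a dict. Folded whitespace inside values is removed."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, _, val = part.partition("=")
        tags[name.strip()] = "".join(val.split())
    return tags


def dns_name_for_signature(header_value):
    """Return the DNS TXT name (selector._domainkey.domain) a verifier would query
    for this DKIM-Signature header, plus the parsed tags."""
    tags = parse_tags(header_value)
    missing = [t for t in ("v", "a", "d", "s", "h", "bh", "b") if t not in tags]
    if missing:
        raise ValueError(f"DKIM-Signature header is missing tags: {missing}")
    if tags["v"] != "1":
        raise ValueError(f"unsupported DKIM-Signature version {tags['v']!r}")
    return f"{tags['s']}._domainkey.{tags['d']}", tags


def check_key_record(txt):
    """Sanity-check a DKIM public key TXT record as it would be published in DNS."""
    tags = parse_tags(txt)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unknown key type k={tags['k']}")
    p = tags.get("p")
    if p is None:
        problems.append("missing p= tag (no public key)")
    elif p == "":
        problems.append("empty p= means the key is revoked; signatures will not verify")
    else:
        try:
            base64.b64decode(p, validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64 (truncated or corrupted key?)")
    # t=s: the i= identity must be in d= exactly; t=y: testing mode, which
    # tells verifiers to treat failures as if the message were unsigned.
    flags = set(tags.get("t", "").split(":")) - {""}
    if "y" in flags:
        problems.append("t=y testing flag set: verifiers may ignore failures")
    return {"ok": not problems, "problems": problems, "flags": flags}


def dkim_alignment_report(raw_message):
    """For each DKIM-Signature on a message, report the DNS name to query and
    whether d= strictly equals the From domain (DMARC strict alignment).
    Relaxed alignment (organizational-domain match) needs the Public Suffix
    List and is deliberately not implemented here."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    report = []
    for sig in msg.get_all("DKIM-Signature", []):
        name, tags = dns_name_for_signature(sig)
        report.append((name, tags["d"].lower() == from_domain))
    return from_domain, report


# Constructed sample message: one signature under the organization's own domain
# and one under a vendor's own domain. Hash and signature values are placeholders.
SAMPLE_MESSAGE = """\
From: Alice <alice@example.com>
To: bob@example.net
Subject: Quarterly report
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=sel2024; h=from:to:subject; bh=KRcxdu61EPmRuW8eaLjS9WTcmwkYgjGRG6X2Wj51kOo=;
 b=Q29uc3RydWN0ZWQgc2lnbmF0dXJlIHZhbHVlLCBub3QgcmVhbA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=vendor-mail.example;
 s=k1; h=from:to:subject; bh=KRcxdu61EPmRuW8eaLjS9WTcmwkYgjGRG6X2Wj51kOo=;
 b=Q29uc3RydWN0ZWQgc2lnbmF0dXJlIHZhbHVlLCBub3QgcmVhbA==

This is a constructed message body.
"""

# Constructed TXT records; the p= bytes are a placeholder, not a real RSA key.
GOOD_RECORD = "v=DKIM1; k=rsa; t=s; p=" + base64.b64encode(b"placeholder-not-a-real-key").decode()
REVOKED_RECORD = "v=DKIM1; k=rsa; p="
TRUNCATED_RECORD = "v=DKIM1; k=rsa; t=s; p=ABC"

if __name__ == "__main__":
    for label, rec in (("good", GOOD_RECORD), ("revoked", REVOKED_RECORD), ("truncated", TRUNCATED_RECORD)):
        print(label, check_key_record(rec))
    print(dkim_alignment_report(SAMPLE_MESSAGE))
```

In practice you would feed `check_key_record` the TXT value returned by a DNS lookup of the name that `dns_name_for_signature` produces; the second signature in the sample shows the vendor case from the section above, where the signature is valid but does not align with your From domain until the vendor signs with a selector published under your DNS.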
As email abuse continues to rise and security is of utmost organizational importance, understanding DMARC and DKIM is very important. There will be one more post in this series that will help us gain a full understanding of all the components required to protect your email identity.