What is DKIM and why should I use it? How does the setup work?


DKIM, short for DomainKeys Identified Mail, is a method for authenticating email. It lets the recipient check whether a message was really sent on behalf of the domain named in it and whether it has been altered in transit. The recipient verifies the DKIM signature cryptographically, using a public key that the sending domain publishes in DNS.


How does DKIM work?

When a message is sent, the sending mail server automatically adds a DKIM-Signature field to the message header. The signature is created with the domain's private key and covers a hash of the message body and of selected header fields (From, Date, Subject, Reply-To, Sender, To, etc.). The signed fields must not change during transmission, otherwise DKIM verification fails. If the receiving mail server supports DKIM and checks incoming messages for it, the process is as follows:

  1. The sending mail server adds the digital signature to the message header.
  2. The receiving mail server retrieves the public key from the DNS zone of the signing domain (the TXT record at selector._domainkey.domain) and verifies the signature with it.
  3. If the hashes the receiver recomputes match the signed ones, the email is considered authenticated.

How a mail server treats a message with an invalid or missing signature depends on the configuration of the receiving mail server and on the DMARC record of the sending domain.
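To make the three steps above concrete, here is a minimal DKIM signer and verifier in Go. It is an added example written for this article, not EuropeanMX code and not a complete RFC 6376 implementation: it uses relaxed header and simple body canonicalization, a freshly generated RSA key in place of one fetched from DNS, and a constructed sample message. The domain example.com, the selector "test", the list of signed header fields and the tampered variants are all assumptions made for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

const sampleMessage = "From: Alice <alice@example.com>\r\nSubject:  Quarterly   report\r\n" + // constructed sample, not from the page
	"To: bob@example.net\r\nDate: Mon, 1 Jan 2024 10:00:00 +0000\r\n\r\n" +
	"Please find the figures attached.\r\n"

var signedHeaders = []string{"from", "subject", "to", "date"} // becomes the h= tag

// relaxedHeader is RFC 6376 "relaxed" header canonicalization: lower-case name, one space per whitespace run.
func relaxedHeader(line string) string {
	name, value, _ := strings.Cut(line, ":")
	return strings.ToLower(strings.TrimSpace(name)) + ":" + strings.Join(strings.Fields(value), " ") + "\r\n"
}

// bodyHash is the bh= tag: SHA-256 over the "simple"-canonicalized body (exactly one trailing CRLF).
func bodyHash(body string) string {
	h := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(h[:])
}

// headerHash hashes the signed fields in h= order, then the DKIM-Signature field itself with b= empty and no CRLF.
func headerHash(head, tagsWithEmptyB string) [32]byte {
	var sb strings.Builder
	for _, name := range signedHeaders {
		for _, h := range strings.Split(head, "\r\n") {
			if c := relaxedHeader(h); strings.HasPrefix(c, name+":") {
				sb.WriteString(c)
				break
			}
		}
	}
	sb.WriteString(strings.TrimSuffix(relaxedHeader("DKIM-Signature: "+tagsWithEmptyB), "\r\n"))
	return sha256.Sum256([]byte(sb.String()))
}

// Sign returns the value of the DKIM-Signature field for msg (header block, empty line, body).
func Sign(msg string, key *rsa.PrivateKey, domain, selector string) (string, error) {
	head, body, _ := strings.Cut(msg, "\r\n\r\n")
	tags := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(signedHeaders, ":"), bodyHash(body))
	digest := headerHash(head, tags)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return tags + base64.StdEncoding.EncodeToString(sig), nil
}

// Verify recomputes both hashes and checks b= with the public key (a real verifier fetches it from DNS).
func Verify(msg, sigField string, pub *rsa.PublicKey) bool {
	head, body, _ := strings.Cut(msg, "\r\n\r\n")
	tags := map[string]string{}
	for _, kv := range strings.Split(sigField, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(kv), "="); ok {
			tags[k] = v
		}
	}
	if bodyHash(body) != tags["bh"] {
		return false // body modified after signing
	}
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil {
		return false
	}
	digest := headerHash(head, strings.TrimSuffix(sigField, tags["b"]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// DemoResult is Verify's verdict on the original, a copy whose Subject a relay refolded, and two tampered copies.
type DemoResult struct{ Original, Refolded, TamperedSubject, TamperedBody bool }
func Demo() (DemoResult, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return DemoResult{}, err
	}
	sig, err := Sign(sampleMessage, key, "example.com", "test")
	if err != nil {
		return DemoResult{}, err
	}
	pub, m := &key.PublicKey, sampleMessage
	return DemoResult{
		Original:        Verify(m, sig, pub),
		Refolded:        Verify(strings.Replace(m, "Subject:  Quarterly   report", "Subject: Quarterly report", 1), sig, pub),
		TamperedSubject: Verify(strings.Replace(m, "Quarterly", "Falsified", 1), sig, pub),
		TamperedBody:    Verify(m+"P.S. Please wire the payment today.\r\n", sig, pub),
	}, nil
}

func main() { fmt.Println(Demo()) }
```

The Refolded case is the reason relaxed canonicalization exists: a relay that collapses the extra spaces in the Subject does not break the signature, while changing a word in the Subject or appending to the body does. Note that a single private key signs for every selector-bound user, so the key on the signing server is the secret that the whole scheme rests on.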

DKIM can only be used with EuropeanMX if you use the outgoing filter for your domain!

What do we sign in a message by default?

In addition to the body of your message, we also sign the following header fields:

  • From
  • Date
  • Subject
  • Reply-To
  • Sender
  • To
  • Cc
  • Bcc
  • Message-ID
  • In-Reply-To
  • References
  • Content-Type
  • MIME-Version
  • Content-Transfer-Encoding

What advantages does DKIM offer?

Using DKIM for your outgoing messages offers several advantages, for example:

  • Trust building
    The receiving mail server can verify that the incoming message was really sent on behalf of the signing domain.
  • Integrity
    DKIM lets the recipient confirm that important header fields (such as the subject) and the body of the message have not been changed since they were signed.
  • Reputation boost
    The probability that your email is classified as spam decreases.
  • Security
    DKIM reduces the likelihood of your domain being misused for phishing or email spoofing.

If a spammer tries to misuse your domain or email address for his or her own messages, DKIM reduces the chance that those messages reach the recipient, especially when your domain also publishes a DMARC policy that tells receivers how to treat unsigned mail. Most large mail services (such as Yahoo!, Gmail, Web.de) check incoming messages for a valid DKIM signature.


What is the difference between DKIM and SPF?

DKIM and SPF work together to protect email against sender forgery and tampering. Both feed into DMARC (Domain-based Message Authentication, Reporting, and Conformance), but they fulfil different functions. DKIM lets the receiver detect whether the signed parts of an email were manipulated by third parties and ties the message to the signing domain. SPF, on the other hand, checks whether the server that delivered the message is authorized to send for the sender domain.

Like DKIM, SPF is configured as a TXT record in the DNS of the domain. This record lists all mail servers that are authorized to send email on behalf of the domain. If an attacker sends mail from an unauthorized server using your domain as the envelope sender, the SPF record lets the recipient's mail server detect and block such messages before they reach the inbox. Note that SPF checks the envelope sender (MAIL FROM / Return-Path), not the From: header the user sees; tying the two together is the job of DMARC alignment.

SPF only answers the question of which host was allowed to send the message; it says nothing about the content, and it fails when a legitimate message is forwarded by a server that is not listed in the record. Without DKIM, a message could be altered in transit (for example by a mailing list or a forwarder) without the recipient noticing. DKIM complements SPF by tying the message to the signing domain and by making any change to the signed headers or body detectable; a DKIM signature also survives forwarding as long as the signed content is left untouched.

Together, DKIM and SPF raise the security of the email system. Because email is the main means of communication on the Internet, it has long been an easy target for attackers trying to steal identities and data. DKIM and SPF are the authentication mechanisms that the DMARC policy builds on.

DMARC also defines how to handle messages that fail validation. A message fails DMARC only when neither an aligned DKIM signature nor an aligned SPF check passes; one passing, aligned mechanism is enough. Organizations can start with a DMARC policy that quarantines failing messages (typically into the spam folder or an administrator quarantine) until they have been reviewed. Legitimate messages that were quarantined by mistake can then be released, so that important communications are not lost or deleted. After sufficient testing of the rules, DMARC can be set to reject, so that receiving servers refuse failing messages outright.


What is the difference between DKIM and DMARC?

DKIM, SPF and DMARC are often mistakenly treated as interchangeable, although they are different, complementary methods for improving email security. DMARC is a policy layer on top of the other two: it defines how to handle emails that fail both the DKIM and the SPF check (with alignment to the From: domain) and where receivers should send reports about them.

DMARC offers three actions for a failed check, set with the p= tag of the DMARC record: p=none (no action), p=quarantine and p=reject. Which one applies is decided by the email administrator who publishes the DMARC record for the domain.

p=none means the message is delivered to the inbox despite the failed validation. This is the monitoring mode used when rolling DMARC out: administrators evaluate the reports that receivers send and look at the failing messages before tightening the policy.

Many administrators prefer quarantine for messages that fail validation. Such messages are delivered to the spam folder or held in a quarantine that normal users cannot access, where an administrator can review them later. This review helps to determine whether the company is the target of phishing attacks or whether the SPF and DKIM settings are misconfigured. If the email system uses machine learning for filtering, the manual review can also be used to train and improve the classifier.

If DMARC is set to reject, messages that fail validation are refused by the receiving server and never delivered. This is common practice at public email services like Gmail, where large volumes of mail failing SPF and DKIM checks are rejected to protect users from phishing and identity theft.
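The rules in this section can be written down as a small evaluator. The following Go program is an added example and not part of the original article or of any EuropeanMX software: it parses a constructed _dmarc record, checks identifier alignment of the DKIM and SPF results against the From: domain (relaxed or strict) and returns the disposition. The organizational-domain lookup is simplified to the last two labels, where a real implementation consults the Public Suffix List; all domain names and scenarios are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// AuthResult is what the receiver found for one mechanism: whether it passed and for which
// domain (the d= tag of the DKIM signature, or the MAIL FROM / Return-Path domain for SPF).
type AuthResult struct {
	Pass   bool
	Domain string
}

// Policy holds the parts of a _dmarc TXT record that decide the disposition.
type Policy struct {
	P     string // p=: none, quarantine or reject
	ADKIM string // adkim=: r (relaxed, the default) or s (strict)
	ASPF  string // aspf=: r (relaxed, the default) or s (strict)
}

// ParsePolicy reads a record such as "v=DMARC1; p=quarantine; adkim=s; rua=mailto:..."
// and fills in the defaults for the alignment modes.
func ParsePolicy(txt string) (Policy, error) {
	tags := map[string]string{}
	for _, kv := range strings.Split(txt, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(kv), "="); ok {
			tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	if tags["v"] != "DMARC1" {
		return Policy{}, fmt.Errorf("not a DMARC record: %q", txt)
	}
	pol := Policy{P: tags["p"], ADKIM: "r", ASPF: "r"}
	if tags["adkim"] == "s" {
		pol.ADKIM = "s"
	}
	if tags["aspf"] == "s" {
		pol.ASPF = "s"
	}
	switch pol.P {
	case "none", "quarantine", "reject":
		return pol, nil
	}
	return Policy{}, fmt.Errorf("missing or invalid p= tag in %q", txt)
}

// orgDomain stands in for the Public Suffix List lookup a real implementation performs; it
// simply takes the last two labels, which is wrong for suffixes such as co.uk (assumption).
func orgDomain(d string) string {
	labels := strings.Split(strings.ToLower(d), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

// aligned implements identifier alignment: strict needs an exact match with the From: domain,
// relaxed accepts any name under the same organizational domain.
func aligned(authDomain, fromDomain, mode string) bool {
	if mode == "s" {
		return strings.EqualFold(authDomain, fromDomain)
	}
	return orgDomain(authDomain) == orgDomain(fromDomain)
}

// Evaluate returns whether the message passes DMARC and the disposition to apply. DMARC
// passes when at least one mechanism passes AND is aligned with the From: domain; the
// policy from p= applies only when neither does.
func Evaluate(fromDomain string, dkim, spf AuthResult, pol Policy) (pass bool, disposition string) {
	if (dkim.Pass && aligned(dkim.Domain, fromDomain, pol.ADKIM)) ||
		(spf.Pass && aligned(spf.Domain, fromDomain, pol.ASPF)) {
		return true, "none"
	}
	return false, pol.P
}

func main() {
	// Constructed record and scenarios, not taken from the page.
	pol, err := ParsePolicy("v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com")
	if err != nil {
		panic(err)
	}
	// Forwarded mail: SPF fails at the forwarder's IP, but the aligned DKIM signature survives.
	fmt.Println(Evaluate("example.com", AuthResult{true, "example.com"}, AuthResult{false, "forwarder.example.net"}, pol))
	// Third-party bulk sender signing and sending as its own domain: nothing is aligned, so quarantine.
	fmt.Println(Evaluate("example.com", AuthResult{true, "bulkmailer.example.net"}, AuthResult{true, "bulkmailer.example.net"}, pol))
	// Plain spoof: no signature, unauthorized host.
	fmt.Println(Evaluate("example.com", AuthResult{false, ""}, AuthResult{false, "example.com"}, pol))
}
```

The second scenario is the one that surprises most administrators: a mailing provider that signs with its own domain produces a technically valid DKIM signature, yet the message still fails DMARC because the signing domain is not aligned with the From: domain. That is why the signature must be created with a selector under your own domain, as the setup section below describes.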


How can I configure DKIM via the Admin Panel?

A
Log in to the Admin Panel

For instructions on how to log into the admin panel of EuropeanMX, please see our FAQ article "How can I log in to the Admin-Panel (web interface of the filter)?".

B
Generate DKIM key pair
  1. Under "Outgoing" click on "DKIM".
  2. Enter the desired DKIM selector. The selector name is arbitrary and can be freely chosen; it only has to match the DNS record you create in the next step. In our example we use the selector "test".
  3. Click on "Generate and save new private/public pair". The private key is stored on our server and used for signing; only the public key leaves it, and it must now be published in your DNS settings.

C
Publishing the public key in DNS

So that receiving mail servers can retrieve the public key, it must be published as a TXT record in the DNS zone of your domain. The record looks like this:

test._domainkey.example.com  IN TXT  v=DKIM1; g=*; k=rsa; p=[public key in one line];

The entry must be made as a TXT record. Replace "test" with the selector you defined in step 2 of section B and example.com with your own domain. The g=* tag comes from the older DKIM specification and is ignored by current verifiers, so it may be omitted. A single TXT string is limited to 255 characters and a 2048-bit key does not fit into one, so most DNS providers expect the value to be split into several quoted strings, which resolvers concatenate again. After publishing, check with a DNS lookup of test._domainkey.example.com that the record resolves and that the p= value is complete.
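The following Go program, added here as an example and not taken from the EuropeanMX panel, shows what goes into the p= value and what a receiving server does with it: it generates a key, builds the selector._domainkey record, splits it into 255-character strings the way a zone file needs, and parses it back as a verifier would, including the revoked-key case (empty p=). The selector "test" and the domain example.com are the same placeholders as above; the key is freshly generated rather than the one from the Admin Panel.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// BuildRecord returns the owner name and TXT data for a DKIM public key. p= carries the
// base64 of the DER-encoded SubjectPublicKeyInfo, which is exactly what sits between the
// BEGIN/END lines of a PEM public key ("openssl rsa -pubout"), joined into one line.
func BuildRecord(selector, domain string, pub *rsa.PublicKey) (name, txt string, err error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", "", err
	}
	return selector + "._domainkey." + domain, "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der), nil
}

// ZoneStrings splits the TXT data into quoted character-strings of at most 255 bytes, the
// limit for a single string in TXT RDATA. A 2048-bit key does not fit into one; many DNS
// panels reject or silently truncate a longer string unless it is split like this.
func ZoneStrings(txt string) []string {
	var out []string
	for len(txt) > 255 {
		out = append(out, `"`+txt[:255]+`"`)
		txt = txt[255:]
	}
	return append(out, `"`+txt+`"`)
}

// ParseRecord does what a verifying MTA does with the answer: concatenate the strings, parse
// the tag list, check v= and k=, ignore whitespace inside p= (RFC 6376 requires that, which
// is what makes a PEM body pasted with line breaks still work), and decode the key.
func ParseRecord(strs []string) (*rsa.PublicKey, error) {
	var joined strings.Builder
	for _, s := range strs {
		joined.WriteString(strings.Trim(s, `"`))
	}
	tags := map[string]string{}
	for _, kv := range strings.Split(joined.String(), ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(kv), "="); ok {
			tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	if v, ok := tags["v"]; ok && v != "DKIM1" {
		return nil, fmt.Errorf("unsupported version %q", v)
	}
	if k, ok := tags["k"]; ok && k != "rsa" {
		return nil, fmt.Errorf("unsupported key type %q", k)
	}
	p := strings.Join(strings.Fields(tags["p"]), "")
	if p == "" {
		return nil, errors.New("empty p=: key revoked or record incomplete")
	}
	der, err := base64.StdEncoding.DecodeString(p)
	if err != nil {
		return nil, fmt.Errorf("p= is not valid base64: %w", err)
	}
	key, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, err
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("p= is not an RSA key")
	}
	return pub, nil
}

// Demo generates a 2048-bit key, publishes it as a zone-file record and reads it back.
// It returns the number of strings the record needs and whether the round trip worked.
func Demo() (parts int, roundTrip bool, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return 0, false, err
	}
	_, txt, err := BuildRecord("test", "example.com", &key.PublicKey)
	if err != nil {
		return 0, false, err
	}
	strs := ZoneStrings(txt)
	pub, err := ParseRecord(strs)
	if err != nil {
		return len(strs), false, err
	}
	return len(strs), key.PublicKey.Equal(pub), nil
}

func main() {
	fmt.Println(Demo())
}
```

A 2048-bit key yields a record of about 410 characters, so it always ends up as two quoted strings; if your provider shows only one string after saving, the key was truncated and every signature will fail verification. Publishing an empty p= is the standard way to revoke a selector once its private key is retired.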


D
Connect the outgoing user with DKIM

Now that receiving mail servers can retrieve the key, the outgoing user must be linked to the DKIM selector in the web interface.

  1. Select the desired outgoing user under "Outgoing" > "Manage User".
  2. Enter the previously configured selector ("test" in this example) under "DKIM Selector".
  3. Save the settings.

Once the user is linked to the DKIM selector, the DKIM signature is added to the header of every outgoing message authenticated with this user (unless you use a separate DKIM key pair for it). The receiving mail server verifies the signature with the public key from DNS and thereby confirms that the message was sent on behalf of your domain and was not altered in transit.

