Authenticating email with DKIM – DomainKeys Identified Mail

Spammers can forge the ‘From’ address on mail messages so that the spam appears to come from a user in your domain. To help prevent this sort of abuse, Google Apps enables you to add a digital “signature” to the header of mail messages sent from your domain.

Recipients can check the domain signature to verify that the message really comes from your domain and that it has not been changed along the way. (If your domain has an SPF record, recipients can also verify that the message came from an authorized mail server; see our previous post about SPF records.)

Google Apps’ digital signature conforms to the DomainKeys Identified Mail (DKIM) standard. Setting up DKIM in Google Apps involves three steps:

  1. Generate the domain key for your domain
  2. Add the public domain key to the DNS records for your domain
  3. Turn on authentication

From Wikipedia – “DomainKeys Identified Mail (DKIM) is a method for associating a domain name to an email message, thereby allowing a person, role, or organization to claim some responsibility for the message. The association is set up by means of a digital signature which can be validated by recipients. Responsibility is claimed by a signer —independently of the message’s actual authors or recipients— by adding a DKIM-Signature: field to the message’s header. The verifier recovers the signer’s public key using the DNS, and then verifies that the signature matches the actual message’s content.”

The following screenshot shows how to spot if an email sent from our domain is signed by DKIM.

example of DKIM-signed email

NB. Emails will only show as signed by our domain if sent directly by one of our users. Emails sent from our domain via other services, for example MailChimp ([email protected]), ZenDesk ([email protected]), etc., will be sent by (and, if applicable, signed by) the sending service.
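The check a recipient performs, and the third-party case from the note above, as an added Python example (not code from this post or from Google). It reads the DKIM-Signature header, derives the DNS name where the public key is published, compares the signing domain with the From domain, and recomputes the body hash (bh=). The domains, the selector `sel1` and the `b=` value are constructed placeholders; the RSA check of `b=` against the DNS key is left out because it needs a live DNS lookup and a crypto library.

```python
import base64, hashlib, re
from email import message_from_bytes
from email.utils import parseaddr

def parse_tags(value):
    """Split a DKIM-Signature tag=value list into a dict, dropping folding whitespace."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def canon_body(body, mode):
    """Body canonicalization per RFC 6376 section 3.4 ('simple' or 'relaxed')."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":  # collapse runs of spaces/tabs, strip line-end whitespace
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # empty lines at the end of the body are ignored
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body, tags):
    """Base64 hash of the canonicalized body, comparable with the bh= tag."""
    mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    algo = tags.get("a", "rsa-sha256").split("-")[-1]  # sha256 or sha1
    return base64.b64encode(hashlib.new(algo, canon_body(body, mode)).digest()).decode()

def inspect(raw):
    """Report who signed a message and whether its body still matches bh=."""
    head, _, body = raw.partition(b"\r\n\r\n")
    msg = message_from_bytes(head + b"\r\n\r\n")
    tags = parse_tags(msg["DKIM-Signature"])
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    return {
        "signed_by": tags["d"].lower(),
        "key_dns_name": f'{tags["s"]}._domainkey.{tags["d"]}',  # TXT record with the public key
        "signer_is_from_domain": tags["d"].lower() == from_domain,
        "body_intact": body_hash(body, tags) == tags["bh"],
    }

def sample(d, body, sent_body=None):
    """Constructed message: From example.com, signed by domain d; b= is a placeholder."""
    sig = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={d}; s=sel1;\r\n"
           f" h=from:subject; bh={body_hash(body, {'c': 'relaxed/relaxed'})}; b=PLACEHOLDER")
    head = f"From: Alice <alice@example.com>\r\nSubject: hi\r\nDKIM-Signature: {sig}\r\n\r\n"
    return head.encode() + (body if sent_body is None else sent_body)

if __name__ == "__main__":
    print(inspect(sample("example.com", b"Hello world\r\n", b"Hello   world \r\n\r\n")))
    print(inspect(sample("mailer.example.net", b"Hello\r\n", b"Hello, pay here\r\n")))
```

The first sample differs from the signed body only in whitespace, which relaxed canonicalization tolerates; the second is signed by a sending service's domain and has an altered body, so both checks report False.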

If you need help setting up DKIM within your Google Apps domain, contact us.
