What is DKIM for DataMotion SecureMail?
As of November 13, 2019, DataMotion SecureMail and SecureMail Gateway support DKIM so outgoing email messages sent via SMTP are delivered to intended recipients and not rejected or quarantined by anti-spam and anti-spoofing protection measures deployed on recipients’ mail servers. SPF and DMARC are also supported, and defined below.
DKIM, or ‘DomainKeys Identified Mail’ is an internet standard email authentication method designed to combat email spoofing. It allows receiving SMTP servers to check whether an email which came from a specific domain (@xyz.com) was in fact authorized by the owner of that domain. DKIM involves signing each outgoing email message with a private key linked to the sender’s domain name. The recipient system verifies the digital signature by looking up the associated public key published in DNS. Put simply, the DKIM signer uses the private key and the DKIM verifier uses the corresponding public key. In order for it to work, the sending SMTP servers must insert DKIM-Signature email header fields on outgoing email messages. The owner of the sending domain must also create a DKIMDNS TXT public record.
As stated in the IETF (Internet Engineering Task Force) RFC 6376:
“DomainKeys Identified Mail (DKIM) permits a person, role, or organization that owns the signing domain to claim some responsibility for a message by associating the domain with the message. This can be an author’s organization, an operational relay, or one of their agents. DKIM separates the question of the identity of the Signer of the message from the purported author of the message. Assertion of responsibility is validated through a cryptographic signature and by querying the Signer’s domain directly to retrieve the appropriate public key. Message transit from author to recipient is through relays that typically make no substantive change to the message content and thus preserve the DKIM signature.”
SPF is an email authentication method which is also supported, to combat email spoofing. It allows receiving SMTP servers to check whether an email which came from a specific domain was in fact from an IP address authorized by the owner of that domain. The owner of the domain must create an SPF DNS TXT record. The sending SMTP servers do not need to do additional work for SPF.
DMARC is an email authentication protocol (set of rules) to combat email spoofing, also supported by SecureMail. It allows receiving SMTP servers to authenticate based upon instructions published by the owner of a specific domain. The owner of the domain must create a DMARC DNS TXT record which specifies which email authentication methods (DKIM, SPF, or both) are supported for that domain. The sending SMTP servers do not need to do additional work for DMARC.