Protecting Your Brand From Phishing: How to Create a DKIM Record
A DKIM record provides a way for senders to be proactive against phishing attacks. This document demonstrates how you can create a record in DNS that will enable your domain to fight back against this form of email fraud. By examining your delivery status reports and looking at the headers of spam emails, you can see whether spammers are attempting to use your mail server as part of their sending infrastructure. If they are, then this record will prevent them from continuing to use your domain for sending fraudulent messages. This approach will work with any domain that supports DKIM or DMARC records.

Senders and receivers of email can use DMARC to automate DKIM authentication and establish trust between communicating domains. This creates an explicit record of the correspondence that can be verified by all parties, deterring offsite spamming efforts. The Domain-Based Message Authentication, Reporting & Conformance (DMARC) Policy is a standards-based mechanism for authenticating, reporting on and conforming to the DKIM requirement for senders and receivers of email. Senders and receivers can agree on the DMARC policy before they begin sending email so that they know what types of messages are in conflict with each other and take action accordingly. Senders and receivers can now be more proactive when fighting spam and phishing attacks by creating a record of who is authorized to use their email address, how they are authorized, and what protocol they should follow in the event that communication is blocked or lost. DMARC provides this important information in a format that can be validated by all mail systems across the Internet.

Phishing is a crime in which an email appears to be from a trusted source (e.g., a friend, family member, or company) in order to gain access to sensitive information such as usernames, passwords, etc. It has been estimated that up to 75% of all emails sent are phishing attacks. Phishing can take many forms including spear phishing (targeting specific individuals) and masquerading as well-known brands in order to trick the recipient into clicking on malicious links or attachments. Because sites that are subject to attacks from spam and phishing emails do not always know that there

DKIM is a solution that email senders can use to prove they are who they say they are without revealing their email address.
When an email recipient’s mail server receives the DKIM-signed email, it can compare the signature against a database of known senders and determine whether or not to allow the message into the recipient's inbox.

To create your own DKIM record, you’ll need to get your domain name signed with both SPF and DKIM and the

In essence, DKIM allows an email sender to sign an email using their private key, but without revealing their public key.
First, let’s create our record with SPF:

Now let’s create the DKIM record and publish it with SPF and MX:

What this all means is that your email is now being authenticated with both SPF and DKIM, and because of this it can pass through some of the anti-phishing measures that might otherwise block your emails (such as brute forcing a password to log in to an SMTP server). Once you have created this record, all you need to..

The steps to utilising DKIM are:

Inventory all of the sending domains for your organisation. This can be a challenging task as many organisations have multiple vendors that they use to host email. I recommend using Reputation Monitor or Sender Score to verify that you haven’t missed any domains within these lists.
This is a simple process that only takes about 5 minutes in total once per month. If you are using Reputation Monitor it is an easy process of checking a box. Many times, this finding is enough to save the company from being blacklisted by millions of recipients and cut off from a large segment of their customer base emailing them

When deploying email across your organisation, it’s important to keep track of which domains are sending email. Sender Score gives you a way to inventory all of the senders in your organisation and their reputation. We also have tools like Reputation Monitor to help verify that you haven’t missed any domains.

Install and configure DKIM on your email server: Installing and configuring DKIM is straightforward. I recommend reading the documentation that comes with the webinar. Because all outgoing email will need to be signed, you will need to install a signing certificate package specifically for your email server. To verify your platform has available DKIM software, you can check here, or check with your vendor. If you’re using an email service provider, you will need to work with them on setting up your DKIM record. The process overall takes about 30 minutes to complete. After setup, it should only take a few hours for everything to propagate through your recipient base and take and

As a final step before we begin, you need to install the package on your email server. You can do this by following the directions for your particular platform: On some platforms, such as Microsoft Exchange Server and others, there are preconfigured DKIM (DomainKeys Identified Mail) packages available. To use one of these packages, you do not need to install any additional software on your mail server. However, if you are using an email service provider or wish to use their DKIM signing capabilities, follow the instructions below.
The DKIM process uses a digital signature to ensure that outgoing email is actually sent by the person or program claiming to have sent it. This adds an extra layer of security by verifying that the message did not change in transit. It also ensures that emails get through spam filters, and into valid mailboxes.

Create a public and private key pair: The selector is a unique name which we’ll use as the “name” in our DKIM records. It must be composed of letters, numbers, hyphens and underscores. If you need help with this, leave me a comment or contact me privately! Next, enter the mailbox server IP address that will be used for outgoing mail and wrap it in square brackets. We are authenticating the From information in these emails, so make sure it doesn’t overlap something you already have configured, like your sender address. For example if I have an address family configured as “@gmail.com”,

The selector name is just a human-readable name for this particular rule. It’s not case sensitive and it’s not required. Finally, press enter to create the key and store it in /etc/ DKIM

There are two ways to create your own DKIM records. You can either generate them in the DNS system, or you can generate them with your email server software and include them in your outgoing email messages. I’m going to show how to do this with Port 25’s smtp control plugin for send mail, since it’s so easy that anyone can use it. First we need to create a public and private key pair. The public part of this key will be used as the selector, and the private part will be used as the signature.