Is DKIM protecting the domain's emails from tampering?

We monitor your DKIM (DomainKeys Identified Mail) configuration to verify your emails are digitally signed and protected against tampering.

Written by Dan McKenzie
Updated this week

What is DKIM?

DKIM works like a digital signature for your emails. When your organization sends an email, DKIM adds a unique fingerprint that proves it came from your domain and hasn't been tampered with during delivery.

Why It Matters

Without DKIM protection, your email communication faces several risks:

  • Anyone could modify your email content during delivery

  • Receiving systems can't verify if emails really came from you

  • Your legitimate emails are more likely to be marked as spam

  • Your domain's sending reputation could be damaged


Security Checks

We monitor these aspects of your DKIM configuration:

Is a DKIM record present in the domain's DNS?

DomainKeys Identified Mail (DKIM) allows email servers to verify that messages haven't been tampered with during transit. Without a DKIM record, the domain's emails cannot be cryptographically verified, making them vulnerable to spoofing and modification.

Does the DKIM record specify a key type?

The DKIM record lacks a cryptographic algorithm specification (such as 'rsa' or 'ed25519'). This may cause email servers to use incorrect algorithms or fail to validate messages entirely.

Is the DKIM using a current hash algorithm?

The domain uses an outdated hash algorithm (like SHA-1) instead of the more secure SHA-256. This weakens the cryptographic protection and makes the signatures more vulnerable to attack.

Is a hash algorithm specified in the DKIM record?

The DKIM record doesn't indicate which hash algorithm to use for signatures. This can lead to validation failures or the use of less secure algorithms when verifying messages.

Does the DKIM record include a public key?

The DKIM record lacks the required public key data. Without this, receiving email servers cannot verify the authenticity of messages sent from the domain.

Is the DKIM using recommended key types?

The domain uses a key type other than the standard RSA or Ed25519. This may cause compatibility problems with email servers and could mean a less secure signature algorithm is in use.

Is a body length limit specified in the DKIM record?

The DKIM record doesn't define the maximum length of message content that should be signed. This could allow attackers to modify messages by adding content beyond the signed portion.
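The record-level checks above for key type, hash algorithm and public key can be reproduced against a published DKIM TXT record. The following is an added example, not the monitoring product's own code: the function names and sample records are constructed for illustration, it assumes the standard DKIM tag names `k=`, `h=` and `p=`, and it does not cover the body length check.

```python
# Added example: evaluate one DKIM key record (the TXT value published at
# <selector>._domainkey.<domain>) against the record-level checks listed above.
RECOMMENDED_KEY_TYPES = {"rsa", "ed25519"}
CURRENT_HASHES = {"sha256"}

# Constructed sample records; the p= values are placeholders, not real keys.
GOOD_RECORD = "v=DKIM1; k=rsa; h=sha256; p=CONSTRUCTEDBASE64KEY"
WEAK_RECORD = "v=DKIM1; h=sha1:sha256; p="


def parse_tags(record):
    """Parse a DKIM tag-list ("k=rsa; p=...") into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep and name.strip():
            # Whitespace inside a value (e.g. folded base64) is not significant.
            tags[name.strip()] = "".join(value.split())
    return tags


def check_dkim_record(record):
    """Return a list of findings for one record; an empty list means no findings."""
    if not record or not record.strip():
        return ["no DKIM record present"]
    tags = parse_tags(record)
    findings = []
    key_type = tags.get("k")
    if key_type is None:
        findings.append("no key type specified (k=)")
    elif key_type not in RECOMMENDED_KEY_TYPES:  # compared case-sensitively
        findings.append("non-recommended key type: " + key_type)
    if "h" not in tags:
        findings.append("no hash algorithm specified (h=)")
    else:
        # h= is a colon-separated list of hash algorithms the key accepts.
        listed = {h for h in tags["h"].split(":") if h}
        outdated = sorted(listed - CURRENT_HASHES)
        if outdated:
            findings.append("outdated hash algorithm: " + ",".join(outdated))
    if not tags.get("p"):
        findings.append("no public key data (p=)")
    return findings


if __name__ == "__main__":
    for sample in (GOOD_RECORD, WEAK_RECORD):
        print(sample, "->", check_dkim_record(sample) or "no findings")
```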


Industry Standards

DKIM is recommended by:

  • ISO 27001 (Email Security Controls)

  • NIST SP 800-177 (Email Security Guidelines)

  • UK NCSC Email Security Guidelines

  • M365 Security Standards

  • Google Workspace Security Requirements
