As email continues to evolve as a major method of communication, spammers and phishers have also become more savvy in order to exploit it. In light of the recent widespread and sophisticated Google Doc phishing attack, we at SharpSpring thought it prudent to update our email authentication documentation and go into a little more detail on what each type of authentication is and how it works, so you can have a better understanding of how to protect your email streams.
What is DKIM?
DomainKeys Identified Mail (DKIM), at its core, allows mailboxes and recipients to verify that a received message truly comes from the domain identified as the sender and has not been altered in transit. The verification is done through cryptographic authentication, so receiving inboxes can confirm that no spoofing has taken place. We go into the nitty-gritty of how the verification works below.
The most common example of how domains can be spoofed is the infamous PayPal phishing scam. A phisher sends an email from a “...@paypal.com” address that mirrors the normal look of a PayPal email. Usually there is some type of fake “alert” saying that your account has been compromised and that you need to sign into your PayPal account and provide some personal information. A link at the bottom pushes the recipient to a fake “PayPal” site, where the phisher collects any data entered there.
DKIM was created to indicate to the receiving mailbox that these fake “PayPal” addresses are not actually from PayPal. From there, the inbox can quarantine the email to spam or bounce it to protect the recipient from a potential phishing attack. In essence, DKIM is essential for protecting your domain from people who may be trying to use it for nefarious purposes.
How does the Authentication Work?
When setting up DKIM in SharpSpring, two cryptographic keys are created: a public key and a private key. You, the sender, add the public key to your DNS records, alongside your SPF records and so on. When you create an email, the email is hashed and the hash is signed, using a private key available only to your domain, into a unique text string (the DKIM signature). Then the email is transmitted to its intended destination.
During the email’s journey to its final destination, it may be picked up by various systems. Perhaps the recipient uses a webmail service that pushes the email to their desktop email app, or a recipient receives the email and then forwards it to a colleague. Regardless of where it stops along its transmission path, any mailbox may query the sending domain’s DNS to retrieve the public key. The public key you add to your DNS matches only your private key, so the recipient’s email provider can use it to recover the original hash string from the DKIM signature. Finally, the email provider recreates the hash from the received message and checks whether it matches the hash recovered from the signature. If the two match, the email passes DKIM verification.
This confirms to the provider that the domain in the email is truly owned by the sender and that the message has not been changed in transit. Let’s illustrate the second point with an example. A phisher receives an email from PayPal and attempts to forward it to a recipient after changing the PayPal link to point at their fake PayPal website, which will attempt to harvest the recipient’s information. Since the message, including the link, is signed by DKIM, when the recipient’s email provider recomputes the hash and compares it with the one recovered using PayPal’s public key, the hashes won’t match because the email has changed. Conversely, if a recipient receives an email from PayPal and forwards it to a friend without changing anything in the email, DKIM will still pass, as the hashes will match.
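The flow described in the three paragraphs above, end to end, as an added example (not SharpSpring’s code or tool): the sender hashes and signs, the public key sits in a stand-in for the DNS record, and the receiver recovers the hash and recomputes it over what arrived. The key is a constructed toy (two Mersenne primes, textbook RSA with no padding), and the signed header set, selector name, domains and message are all assumptions.

```python
import hashlib

# Constructed demo key: two Mersenne primes and textbook RSA without padding.
# Real DKIM uses a properly generated 2048-bit key and PKCS#1 v1.5 padding.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_KEY, PRIVATE_KEY = (N, E), (N, D)

# Constructed stand-in for the DNS TXT record at <selector>._domainkey.<domain>.
DNS = {"dkim._domainkey.paypal.example": PUBLIC_KEY}

def message_hash(headers, body):
    """Hash the signed header fields (DKIM's h= list) plus the body. Headers that
    forwarders add, such as Received, are outside this set and do not disturb it."""
    signed = "".join(f"{k.lower()}:{headers[k].strip()}\n" for k in ("From", "Subject"))
    digest = hashlib.sha256((signed + "\n" + body.strip()).encode()).digest()
    return int.from_bytes(digest, "big")

def sign(headers, body, private_key):
    """Sender side: the hash is signed with the private key only the domain holds."""
    n, d = private_key
    return pow(message_hash(headers, body), d, n)

def verify(headers, body, signature, dns):
    """Receiver side: fetch the public key for the From domain, recover the signed
    hash from the signature, recompute the hash over what arrived and compare."""
    domain = headers["From"].rsplit("@", 1)[1]
    n, e = dns[f"dkim._domainkey.{domain}"]  # constructed selector name
    return pow(signature, e, n) == message_hash(headers, body)

# Constructed message from the legitimate domain, signed before it leaves.
HEADERS = {"From": "service@paypal.example", "Subject": "Account notice"}
BODY = "Sign in at https://www.paypal.example/login to review activity.\n"
SIGNATURE = sign(HEADERS, BODY, PRIVATE_KEY)

def forwarded_unchanged():
    """A colleague forwards the message untouched; only a Received header is added."""
    hdrs = dict(HEADERS, Received="from mx.paypal.example by mail.colleague.example")
    return verify(hdrs, BODY, SIGNATURE, DNS)

def forwarded_with_swapped_link():
    """The link is replaced before forwarding: the recomputed hash no longer matches."""
    body = BODY.replace("www.paypal.example", "paypal-login.attacker.example")
    return verify(HEADERS, body, SIGNATURE, DNS)

if __name__ == "__main__":
    print("unchanged forward passes DKIM:", forwarded_unchanged())
    print("swapped-link forward passes DKIM:", forwarded_with_swapped_link())
```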
DKIM by itself is not a surefire way to stop spoofing and completely authenticate an email, but it goes a long way both in ensuring your domain and brand are protected from unauthorized use and in improving your deliverability, as email providers can see you’re taking steps to secure your email stream. Adoption of DKIM has historically been slow because it is difficult to integrate, but SharpSpring’s DKIM tool makes it easy to generate keys. All you need to do is add the records generated in the app to your DNS records, and your domain can be secured for use.