
DKIM for ESPs: The Struggle of Living Up to the Ideal

Alexander Garcia-Tobar
CEO & Co-Founder at ValiMail

Given the increase in email fraud (phishing) and an ever more complex email landscape, it is more important than ever for email service providers (ESPs) to implement email authentication properly. As pioneers of email authentication, serving 75% of the ESP marketplace, Port25 believes optimal inbox placement rates depend on getting the authentication protocols right.

Major mailbox providers (Gmail, Yahoo! Mail, Outlook, etc.) are pushing senders to authenticate their email, using a carrot-and-stick approach: authenticate well and your email gets through with high deliverability; authenticate poorly and it is downgraded to lower deliverability, increasingly with warnings or with logos and other identifying graphics stripped.

Two examples from Google and Microsoft (screenshots in the original post) show what unauthenticated email will look like starting in mid-2016. Google displays the sender's logo for authenticated email and a "?" avatar for unauthenticated email. Microsoft likewise redacts logos and graphics and adds red indicators when an email lacks proper authentication; authenticate properly and the email displays a green shield and renders all logos and graphics.

The DKIM Ideal

Given this environment, we wanted to write a quick post on one aspect of email authentication that trips up many ESPs: DKIM (DomainKeys Identified Mail). DKIM is an open, DNS-based email authentication standard (RFC 6376) built on public-key signatures, not encryption: the sending server signs selected headers and the body with a private key, and the receiver fetches the matching public key from a DNS TXT record at <selector>._domainkey.<domain> and verifies the signature. There are several issues that an ESP should consider when implementing DKIM:

No Key Sharing: Each customer should have their own dedicated DKIM key, published under the customer's own domain and selector, and ESPs should avoid any key sharing between customers. When keys are not shared, a compromised DKIM key can only be used to forge mail for a single customer, and revoking it disrupts no one else.

Regular Key Rotation: The specification recommends rotating keys periodically; a practical cadence for an ESP is every few months (3-4 times a year). Rotation ensures that if a key is compromised for any reason (for example, by an attacker who obtains the private key), the compromised key is only useful for a short time. In practice rotation means generating a new key pair, publishing the public key under a new selector, switching signing to the new key, and then, once mail signed with the old key is no longer in transit, removing the old DNS record or republishing it with an empty p= tag (which RFC 6376 defines as revoked). Only then is the compromised key useless; an old record left in DNS continues to verify anything an attacker signs with the stolen key.

Store Private Keys Securely & in a Distributed Manner: DKIM private keys are extremely valuable, because anyone holding one can produce mail that passes DKIM (and DMARC) as your client, indistinguishable to the receiver from the client's own mail. Given this, it's critical to follow best practices for key management: don't store private keys in plaintext, avoid a single centralized database holding every customer's keys, and protect the keys the way you would any other signing key (hardware-backed storage, or encryption under a key kept outside the database).

The ESP DKIM Reality

Widespread Key Sharing: Because DKIM is relatively complex and proper key management is burdensome, it is common for ESPs to use the same key for all their customers. This simplifies configuration: the ESP can give every customer the same instructions, the same DKIM record gets inserted into every customer's DNS, and the sending infrastructure signs every message with the same key. The cost is that one leaked key forges mail for every customer at once.

Little to No Key Rotation: Because key rotation typically requires an ESP to manually update one or more DNS records, or worse, have its customers manually update one or more DNS records, key rotation is extremely rare in practice. DKIM keys are typically set once and never changed, and it's common to see DKIM keys that are 5-10 years old in production use.

Centralized, Plaintext Key Storage: Finally, even an ESP that tries to do DKIM correctly, with one key per customer rotated on a regular basis, will find that the simplest solution is to store the keys for all its clients in a central database in plaintext, which makes key management and distribution to the mail servers easy. Unfortunately this sort of architecture is a beacon to criminals: a single breach of that database yields every customer's keys.
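The "store private keys securely" point in the ideal above and this plaintext-database reality describe the same control: the database may hold the keys, but only wrapped under a key-encryption key (KEK) that lives somewhere else (an HSM, a KMS, or at minimum the signing hosts), so a dump of the database alone is useless. Here is an added example in Go (standard library only; not the page's, ValiMail's or Port25's code): each customer's PKCS#8 private key is sealed with AES-256-GCM, with the customer id and selector bound in as associated data so a row cannot be quietly relabelled. The customer ids and the in-memory database are constructed; Vault stands in for whatever component holds the KEK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
)

// KeyRow is what the central database stores for one customer's selector: ciphertext only.
// The AAD binds the blob to (customer, selector) so a row cannot be moved or relabelled unnoticed.
type KeyRow struct {
	CustomerID, Selector string
	Nonce, Wrapped       []byte
}

// Vault holds the key-encryption key (KEK). In production this is an HSM/KMS or at least a
// secret held only on the signing hosts; the point is that the database never contains it.
type Vault struct{ kek []byte }

func NewVault() (*Vault, error) {
	kek := make([]byte, 32) // AES-256
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &Vault{kek: kek}, nil
}

func (v *Vault) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(v.kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func aad(customerID, selector string) []byte { return []byte(customerID + "\x00" + selector) }

// Wrap encrypts a customer's DKIM private key (PKCS#8 DER) with AES-256-GCM for storage.
func (v *Vault) Wrap(customerID, selector string, priv *rsa.PrivateKey) (KeyRow, error) {
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return KeyRow{}, err
	}
	g, err := v.aead()
	if err != nil {
		return KeyRow{}, err
	}
	nonce := make([]byte, g.NonceSize()) // fresh random nonce per wrap; never reuse one under the same KEK
	if _, err := rand.Read(nonce); err != nil {
		return KeyRow{}, err
	}
	return KeyRow{customerID, selector, nonce, g.Seal(nil, nonce, der, aad(customerID, selector))}, nil
}

// Unwrap recovers the key on a signing host; it fails closed on a wrong KEK or any tampering.
func (v *Vault) Unwrap(row KeyRow) (*rsa.PrivateKey, error) {
	g, err := v.aead()
	if err != nil {
		return nil, err
	}
	der, err := g.Open(nil, row.Nonce, row.Wrapped, aad(row.CustomerID, row.Selector))
	if err != nil {
		return nil, fmt.Errorf("unwrap failed: wrong KEK or tampered row")
	}
	k, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return nil, err
	}
	priv, ok := k.(*rsa.PrivateKey)
	if !ok {
		return nil, fmt.Errorf("stored key is not RSA")
	}
	return priv, nil
}

func main() {
	vault, _ := NewVault()
	db := map[string]KeyRow{} // the "central database", keyed by customer id (constructed)
	for _, c := range []string{"cust-1001", "cust-1002"} {
		priv, _ := rsa.GenerateKey(rand.Reader, 2048)
		row, _ := vault.Wrap(c, "s2016q2", priv)
		db[c] = row
	}
	// A dump of db is ciphertext only; without the KEK an attacker cannot recover a single key.
	other, _ := NewVault()
	_, err := other.Unwrap(db["cust-1001"])
	fmt.Println("unwrap with wrong KEK:    ", err)
	// Relabelling customer 1002's row as 1001's is caught because the AAD no longer matches.
	moved := db["cust-1002"]
	moved.CustomerID = "cust-1001"
	_, err = vault.Unwrap(moved)
	fmt.Println("unwrap of relabelled row: ", err)
	priv, err := vault.Unwrap(db["cust-1001"])
	fmt.Println("unwrap on signing host ok:", err == nil && priv != nil)
}
```

This does not remove the need to rotate (a signing host that holds the KEK in memory is still a target), but it changes what a database breach yields from "every customer's key" to "ciphertext plus the need to also compromise the KEK holder". Keep the KEK out of backups and out of the application database entirely, and log every Unwrap.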

Given that several major ESPs have reportedly been breached over the last couple of years, this approach must be considered highly risky. As with any enterprise system, it is probably safe to assume that every ESP has been breached at some point in the past 5-10 years.

So What's the Answer?

ESPs should use a DKIM system that supports frequent and automated key rotation, defines unique DKIM keys per client, and stores the DKIM private keys in a secure way.

With this in mind, ValiMail created Distributed DKIM (DDKIM), a patent pending method that solves the traditional difficulties with DKIM key management and distribution while adhering to this ideal. Though more secure and robust, DDKIM at the same time vastly simplifies the process and automates proper DKIM implementation and key management, accelerating the onboarding of new clients and allowing for quick key updates of existing clients.

Whether or not you are interested in DDKIM, feel free to drop us a line at info@valimail.com and we'd be happy to discuss DKIM further. Here's to automated and secure authentication!

Written by Alexander Garcia-Tobar, CEO & Co-Founder at ValiMail, a Port25 partner.
