DKIM is one of the available protections against spoofed emails.
What can happen?
Spoofed emails can be used to trick people into giving up sensitive information and to spread false information that may damage the reputation of the vulnerable party.
Remediation
Generate key
Decide upon a selector. This can be seen as the name of a specific key. If you’d like to use multiple services to send emails from the same domain (e.g., Zendesk for support and Mailchimp for newsletters), you can generate a different key for each.
Depending on the service you are using, you may need to use their interface to generate the required keys. If that is not the case, you have to manually generate a pair of RSA public/private keys. The easiest way to do this is with ssh-keygen in Linux or PuTTYgen in Windows.
Update record
Now go to your domain manager and create a new DNS record.
As the hostname, use [selector]._domainkey. For example, if you chose mailchimp as the selector, use mailchimp._domainkey as the hostname.
As value/text, enter v=DKIM1; t=s; n=core; p=[your public key]. You should strip any text before and after the key.
The result will look something like this:
v=DKIM1;t=s;n=core;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKDwueyFM93IPbsKiOFNTJDGwyefxOwGkjXBsTSnPkg6SPJSgEkZWSuS+EB4gRS+mn9EHcsGPNSd+YaqF+J5X8OiSgw5AMbj6xrrnpn/FGtRwAYp77IJtUqiHhPlehsybRw02fx4d2S41tJQfwEISlgl5ic+PnVwLtNO/4QbLj4QIDAQAB
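An offline check of the record value before it is published, as an added example that is not part of the original page: it parses the tags, confirms that p= is bare base64 DER rather than a PEM block with its header left in or an OpenSSH-format public key (the format of the .pub file ssh-keygen writes by default), and reports the RSA key size. It assumes an RSA key, and the function names are illustrative.

```python
import base64

PAGE_RECORD = ("v=DKIM1;t=s;n=core;p="  # record value copied from the example on this page
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKDwueyFM93IPbsKiOFNTJDGwyefxOwGkjXBsTSnPk"
    "g6SPJSgEkZWSuS+EB4gRS+mn9EHcsGPNSd+YaqF+J5X8OiSgw5AMbj6xrrnpn/FGtRwAYp77IJtUqiHh"
    "PlehsybRw02fx4d2S41tJQfwEISlgl5ic+PnVwLtNO/4QbLj4QIDAQAB")

def parse_tags(record):
    """Split a DKIM TXT value into {tag: value}; whitespace inside values is dropped."""
    tags = {}
    for part in filter(str.strip, record.split(";")):
        name, _, value = part.partition("=")
        tags[name.strip()] = "".join(value.split())
    return tags

def der_len(buf, i):
    """Read the DER length field at buf[i]; return (length, index of first content byte)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def rsa_bits(der):
    """Modulus size in bits of an RSA SubjectPublicKeyInfo (structure walk, no validation)."""
    _, i = der_len(der, 1)                # outer SEQUENCE
    alg_len, i = der_len(der, i + 1)      # AlgorithmIdentifier SEQUENCE
    _, i = der_len(der, i + alg_len + 1)  # BIT STRING, after skipping the algorithm
    _, i = der_len(der, i + 2)            # skip unused-bits byte and RSAPublicKey tag
    n_len, i = der_len(der, i + 1)        # INTEGER modulus
    return int.from_bytes(der[i:i + n_len], "big").bit_length()

def check_record(record):
    """Return (rsa_bits or None, problems) for the value of a [selector]._domainkey record."""
    tags = parse_tags(record)
    problems = [] if tags.get("v") == "DKIM1" else ["v= is not DKIM1"]
    p = tags.get("p", "")
    try:
        der = base64.b64decode(p, validate=True)
    except ValueError:
        hint = "PEM header/footer not stripped" if "-----" in p else "not valid base64"
        return None, problems + ["p= " + hint]
    if der.startswith(b"\x00\x00\x00\x07ssh-rsa"):
        return None, problems + ["p= is an OpenSSH-format key, not base64 DER"]
    if der[:1] != b"\x30":
        return None, problems + ["p= does not decode to a DER SEQUENCE"]
    bits = rsa_bits(der)
    if bits < 2048:
        problems.append(f"{bits}-bit RSA key; RFC 8301 recommends at least 2048 bits")
    return bits, problems
```

Run against the sample record above, check_record reports a 1024-bit key, so a newly generated key should be at least 2048 bits.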
Sign each email
The procedure varies greatly depending on the service you are using to send emails. There are many such services out there, so the best course of action is to follow your service’s instructions on how to sign emails.
Resources
- DKIM Core - specification
- Detectify blog: Misconfigured email servers open the door to spoofed emails from top domains