DKIM stands for DomainKeys Identified Mail and is another tool in your email-security toolbelt that helps ensure your email addresses are not fraudulently used by attackers.
DKIM is a complex topic that, fortunately for us, can be implemented relatively easily. When implemented, DKIM can ensure that mail received from a domain was not modified in transit, including the most commonly spoofed email headers.
When an email is sent using a DKIM-enabled mail server, a fingerprint (called a cryptographic hash) of the headers and body is taken and placed in the header of the email. When the email is received on the other end, a check can be performed to ensure that the fingerprint is the same, indicating that the message was received exactly as it was sent.
(See our article on DMARC to learn how to enforce DKIM better.)
To enable DKIM, you need to generate a pair of cryptographic keys and publish the public key in your DNS. Your mail service provider will have very specific instructions on how to do that. It's important to note that you will need to set up DKIM for every provider that sends email on your behalf. Examples include Salesforce, Zoho, MailChimp, etc. Each of these providers has specific instructions on how to generate these keys in their systems, and how you can add them to your own DNS.
As a final note: Any time you're configuring SPF, DKIM, and DMARC records, you should perform these tasks outside of peak business hours and test email sending and receipt capabilities. While these techniques are simple to configure, they can have unintended consequences (e.g. denying legitimate email) if you make mistakes.
As always, Coalition is here to help you on your way. Please reach out to us for additional information!
Resources: