DKIM

You can help prevent spoofing by adding a digital signature to outgoing message headers using the DKIM standard. This involves using a private domain key to encrypt your domain's outgoing mail headers, and adding a public version of the key to the domain's DNS records. Recipient servers can then retrieve the public key to decrypt incoming headers and verify that the message really comes from your domain and hasn't been changed along the way.

Google Apps' digital signature conforms to the DomainKeys Identified Mail (DKIM) standard.

Email authentication[edit | edit source]

• If a message was correctly DKIM signed, a 'signed-by' header with the sending domain will appear.
• If a message was SPF authenticated, a 'mailed-by' header with the domain name will appear.
• If no authentication information exists, there will be no signed-by or mailed-by headers.

If you're a sending domain[edit | edit source]

Messages with DKIM signatures use a key to sign messages. Messages signed with short keys can be easily spoofed (see http://www.kb.cert.org/vuls/id/268267), so a message signed with a short key is no longer an indication that the message is properly authenticated. To best protect our users, Gmail will begin treating emails signed with less than 1024-bit keys as unsigned, starting in January 2013. We highly recommend that all senders using short keys switch to RSA keys that are at least 1024-bits long.^[1]

Tools[edit | edit source]

Dave Johnson (twitter://@protodave) lets you check your key length Your DKIM key should be at least 1024 bits.

Reference[edit | edit source]

http://www.dkim.org