Teri Radichel

DKIM for Email Security

Another DNS record you can add to improve email security

In the last post I explained how to configure an SPF record to help improve email security.

Next up I’m going to show you how to add DKIM for email security when using AWS Route 53 for domain hosting.

Figure out how long your DKIM record can be

The first thing we need to understand with DKIM is the length of the record you want to add. Your email provider may generate a DKIM record longer than the system where you need to enter the TXT record will accept.

In my case, Google supports both 1024 and 2048 character DKIM records. If we head over to AWS and check the specifications for the DNS records AWS supports, we see that a text record can be up to 4,000 characters.

Generate your DKIM record at your email provider

The next step is to generate the DKIM record at your email provider.

These are the steps currently for Google Workspace and they seem pretty straightforward. I’m not going to provide screenshots for all of this and it’s also behind a login so I can’t link to it. Ask your email provider how to get a DKIM record if you are not using Google Workspace.

  1. Sign in to the Google Admin console.
  2. Go to Apps > Google Workspace > Gmail.
  3. Click Authenticate email.
  4. Select the domain for which you want to generate a DKIM record.
  5. Click Generate New Record button.
  6. Choose 2048.
  7. Click Generate.
  8. Copy the name and value for the TXT record.
  9. Head over to your domain in AWS.

Now this is interesting. I get an error that says the value is too long. So although AWS says it supports up to 4000 characters it apparently does not. Bug?

Let’s try a shorter length. Head back over to Google, delete the DKIM record and try 1024 instead.

Copy and paste the shorter length and it works.

  10. Click Start Authentication.

If you get an error such as the one shown below, wait until the domain records propagate from AWS to Google and then try again. In other words, just check back later as the message says. In my case, it didn’t take 48 hours; it took a few minutes.

If you still can’t start authentication, double check that you entered the record correctly in your DNS records. I inadvertently selected the wrong domain and regenerated a key I didn’t mean to regenerate. I wish Google would just add this functionality to the domain list and I think that wouldn’t have happened. The little drop-down box is not incredibly user friendly.
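On the "value is too long" error in step 9, as an added example that is not part of the original post: DNS caps each quoted string inside a TXT record at 255 characters, and Route 53 accepts a longer value when it is entered as several quoted strings separated by spaces, which DKIM verifiers join back together with nothing in between. The sketch below splits a DKIM value that way and checks the round trip; the function names and the sample key (placeholder bytes, not a real key) are constructed for illustration.

```python
import base64

MAX_TXT_STRING = 255  # DNS limit on one quoted string inside a TXT record


def split_txt_value(value: str, limit: int = MAX_TXT_STRING) -> list[str]:
    """Split a long TXT value into chunks that each fit in one DNS string."""
    value = value.strip().strip('"')
    if '"' in value:
        raise ValueError("value already contains several quoted strings")
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def route53_value(value: str) -> str:
    """Format the value as it is entered in the record: "part1" "part2"."""
    return " ".join(f'"{chunk}"' for chunk in split_txt_value(value))


def reassemble(record: str) -> str:
    """Join the quoted strings with no separator, as a DKIM verifier does."""
    return "".join(record.split('"')[1::2])


def dkim_tags(value: str) -> dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict (splits on the first '=')."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            name, _, val = item.partition("=")
            tags[name.strip()] = val.strip()
    return tags


# Constructed sample: 294 placeholder bytes, the size of a DER-encoded
# 2048-bit RSA public key. This is not a real key.
SAMPLE_KEY = base64.b64encode(bytes(i % 256 for i in range(294))).decode()
SAMPLE_VALUE = f"v=DKIM1; k=rsa; p={SAMPLE_KEY}"

if __name__ == "__main__":
    record = route53_value(SAMPLE_VALUE)
    print(record)                                          # value to paste
    print([len(c) for c in split_txt_value(SAMPLE_VALUE)])  # chunk sizes
    assert reassemble(record) == SAMPLE_VALUE               # nothing lost
    print(dkim_tags(reassemble(record))["k"])               # key type tag
```

After publishing, compare the reassembled value returned by a DNS lookup of the selector name against the value shown by the email provider before starting authentication.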

Alright, now that you have enabled DKIM authentication, we’ll take a look at another record you can add in the next post: DMARC.

Teri Radichel | © 2nd Sight Lab 2023
