Introducing DKIM key management, a new feature to protect against domain name impersonation

It is now harder for hackers and spammers to impersonate ProtonMail users who have custom domain email addresses. We have introduced DKIM key management in beta, which allows you to manually rotate your DKIM keys. This is part of our continuing effort to make it more difficult for attackers to impersonate our users’ custom domains.

What is DKIM?

DKIM stands for DomainKeys Identified Mail. It is a form of email authentication that allows recipients to detect forged sender addresses, known as spoofed emails. It uses public key cryptography to verify that an email was sent from an authorized mail server and was not tampered with.

DKIM adds a digital signature, which is linked to a domain name, to the header of each outgoing email message. This signature is created with a private key that is specific to the sender’s custom domain. Each private key has a corresponding public key, which is published in the sender’s DNS at their domain registrar.

The recipient’s mail server then looks up your public key in your domain registrar’s DNS and uses it to verify the digital signature in the header, comparing the signed value against a freshly computed one for the message it received. If they match, the recipient knows that the message came from your domain and was not modified after the signature was added. If they do not match, the server flags the message so that the recipient treats it with caution.

If that explanation didn’t make total sense, here’s a simple way to think about it. DKIM is a bit like signing a letter and putting it in an envelope. If the envelope is still sealed, the recipient knows that the letter has not been touched since you sent it. Your signature, which many people can recognize but only you can recreate, verifies to the recipient that the letter came from you. (This overly simplifies the concept, but you get the idea.)

We previously supported DKIM, but with the new key management feature, you can create new keys and the system will retire your old keys automatically. This lets you rotate your keys on a regular basis, which is important for maintaining your domain’s security.

Secure your custom domain, protect your reputation

Individuals and businesses rely on ProtonMail custom domains to build their brand. The trust customers and other individuals have in your brand can be destroyed if your email address is spoofed and used to deliver a phishing attack or fraudulent scams. You can assure your contacts that you take their data protection seriously by using ProtonMail and DKIM. By regularly rotating your DKIM keys, you can ensure that no outside attacker can impersonate your email address and harm your reputation.

DKIM requires the public key to be published in your domain registrar’s DNS, which means these keys can be targeted by attackers. Hackers can read your public key and try to crack it. If they can recover the matching private key, they can forge your signature and impersonate your custom domain.

Currently, 1024-bit RSA keys are on the edge of what can be cracked (given very specialized equipment and plenty of time), while 2048-bit RSA keys are considered immune to cracking. This is why we recommend you use 2048-bit keys. Still, to be safe, security experts suggest you get a new DKIM key pair every six months to prevent your address from being spoofed, or at any time you suspect your key may have been compromised.
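To make the mechanism in the two sections above concrete, here is an added Python example; it is not ProtonMail’s code and does not reflect how ProtonMail generates or publishes keys. It publishes a key under a selector, signs a message, verifies it against a dictionary standing in for DNS, then rotates to a new selector and retires the old record by emptying its p= value. The p= value is the base64 DER SubjectPublicKeyInfo that a real DKIM record carries, so key_bits() reads the modulus size (the 1024- versus 2048-bit point above) straight from the published record. Assumptions: textbook RSA without PKCS#1 padding, a simplified stand-in for DKIM canonicalization, and a constructed domain (example.com), selectors (old, new) and message; the pure-Python key generation exists only so the example runs without a crypto library.

```python
import base64, hashlib, math, secrets

def is_probable_prime(n, rounds=8, small=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53)):
    if n < 2 or any(n % p == 0 for p in small):                # trial division rejects most candidates cheaply
        return n in small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):                                    # Miller-Rabin with random bases
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa(bits, e=65537):  # textbook RSA (n, e, d); pure Python so the demo needs no crypto library
    primes = []
    while len(primes) < 2:
        c = secrets.randbits(bits // 2) | (3 << (bits // 2 - 2)) | 1   # top two bits set -> n is exactly `bits` long
        if c not in primes and is_probable_prime(c):
            primes.append(c)
    phi = (primes[0] - 1) * (primes[1] - 1)
    return (primes[0] * primes[1], e, pow(e, -1, phi)) if math.gcd(e, phi) == 1 else generate_rsa(bits, e)

# DER SubjectPublicKeyInfo: its base64 is exactly what a DKIM record's p= tag carries.
RSA_ALG_ID = bytes.fromhex("06092a864886f70d0101010500")  # OID rsaEncryption + NULL parameters

def der(tag, body):  # one TLV; minimal long-form length for bodies of 128 bytes or more (all < 64 KiB here)
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body

def der_int(x):  # INTEGER; a leading zero byte keeps it positive when the top bit is set
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return der(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)

def encode_spki(n, e):  # SEQUENCE { AlgorithmIdentifier, BIT STRING { RSAPublicKey SEQUENCE { n, e } } }
    return der(0x30, der(0x30, RSA_ALG_ID) + der(0x03, b"\x00" + der(0x30, der_int(n) + der_int(e))))

def der_read(buf, pos=0):  # read one TLV at pos -> (tag, body, position after it)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def decode_spki(blob):  # (n, e) from DER SubjectPublicKeyInfo; ValueError if it is not an RSA key
    _, body, _ = der_read(blob)
    _, alg, pos = der_read(body)
    if alg != RSA_ALG_ID:
        raise ValueError("not an rsaEncryption key")
    _, rsa_key, _ = der_read(der_read(body, pos)[1], 1)       # BIT STRING body, skipping its unused-bits byte
    _, n_bytes, pos = der_read(rsa_key)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(der_read(rsa_key, pos)[1], "big")

# Small DKIM helpers: record syntax, key publication and the bytes a signature covers.
def parse_tags(text):  # tag=value list, e.g. 'v=DKIM1; k=rsa; p=' (an empty p= marks a retired key)
    return {k.strip(): v.strip() for k, _, v in (t.partition("=") for t in text.split(";")) if k.strip()}
def dkim_record(n, e):  # the TXT value published at <selector>._domainkey.<domain>
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(encode_spki(n, e)).decode()
def key_bits(record):  # modulus size of a published record, or 0 once its key is retired (empty p=)
    p = parse_tags(record).get("p")
    return decode_spki(base64.b64decode(p))[0].bit_length() if p else 0
def signed_input(domain, selector, headers, body):  # simplified stand-in for DKIM's canonicalization and h= list
    return (f"d={domain}; s={selector}\r\n" + "\r\n".join(headers) + "\r\n\r\n" + body).encode()

def dkim_sign(domain, selector, headers, body, n, d):  # textbook RSA over SHA-256 (real DKIM adds PKCS#1 v1.5 padding)
    h = int.from_bytes(hashlib.sha256(signed_input(domain, selector, headers, body)).digest(), "big")
    sig = pow(h, d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    return f"v=1; a=rsa-sha256; d={domain}; s={selector}; b={base64.b64encode(sig).decode()}"

def dkim_verify(signature, headers, body, dns):  # recipient side; `dns` is a dict standing in for real DNS
    t = parse_tags(signature)
    record = dns.get(f"{t['s']}._domainkey.{t['d']}")          # the selector names which key to fetch
    if record is None:
        return "permfail: no key record"
    p = parse_tags(record).get("p")
    if not p:
        return "permfail: key retired"
    n, e = decode_spki(base64.b64decode(p))
    h = int.from_bytes(hashlib.sha256(signed_input(t["d"], t["s"], headers, body)).digest(), "big")
    return "pass" if pow(int.from_bytes(base64.b64decode(t["b"]), "big"), e, n) == h else "fail: signature mismatch"

def rotation_demo():  # rotate example.com from selector 'old' (1024-bit) to 'new' (2048-bit); all values constructed
    domain, headers, body = "example.com", ["From: alice@example.com", "Subject: hello"], "constructed body\r\n"
    n1, e1, d1 = generate_rsa(1024)
    dns = {f"old._domainkey.{domain}": dkim_record(n1, e1)}
    sig_old = dkim_sign(domain, "old", headers, body, n1, d1)   # mail sent while only 'old' exists
    n2, e2, d2 = generate_rsa(2048)
    dns[f"new._domainkey.{domain}"] = dkim_record(n2, e2)        # step 1: publish the new selector
    out = {"key bits": {s: key_bits(dns[f"{s}._domainkey.{domain}"]) for s in ("old", "new")}}
    out["old mail, both keys published"] = dkim_verify(sig_old, headers, body, dns)
    out["new mail"] = dkim_verify(dkim_sign(domain, "new", headers, body, n2, d2), headers, body, dns)
    dns[f"old._domainkey.{domain}"] = "v=DKIM1; k=rsa; p="       # step 2: retire the old key (empty p=)
    out["old mail, after retirement"] = dkim_verify(sig_old, headers, body, dns)
    return out
```

Calling rotation_demo() returns the outcome of each step: while both selectors are published, mail signed under the old selector still verifies, because the verifier fetches the key named by the s= tag rather than "the" domain key; once the old record's p= is emptied, a verifier treats that key as retired and old signatures fail, which is why the post says to keep the old key in DNS until the new one is live. The 2048-bit key generation takes a few seconds in pure Python.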

How to manually replace your DKIM keys

When you first set up your custom domain, ProtonMail automatically generates a DKIM key pair for you and notifies you by email when your keys are ready. Your public key will be part of a TXT record that you can find in your ProtonMail account.

To use DKIM, you need to publish your DKIM public key in DNS with your domain registrar.

To rotate your keys, you need to update your DNS with the new public key that we generate for you.

Learn how to manually manage your DKIM keys.

We want your feedback!

Whenever we introduce a new feature in beta testing, we need your feedback to help us improve it. Your reports of problems and suggestions for improvements help us make our service better. If you have feedback, please get in touch with our Support team by following these simple instructions for web and mobile devices, or connect on our social media pages listed below.

Thank you for your support. You are helping us bring freedom and privacy to millions of users worldwide.

Best Regards,
The ProtonMail Team

You can get a free secure email account from ProtonMail here.

We also provide a free VPN service to protect your privacy.

ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan or donate. Thank you for your support.

About the Author

Richie Koch

Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.


10 comments on “Introducing DKIM key management, a new feature to protect against domain name impersonation”

  • Hi Proton, thanks for the security update! In the docs, it says: “Once a key retires, you can leave its record in your DNS settings but delete the key value so that it looks like this” with the recommendation to remove the key value but leave the record intact as follows:
    v=DKIM1;k=rsa;p=
    Just to understand, why is this better than simply removing the relevant DNS record? Is this true only for a specific timeframe or is it recommended to leave the retired key records (without key values) in place forever?

    Thanks again.

    Reply
  • If you get a new DKIM public key, will the older emails that you signed with your previous key then appear as untrusted in your recipients’ inbox because they fail DKIM checks?

    Reply
    • No, your older emails will still be trusted. This is because the new key will have a different selector from the key used to send your previous emails.

      However, it is important to keep your old DKIM key in the DNS until the new one is activated.

      Reply
  • What happens to mails sent with an old (retired) key that are still in inboxes of recipients? Will they get an error that the key is not matching anymore?

    Reply
    • Do not worry, your older emails will still be trusted. This is because when you create a new key, it has a different selector from the key used to send your earlier emails.

      However, it is important to keep your old DKIM key in the DNS until the new one is activated.

      Reply
  • For some reason I am unable to find the option to create a new DKIM key in both the regular ProtonMail site or the ProtonMail beta site.

    Reply
    • You can do this by logging in at beta.protonmail.com. Then go to Settings -> Custom Domains and click “Edit” next to the domain you want to update. Then if you click on “DKIM” you’ll see the “Generate a new key” button. If it’s still not working out for you, please contact our support team. Thanks! https://protonmail.com/support-form

      Reply