SI-8(2) / A.13.2.1 NIST SP 800-177 Rev 1

DKIM signing on all sending streams

Demonstrate that all email sending streams originating from the organization's domains are configured with valid DKIM signatures to authenticate sender identity and message integrity.

Description

What this control does

DomainKeys Identified Mail (DKIM) is a cryptographic email authentication method that allows an organization to take responsibility for transmitting a message by signing it with a private key. The corresponding public key is published in the domain's DNS records, enabling receiving mail servers to verify the signature and confirm the message originated from an authorized server and was not altered in transit. This control requires all outbound email streams—including transactional mail, marketing campaigns, and user-generated messages—to be cryptographically signed using DKIM to protect domain reputation and prevent spoofing.

Control objective

What auditing this proves

Demonstrate that all email sending streams originating from the organization's domains are configured with valid DKIM signatures to authenticate sender identity and message integrity.

Associated risks

Risks this control addresses

  • Attackers spoof the organization's email domain to conduct phishing campaigns against customers, partners, or employees, damaging brand reputation
  • Legitimate outbound email is rejected or marked as spam by recipient mail servers due to lack of authentication, disrupting business communications
  • Email content is modified in transit by adversaries or compromised mail relays without detection, enabling man-in-the-middle attacks
  • Compromised accounts send unauthorized email that cannot be distinguished from legitimate messages during forensic investigation
  • Domain reputation scores decline due to association with unauthenticated or spoofed messages, reducing deliverability of all organizational email
  • Compliance violations occur when regulated communications lack integrity verification mechanisms required by industry standards
  • Incident response teams lack cryptographic evidence to trace email provenance during security investigations or legal proceedings

Testing procedure

How an auditor verifies this control

  1. Obtain a complete inventory of all domains and subdomains used for sending email, including production, staging, marketing, and transactional systems
  2. Identify all email sending mechanisms in use: mail transfer agents (MTAs), email service providers (ESPs), SaaS applications, marketing automation platforms, and SMTP relays
  3. Query DNS records for each sending domain to retrieve published DKIM public key records (TXT records with selector prefix, typically _domainkey)
  4. Select a representative sample of recent outbound email from each identified sending stream and extract message headers
  5. Inspect email headers for the presence of DKIM-Signature fields containing the algorithm (a=), selector (s=), domain (d=), body hash (bh=), and signature (b=) parameters
  6. Verify DKIM signatures using an email authentication testing service or command-line tool (e.g., opendkim-testmsg) to confirm cryptographic validity
  7. Review email gateway and ESP configuration files or administrative consoles to confirm DKIM signing is enabled and properly configured with active private keys
  8. Test a live email transmission from each sending stream to an external verification address and validate that DKIM signatures pass authentication checks

Evidence required

DNS zone file exports or screenshots showing published DKIM TXT records for all sending domains with selector names and public key values. Email header samples from each identified sending stream displaying DKIM-Signature fields with domain, selector, and signature hash values. Configuration screenshots or exports from MTAs, email gateways, and ESP administrative consoles showing DKIM signing enabled with key rotation policies and selector assignments.

Pass criteria

All identified email sending streams across all organizational domains produce messages with valid DKIM signatures that successfully authenticate against published DNS public keys, with no unsigned or failed signature transmissions detected in sample testing.
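As an added example (not part of the control text or of any audit program), the following Python performs the offline part of steps 5 and 6: it parses a DKIM-Signature header into its tags, flags any RFC 6376 required tag that is missing, and recomputes the body hash bh= with simple or relaxed body canonicalization so a sampled message body can be compared against what the signer hashed. The header, the example.com domain, the selector sel2024 and the body text are constructed; the b= signature value is not verified, since that needs the public key retrieved from DNS in step 3.

```python
"""Parse a DKIM-Signature header (step 5) and recompute its bh= body hash (step 6)
using RFC 6376 body canonicalization. The b= signature is not checked here."""
import base64, hashlib, re

REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")   # RFC 6376 section 3.5

SAMPLE_HEADER = (  # constructed header, folded across lines as in a sampled message
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024;\r\n"
    "\th=from:to:subject:date; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;\r\n"
    "\tb=PLACEHOLDERnotARealSignature="
)

def parse_dkim_signature(header: str) -> dict:
    """Split 'tag=value; ...' into a dict, dropping folding whitespace."""
    tags = {}
    for part in header.split(";"):
        name, sep, value = part.partition("=")   # b= and bh= end in '=' padding
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def missing_tags(tags: dict) -> list:
    """Required tags absent from the header; any entry is an audit finding."""
    return [t for t in REQUIRED_TAGS if t not in tags]

def canonicalize_body(body: str, method: str) -> bytes:
    """'simple' trims trailing empty lines; 'relaxed' also normalizes whitespace."""
    lines = body.replace("\r\n", "\n").split("\n")
    if method == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:                     # empty body: relaxed -> "", simple -> CRLF
        return b"" if method == "relaxed" else b"\r\n"
    return ("\r\n".join(lines) + "\r\n").encode()

def body_hash(body: str, tags: dict) -> str:
    """Recompute bh= with the digest named in a= and the body method in c=."""
    algo = tags.get("a", "rsa-sha256").rsplit("-", 1)[-1]          # sha256 or sha1
    method = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return base64.b64encode(hashlib.new(algo, canonicalize_body(body, method)).digest()).decode()

def body_hash_matches(body: str, tags: dict) -> bool:
    """False means the body changed after signing (or the signer's bh= is wrong)."""
    return body_hash(body, tags) == tags.get("bh")

if __name__ == "__main__":
    tags = parse_dkim_signature(SAMPLE_HEADER)     # sample bh= is for an empty body
    print("missing required tags:", missing_tags(tags) or "none")
    print("empty body matches bh=:", body_hash_matches("\r\n\r\n", tags))
```

A body that differs from the signed one, even by trailing whitespace under simple canonicalization, yields a different bh= and fails the check, which is the integrity property the control relies on.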