DKIM: Cryptographic Proof That Your School's Email Is Genuine

DKIM adds a digital signature to every email your school sends. Receiving mail servers use this signature to verify the message was genuinely sent by you and hasn't been altered in transit.

What Is DKIM?

DomainKeys Identified Mail (DKIM) is an email authentication method that uses public-key cryptography to sign outgoing emails. It proves two things:

  1. The email was authorized by the owner of the signing domain
  2. The email content (headers and body) was not modified in transit

Unlike SPF — which verifies the sending server's IP address — DKIM attaches a cryptographic signature directly to the message itself.

How DKIM Works

  1. Your mail server generates a public/private key pair
  2. The private key is kept secret on your mail server
  3. The public key is published in your DNS as a TXT record
  4. When you send an email, your mail server uses the private key to create a signature and adds it as a header
  5. When the receiving server gets the email, it looks up your public key in DNS and uses it to verify the signature
  6. If the signature matches → DKIM passes. If the message was altered → DKIM fails.

What a DKIM Signature Looks Like

The signature is added as a header the recipient never sees:

```
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=yourschool.edu.ph; s=google;
    h=from:to:subject:date;
    bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
    b=ABC123...
```

The public key DNS record looks like:

```
google._domainkey.yourschool.edu.ph TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSq..."
```

Why DKIM Matters for Schools

SPF alone isn't enough

SPF verifies the sending server, but an attacker who compromises a legitimate sending server (or uses a misconfigured relay) can still pass SPF while sending fraudulent email. DKIM's cryptographic signature cannot be forged without the private key.

DKIM catches message tampering

If an attacker intercepts your email in transit and modifies it (changes a bank account number, edits instructions), DKIM verification will fail at the destination — alerting the recipient's mail system.

Required for DMARC

DMARC — the policy that actually enforces email authentication — requires at least one of SPF or DKIM to pass with proper alignment. Without DKIM, your DMARC protection is weaker and more fragile.

Improves deliverability

Gmail, Outlook, and other providers use DKIM as a trust signal. School emails without DKIM are more likely to land in spam, which means important communications (report cards, emergency notices, enrollment confirmations) may not reach parents.

How to Set Up DKIM

DKIM setup depends on your email provider. Most generate the key pair for you.

Google Workspace

  1. Go to Google Admin → Apps → Google Workspace → Gmail → Authenticate email
  2. Click Generate new record for your domain
  3. Copy the provided TXT record value
  4. Add it to your domain's DNS as a TXT record with the name google._domainkey
  5. Return to Google Admin and click Start authentication

Microsoft 365

  1. Go to Microsoft 365 Defender → Email & collaboration → Policies & rules → Threat policies → Email Authentication Settings → DKIM
  2. Select your domain and click Enable
  3. Microsoft provides two CNAME records to add to your DNS

cPanel / web hosting

  1. In cPanel, go to Email → Authentication
  2. Enable DKIM — cPanel generates and installs the key automatically

Checking DKIM

After setup, send a test email to a Gmail address and click the three dots → Show original. Look for:

```
DKIM: 'PASS' with domain yourschool.edu.ph
```

Or use a free tool like MXToolbox DKIM Lookup to verify your DNS record is correct.

The Site Scanner also checks whether your domain has DKIM configured.
