What DKIM does
DKIM works by adding a digital signature to the email header. The signature is generated with a private key held by the sending organisation and verified with the corresponding public key, which the organisation publishes in its Domain Name System (DNS) records. A selector, a short identifier included in the signature, tells the receiving server which of several published keys to use, so a single domain can hold multiple DKIM keys at once. A valid signature confirms that the signed parts of the message haven't been altered in transit and that it originates from an authorised sender, which bolsters trust with recipient mail servers.
DKIM in Australian tenants today
For AU mid-market organisations using Exchange Online, implementing DKIM is a practical step towards demonstrating due diligence under APRA CPS 234. Enabling DKIM for both the default domain and any custom domains is standard practice. Microsoft 365 supports both 1024-bit and 2048-bit keys; 2048-bit is increasingly preferred for its stronger security. Regular key rotation limits the impact of a key compromise and aligns with best practice for ongoing cybersecurity resilience.
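To make the mechanics in "What DKIM does" concrete, and to show why the 2048-bit keys and key rotation discussed above matter, here is an added example in Go. It is not code from the original page and not Microsoft's or Exchange Online's implementation. It implements a cut-down DKIM signer and verifier: RSA-SHA256, "simple" canonicalisation for both headers and body, and only the From and Subject headers signed, which is enough to show what is hashed, what the public-key record looks like, how tampering is detected, and how a second selector allows rotation without breaking mail already in transit. An in-memory map stands in for DNS, and the domain `example.com.au` with selectors `selector1` and `selector2` are constructed assumptions, not a real tenant. Real DKIM also supports relaxed canonicalisation, longer header lists and body length limits; those are left out here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

var dnsTXT = map[string]string{} // stands in for DNS: "<selector>._domainkey.<domain>" -> TXT record text

// publishKey stores the DKIM key record ("v=DKIM1; k=rsa; p=<base64 SPKI>") for a selector.
func publishKey(selector, domain string, pub *rsa.PublicKey) {
	rec := "v=DKIM1; k=rsa; p=" // an empty p= is how RFC 6376 marks a key as revoked
	if pub != nil {
		der, _ := x509.MarshalPKIXPublicKey(pub)
		rec += base64.StdEncoding.EncodeToString(der)
	}
	dnsTXT[selector+"._domainkey."+domain] = rec
}

// parseTags splits a DKIM tag=value list such as "v=1; a=rsa-sha256; d=...; s=...; b=...".
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[k] = strings.TrimSpace(v)
		}
	}
	return tags
}

// lookupKey resolves the selector's record and parses the RSA public key from its p= tag.
func lookupKey(selector, domain string) (*rsa.PublicKey, error) {
	der, err := base64.StdEncoding.DecodeString(parseTags(dnsTXT[selector+"._domainkey."+domain])["p"])
	key, _ := x509.ParsePKIXPublicKey(der)
	pub, ok := key.(*rsa.PublicKey)
	if err != nil || !ok {
		return nil, fmt.Errorf("selector %q: no record, key revoked (empty p=) or not RSA", selector)
	}
	return pub, nil
}

// bodyHash: "simple" body canonicalisation (CRLF endings, trailing blank lines collapsed), then base64 SHA-256 (the bh= value).
func bodyHash(body string) string {
	b := strings.TrimRight(strings.ReplaceAll(body, "\r\n", "\n"), "\n") + "\n"
	sum := sha256.Sum256([]byte(strings.ReplaceAll(b, "\n", "\r\n")))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// headerDigest hashes the signed headers, then the DKIM-Signature header with b= empty and no trailing CRLF (RFC 6376).
func headerDigest(headers []string, sigHeader string) []byte {
	h := sha256.New()
	for _, line := range headers {
		h.Write([]byte(line + "\r\n"))
	}
	h.Write([]byte("DKIM-Signature: " + sigHeader))
	return h.Sum(nil)
}

// sign is the sending side: headers are the From and Subject lines exactly as sent ("simple" canonicalisation).
func sign(priv *rsa.PrivateKey, domain, selector string, headers []string, body string) (string, error) {
	hdr := fmt.Sprintf("v=1; a=rsa-sha256; c=simple/simple; d=%s; s=%s; h=from:subject; bh=%s; b=", domain, selector, bodyHash(body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerDigest(headers, hdr))
	return hdr + base64.StdEncoding.EncodeToString(sig), err
}

// verify is the receiving side: recompute bh=, fetch the key named by d= and s=, then check the RSA signature.
func verify(dkimHeader string, headers []string, body string) error {
	tags := parseTags(dkimHeader)
	if tags["bh"] != bodyHash(body) {
		return fmt.Errorf("body hash mismatch: body altered after signing")
	}
	pub, err := lookupKey(tags["s"], tags["d"])
	if err != nil {
		return err
	}
	sig, _ := base64.StdEncoding.DecodeString(tags["b"]) // signed input is the header with b= emptied; a malformed b= fails below
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerDigest(headers, dkimHeader[:strings.Index(dkimHeader, "; b=")+4]), sig)
}

func main() {
	const domain = "example.com.au" // constructed example domain, not a real tenant
	hdrs := []string{"From: ops@example.com.au", "Subject: Quarterly report"}
	body := "Please find the report attached.\r\n"
	k1, _ := rsa.GenerateKey(rand.Reader, 2048)
	publishKey("selector1", domain, &k1.PublicKey)
	sig, _ := sign(k1, domain, "selector1", hdrs, body)
	fmt.Println("original:", verify(sig, hdrs, body), "| altered:", verify(sig, hdrs, "Altered.\r\n"))
	k2, _ := rsa.GenerateKey(rand.Reader, 2048) // rotation: sign new mail with a fresh key under selector2,
	publishKey("selector2", domain, &k2.PublicKey)
	sig2, _ := sign(k2, domain, "selector2", hdrs, body)
	publishKey("selector1", domain, nil) // then revoke selector1 only once mail signed with it has been delivered
	fmt.Println("rotated:", verify(sig2, hdrs, body), "| revoked:", verify(sig, hdrs, body), "| key bits:", k2.N.BitLen())
}
```

Run it with `go run` and the first line shows a clean verification next to a body-hash failure for the altered copy; the second shows that mail signed under the new selector verifies while the revoked selector is refused. Publishing the replacement key under a second selector before emptying the first is what lets a two-selector setup (the pattern Exchange Online uses) rotate without invalidating messages still in transit. The `pub.N.BitLen()` check on the key returned by `lookupKey` is the same test an administrator would run against a live record to confirm that a 2048-bit key, and not a leftover 1024-bit one, is actually published.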