Enable DKIM Signing for Organisational Emails
Ensure emails from your organisation's domains use DKIM to verify authenticity and prevent forgery.
Plain language
This control means your organisation needs to use a security method called DKIM so that emails sent from your business can be checked as genuine. DKIM attaches a digital signature to each outgoing email, made with a private key that only your mail system holds; the matching public key is published in your domain's DNS, so any receiving mail server can confirm the message really came from your domain and was not altered on the way. If you don't do this, someone could fake emails from your domain, which might trick your customers or partners into providing sensitive information or making wrong decisions.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
DKIM signing is enabled on emails originating from an organisation's domains (including subdomains).
Why it matters
Without DKIM signing, attackers can spoof your domains, increasing phishing success and causing fraud, data loss, and reputational harm.
Operational notes
Keep an inventory of every domain and subdomain that sends mail, including third-party services that send on your behalf, and of the selector each one uses; audit the published selector records regularly and rotate keys on a schedule (use RSA keys of at least 2048 bits). Monitor DNS and mail gateway changes so that unauthorised disablement is detected: a selector record that disappears, or whose p= tag is emptied, revokes the key and causes every signature made with it to fail. DKIM signing on its own only lets receivers verify your mail; it does not tell them to reject unsigned forgeries, so pair it with a DMARC policy.
Implementation tips
- IT team should enable DKIM for all of the organisation's sending domains and subdomains: In your email provider's admin settings, turn on DKIM signing for each domain. The provider will give you a selector name and the public key (or a CNAME target) that must be published in DNS before signing takes effect.
- System administrator should update DNS records: Publish the DKIM record as a TXT record (or a CNAME, if the provider hosts the key) at selector._domainkey.<your domain>. This record carries the public key that receiving mail servers use to verify the signature; the private key stays with the signing mail system and is never published.
- IT team should test DKIM configuration: After setting up DKIM, send a test email to an external mailbox or to a service that checks email authentication and inspect the Authentication-Results header on the received copy. It should show dkim=pass with header.d= set to your domain, confirming the message was signed correctly with the published key.
- IT manager should educate employees about DKIM: Conduct a short session with staff explaining how DKIM protects the organisation. Explain that it helps receivers detect forged mail from your domain, and that staff should still report suspicious emails even with DKIM in place.
- IT team should monitor DKIM performance: Alert on changes to the selector DNS records and on signing errors at the mail gateway, and review DMARC aggregate reports, which show whether receivers are seeing mail from your domains as DKIM-signed and aligned, so you can act swiftly when signing stops.
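The test and monitoring steps above, and the key audit called for in the operational notes, come down to two checks: is the selector record in DNS a usable key, and does received mail actually show dkim=pass for the domain? The following Python script is an added example (not part of the ISM control text and not any mail provider's tooling) that implements both offline. It parses a selector TXT record (the tag=value syntax of RFC 6376), flags a missing or emptied p= tag (an empty p= revokes the key), a non-base64 key, an RSA modulus shorter than 2048 bits, an unsupported key type and the t=y testing flag, and then checks an Authentication-Results header value for dkim=pass with header.d= matching the domain. The records and header are constructed for the demo; the RSA modulus is synthetic (the right length, not a real key), and example.com is the reserved documentation domain.

```python
import base64
import binascii

def _der(tag, value):
    """Encode one DER TLV (short or long length form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _der_int(i):
    """Encode a non-negative INTEGER, prepending 0x00 when the top bit is set."""
    b = i.to_bytes((i.bit_length() + 7) // 8, "big")
    return _der(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)

def _der_read(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def synthetic_rsa_spki(bits):
    """Constructed test data: a SubjectPublicKeyInfo whose modulus is exactly `bits` long.
    The modulus is not a real RSA key; it only exercises the key-length check."""
    rsa_pub = _der(0x30, _der_int((1 << (bits - 1)) | 1) + _der_int(65537))
    rsa_oid = _der(0x06, bytes.fromhex("2a864886f70d010101"))   # 1.2.840.113549.1.1.1
    alg = _der(0x30, rsa_oid + _der(0x05, b""))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))

def rsa_modulus_bits(spki_der):
    """Walk SPKI -> BIT STRING -> RSAPublicKey and return the modulus size in bits."""
    _, spki, _ = _der_read(spki_der)
    _, _alg, pos = _der_read(spki)                 # AlgorithmIdentifier, not needed here
    tag, bitstr, _ = _der_read(spki, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING in SubjectPublicKeyInfo")
    _, rsa_pub, _ = _der_read(bitstr[1:])          # skip the unused-bits octet
    tag, modulus, _ = _der_read(rsa_pub)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus in RSAPublicKey")
    return int.from_bytes(modulus, "big").bit_length()

def parse_dkim_record(txt):
    """Split a selector TXT record ('v=DKIM1; k=rsa; p=...') into a tag dict.
    Whitespace inside a value is dropped, so folded p= chunks join up."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags

def audit_dkim_record(txt, min_rsa_bits=2048):
    """Return findings for one selector record; an empty list means it passes."""
    tags = parse_dkim_record(txt)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= tag present but not DKIM1")
    if "p" not in tags:
        return findings + ["no p= tag: not a DKIM key record"]
    if tags["p"] == "":
        return findings + ["p= is empty: key revoked, signatures with this selector fail"]
    try:
        key = base64.b64decode(tags["p"], validate=True)
    except binascii.Error:
        return findings + ["p= is not valid base64"]
    ktype = tags.get("k", "rsa")
    if ktype == "rsa":
        bits = rsa_modulus_bits(key)
        if bits < min_rsa_bits:
            findings.append(f"RSA key is {bits} bits, below the {min_rsa_bits}-bit minimum")
    elif ktype == "ed25519":
        if len(key) != 32:
            findings.append("ed25519 key is not 32 bytes")
    else:
        findings.append(f"unsupported key type k={ktype}")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing flag set: receivers may disregard failures")
    return findings

def dkim_pass_for_domain(auth_results, domain):
    """True when an Authentication-Results value reports dkim=pass with header.d=domain."""
    for clause in auth_results.split(";")[1:]:     # element 0 is the authserv-id
        props = clause.split()
        if not props or not props[0].startswith("dkim="):
            continue
        signer = next((p[9:] for p in props[1:] if p.startswith("header.d=")), None)
        if props[0] == "dkim=pass" and signer and signer.lower() == domain.lower():
            return True
    return False

# Constructed sample inputs; example.com is the reserved documentation domain.
GOOD_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(synthetic_rsa_spki(2048)).decode()
WEAK_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(synthetic_rsa_spki(1024)).decode()
REVOKED_RECORD = "v=DKIM1; p="
SAMPLE_AUTH_RESULTS = ("mx.example.net; spf=pass smtp.mailfrom=example.com; "
                       "dkim=pass (2048-bit key) header.d=example.com header.s=sel2024")
```

To use it against a live domain, feed audit_dkim_record the TXT value returned by `dig +short TXT <selector>._domainkey.<your domain>` (joining any quoted chunks) for every selector in the inventory, and feed dkim_pass_for_domain the Authentication-Results header from a test message received at an external mailbox. Running the same checks on a schedule, and alerting when a selector that passed last time now returns a finding, is the "detect unauthorised disablement" part of the operational notes.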
Audit / evidence tips
- Ask for the DNS records for DKIM: request a screenshot or printout of the DNS records showing the DKIM selector record for each domain and subdomain that sends mail.
- Good evidence shows DKIM signing turned on for each relevant domain, with a published selector record whose p= tag holds a current key rather than being empty.
- Ask for logs or reports on email deliveries: check mail gateway logs, test-message headers or DMARC aggregate reports for indications that outgoing emails are being signed with DKIM. Good logs show dkim=pass results for mail sent from your domains.
- Ask to see the DKIM policy document: it should set out the domains covered, key length, key rotation schedule and who owns each selector.
- Good evidence of the staff education sessions will include the dates and topics covered.
Cross-framework mappings
How ISM-0861 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
No cross-framework mappings recorded yet.