ISM-0861 policy ASD Information Security Manual (ISM)

Enable DKIM Signing for Organisational Emails

Ensure emails from your organisation's domains use DKIM to verify authenticity and prevent forgery.


Plain language

This control means your organisation needs to use a security method called DKIM to ensure that emails sent from your business are genuine. It's like giving your emails a signature that proves they're really from you and not a scammer pretending to be you. If you don’t do this, someone could fake emails from your domain, which might trick your customers or partners into providing sensitive information or making wrong decisions.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

DKIM signing is enabled on emails originating from an organisation's domains (including subdomains).

Why it matters

Without DKIM signing, attackers can spoof your domains, increasing phishing success and causing fraud, data loss, and reputational harm.


Operational notes

Regularly audit DKIM selectors/keys for all domains and rotate keys; monitor DNS and mail gateway changes to detect unauthorised DKIM disablement.


Implementation tips

  • IT team should enable DKIM for your organisation's email domain: This involves accessing your email provider's settings and turning on DKIM signing. You'll need to update your Domain Name System (DNS) records with the details provided by your email service to activate DKIM.
  • System administrator should update DNS records: Once DKIM is enabled, the administrator must go to your domain host's website and add a DKIM record. This record acts as a public key that email servers use to verify that your emails are authentic.
  • IT team should test DKIM configuration: After setting up DKIM, send a test email to a service that checks email authenticity. Ensure the email passes the DKIM check, confirming it was signed correctly.
  • IT manager should educate employees about DKIM: Conduct a short session with staff explaining how DKIM protects the organisation. Explain that this helps prevent email scams and that they should report suspicious emails even with DKIM in place.
  • IT team should monitor DKIM performance: Set up regular monitoring to ensure DKIM is functioning as expected. Use tools that alert you if there's an issue with email signing, so you can act swiftly.
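The audit described in the operational notes and in the test and monitor steps above, as an added example that is not part of this control page or of any vendor tooling: it checks a published DKIM record for the three conditions that silently break signing (record gone from DNS, key revoked with an empty p=, RSA key shorter than 2048 bits). The DNS answers are constructed inline so it runs offline; in practice they come from a TXT lookup of each selector._domainkey name, and the sample keys are dummy DER structures, not real keys.

```python
import base64

def parse_dkim_record(txt):
    """Split an RFC 6376 tag=value list into a dict, dropping folding whitespace in values."""
    pairs = (p.partition("=") for p in txt.split(";") if p.strip())
    return {k.strip(): "".join(v.split()) for k, _, v in pairs}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, pos, pos + length

def rsa_modulus_bits(spki):
    """Modulus bit length of a DER SubjectPublicKeyInfo that carries an RSA key."""
    _, p, _ = _tlv(spki, 0)        # SubjectPublicKeyInfo SEQUENCE
    _, _, p = _tlv(spki, p)        # skip AlgorithmIdentifier
    _, p, _ = _tlv(spki, p)        # BIT STRING; its first content byte is the unused-bit count
    _, p, _ = _tlv(spki, p + 1)    # RSAPublicKey SEQUENCE
    _, s, e = _tlv(spki, p)        # INTEGER modulus n
    return int.from_bytes(spki[s:e], "big").bit_length()

def audit_dkim_record(txt):
    """Findings for one published DKIM record (None = no DNS answer); [] means healthy."""
    if txt is None:
        return ["record missing: DKIM disabled or selector removed from DNS"]
    tags, findings = parse_dkim_record(txt), []
    if not tags.get("p"):
        findings.append("empty or missing p= tag: key revoked, signatures will not verify")
    elif tags.get("k", "rsa") == "rsa":  # ed25519 keys (k=ed25519) are raw bytes, not SPKI
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
        if bits < 2048:
            findings.append(f"RSA key is only {bits} bits; rotate to 2048 or longer")
    return findings

def constructed_spki(bits):
    """Syntactically valid RSA SubjectPublicKeyInfo around a dummy modulus (NOT a real key)."""
    def der(tag, body):  # minimal DER TLV encoder, enough for lengths below 65536
        n = len(body)
        hdr = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
        return bytes([tag]) + hdr + body
    rsa_key = der(0x30, der(0x02, b"\x00" + b"\xff" * (bits // 8)) + der(0x02, b"\x01\x00\x01"))  # n, e=65537
    alg = der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption OID + NULL params
    return der(0x30, alg + der(0x03, b"\x00" + rsa_key))  # BIT STRING with zero unused bits

SAMPLE_RECORDS = {  # constructed DNS TXT answers, keyed by <selector>._domainkey.<domain>
    "s1._domainkey.example.com": "v=DKIM1; k=rsa; p=" + base64.b64encode(constructed_spki(2048)).decode(),
    "s2._domainkey.example.com": "v=DKIM1; k=rsa; p=" + base64.b64encode(constructed_spki(1024)).decode(),
    "old._domainkey.example.com": "v=DKIM1; k=rsa; p=",  # key revoked by publishing an empty p=
    "gone._domainkey.example.com": None}  # selector deleted from DNS, i.e. signing silently disabled
```

Run `audit_dkim_record` over every selector in your baseline on a schedule and alert on any non-empty result; a selector that drops out of the baseline answer set is the "unauthorised disablement" the operational notes refer to.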

Audit / evidence tips

  • Ask: The DNS records for DKIM. Request a screenshot or a printout of your DNS records showing the DKIM settings.
  • Good: Setup will show that DKIM signing is turned on for each relevant domain.
  • Ask: Logs or reports on email deliveries. Check the logs for indications that emails are being signed with DKIM. Good logs will show DKIM 'passed' statuses for sent emails.
  • Ask: To see the DKIM policy document.
  • Good: Will include dates and topics covered in these educational sessions.

Cross-framework mappings

How ISM-0861 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.


No cross-framework mappings recorded yet.
