Verification of DKIM Signatures on Incoming Emails
Ensure that DKIM signatures on received emails are checked to identify legitimate sources.
Plain language
This control ensures that emails your organisation receives are verified to confirm they're from legitimate senders. This is important because if you don't check these email signatures, you might fall victim to scams or phishing attacks, thinking fraudulent emails are from trusted sources.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
May 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
DKIM signatures on incoming emails are verified.
Why it matters
If DKIM on incoming mail is not verified, spoofed or tampered emails may be accepted, increasing phishing risk, fraud, and potential data compromise.
Operational notes
Enforce DKIM verification on inbound gateways, alert on DKIM failures, and review signature failures by domain/selector to detect spoofing or misconfiguration quickly.
Implementation tips
- IT teams should ensure the email system is set up to check DomainKeys Identified Mail (DKIM) signatures. They can do this by configuring the email server settings to automatically verify these digital signatures whenever an email is received.
- The IT manager should regularly update the email system to maintain its ability to verify DKIM signatures. They can achieve this by scheduling monthly checks for any available updates or patches for the email software and applying them as needed.
- The cybersecurity officer should provide training for staff on recognising the value of DKIM signatures. This can be done using simple examples showing how verified emails appear different from non-verified ones, highlighting the 'trusted source' factor.
- Business owners should have a policy in place that outlines the importance of DKIM signature verification for email security. This policy should be communicated clearly to all staff during security briefings or through an internal memo.
- System administrators should conduct tests on email systems to ensure DKIM signature verifications are functioning correctly. They can do this by sending test emails with DKIM signatures from a legitimate source and confirming these are correctly recognised and marked by the email system.
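The operational note above asks for DKIM failures to be alerted on and reviewed by domain and selector, and the last implementation tip asks administrators to confirm that a legitimately signed test message is recognised and marked correctly. The script below is an added example, not part of the ISM control or of any particular mail product: it reads the Authentication-Results header (RFC 8601) that an inbound gateway writes after verifying DKIM, classifies each message, and tallies failed signatures per signing domain and selector. The gateway name `mx.corp.example`, the domains and selectors, and all sample messages are constructed for the example; the check that the signing domain matches the From: domain is the DMARC-style alignment test, which goes beyond what the control statement itself requires.

```python
"""Triage DKIM verification results recorded on inbound mail.

An inbound gateway that verifies DKIM records its verdict in an
Authentication-Results header (RFC 8601). This example parses those headers,
classifies each message, and tallies failed signatures by signing domain (d=)
and selector (s=) so a reviewer can spot spoofing or a broken key rotation.
All sample messages below are constructed for this example.
"""
from collections import Counter
from email import message_from_string
from email.utils import parseaddr


def parse_dkim_results(message_text):
    """Return one dict per dkim= clause in the message's Authentication-Results
    headers: {'result': 'pass'|'fail'|'none'|..., 'd': domain, 's': selector}."""
    msg = message_from_string(message_text)
    results = []
    for raw in msg.get_all("Authentication-Results", []):
        # Unfold continuation lines, then split into ';'-separated clauses.
        # The first clause is the authserv-id; it carries no 'dkim=' and is skipped.
        for clause in " ".join(str(raw).split()).split(";"):
            tokens = clause.split()
            if not tokens or not tokens[0].lower().startswith("dkim="):
                continue
            entry = {"result": tokens[0].split("=", 1)[1].lower(), "d": None, "s": None}
            for tok in tokens[1:]:
                # Property tokens look like header.d=example.com or header.s=sel1;
                # parenthesised comments such as "(2048-bit key)" are ignored.
                if tok.lower().startswith("header.") and "=" in tok:
                    key, value = tok[len("header."):].split("=", 1)
                    if key.lower() in ("d", "s"):
                        entry[key.lower()] = value.lower()
            results.append(entry)
    return results


def from_domain(message_text):
    """Domain of the RFC 5322 From: address, lower-cased ('' if absent)."""
    _, addr = parseaddr(message_from_string(message_text).get("From", ""))
    return addr.rpartition("@")[2].lower()


def assess(message_text):
    """Classify a message by its DKIM verdicts.

    'aligned-pass'   a verified signature from the From: domain (or a parent of it)
    'fail'           at least one signature failed to verify and none aligned
    'unaligned-pass' only signatures from unrelated domains verified
    'none'           no DKIM signature was verified at all
    Alignment of d= with the From: domain is the DMARC-style check (an addition
    here); the ISM control itself only requires that signatures are verified.
    """
    domain = from_domain(message_text)
    verdicts = parse_dkim_results(message_text)
    aligned = [v for v in verdicts if v["result"] == "pass" and v["d"]
               and (domain == v["d"] or domain.endswith("." + v["d"]))]
    if aligned:
        return "aligned-pass"
    if any(v["result"] == "fail" for v in verdicts):
        return "fail"
    if any(v["result"] == "pass" for v in verdicts):
        return "unaligned-pass"
    return "none"


def failures_by_domain_selector(messages):
    """Count failed signatures per (d=, s=) pair across a batch of messages.
    A burst against one pair is the signal to review: either someone is
    forging that domain, or the domain rotated its key and its DNS is stale."""
    counts = Counter()
    for text in messages:
        for v in parse_dkim_results(text):
            if v["result"] == "fail":
                counts[(v["d"], v["s"])] += 1
    return counts


# Constructed sample messages, as an inbound gateway would deliver them.
LEGIT = """From: Alerts <alerts@example.com>
Authentication-Results: mx.corp.example; dkim=pass (2048-bit key)
 header.d=example.com header.s=mail2024 header.i=@example.com;
 spf=pass smtp.mailfrom=example.com
Subject: Nightly report

body
"""
SPOOF = """From: "CEO" <ceo@example.com>
Authentication-Results: mx.corp.example;
 dkim=fail (body hash did not verify) header.d=example.com header.s=mail2024;
 spf=fail smtp.mailfrom=example.com
Subject: Urgent wire transfer

body
"""
THIRD_PARTY = """From: news@example.com
Authentication-Results: mx.corp.example;
 dkim=pass header.d=bulk-sender.example header.s=k1
Subject: Newsletter

body
"""
UNSIGNED = """From: someone@partner.example
Authentication-Results: mx.corp.example; dkim=none; spf=pass smtp.mailfrom=partner.example
Subject: Hello

body
"""
SAMPLE_MESSAGES = [LEGIT, SPOOF, THIRD_PARTY, UNSIGNED, SPOOF]

if __name__ == "__main__":
    for text in SAMPLE_MESSAGES:
        print(f"{from_domain(text):<20} {assess(text)}")
    for (d, s), n in failures_by_domain_selector(SAMPLE_MESSAGES).items():
        print(f"ALERT: {n} failed signature(s) for d={d} s={s}")
```

Run against a day's worth of delivered messages, the per-(domain, selector) counts are what the operational note calls reviewing failures by domain/selector: a single failing selector for a domain that otherwise passes usually means that domain rotated its key badly, while failures spread across a domain that is also failing SPF are the spoofing case. The `assess(LEGIT)` result doubles as the administrator's test from the last tip: a signed message from a legitimate source should come back as `aligned-pass`.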
Audit / evidence tips
- Ask for the system configuration documentation: confirm there are settings that specify the checking of DKIM signatures.
  Good evidence is detailed yet straightforward documentation showing DKIM signature checks are enabled and active.
- Good evidence would show regular instances of signature checks happening as expected.
- Ask for a demonstration of system capabilities: have someone from the IT team show the process of a DKIM signature being checked in real time.
  Good evidence is a step-by-step walkthrough showing emails visibly passing DKIM checks.
- Good evidence includes up-to-date records that show ongoing efforts in educating staff about email security and DKIM's role.
- Ask for the email security policy document: ensure it mentions DKIM signature verification and its importance.
  Good evidence is a policy document that outlines the need for and steps to verify DKIM signatures.
Cross-framework mappings
How ISM-1026 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
No cross-framework mappings recorded yet.