Configure Email Distribution Lists to Preserve DKIM Signatures
Ensure email lists don't invalidate DKIM signatures from external senders.
Plain language
This control ensures that when an email passes through a group email list, the original sender's DKIM signature stays valid. Why does this matter? If the DKIM signature isn't preserved, legitimate emails might end up in spam folders or could be tampered with without anyone noticing, which could damage trust and communication with your clients.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Email distribution list applications used by external senders is configured such that it does not break the validity of the sender's DKIM signature.
Why it matters
Compromised DKIM signatures can result in legitimate emails being marked as spam or malicious, damaging client trust and disrupting communication channels.
Operational notes
Regularly test distribution list behaviour to ensure forwarded mail preserves DKIM validity and avoids header/body rewrites that invalidate signatures.
Implementation tips
- The IT team should review how email distribution lists are set up. They need to make sure that when emails are sent through these lists, the DKIM signature from the original sender remains intact. This can be done by avoiding changes to the email content or headers that might invalidate the DKIM signature.
- System administrators should enable email gateway features that support DKIM. They need to configure these settings to ensure DKIM signatures are verified and not altered, which means setting parameters to leave the signed portions of emails unchanged.
- The IT department should work with the email service provider to understand DKIM requirements. They should confirm the provider supports DKIM and discuss ways to maintain integrity when emails pass through distribution lists. This could involve reviewing the provider's best practices or configuration options.
- Business managers should periodically check how external emails are managed by the office email system. They should work with the IT team to test sending emails through distribution lists and confirm the DKIM signature is preserved. This involves sending a test email through the list and checking the delivered message's headers to confirm the DKIM signature still verifies.
- Email administrators should educate staff on the importance of DKIM and its role in email security. They should provide basic guidance on how email distribution lists should be used to avoid issues that can lead to DKIM signature problems, such as unnecessary editing of forwarded emails.
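The test described in the tips above, as an added example that is not part of this control page or any vendor's product: the script recomputes the DKIM body hash (bh=) of a delivered message and compares it with the value the sender signed, which is exactly what a footer-appending list breaks. The sample message, the domain example.com, the selector sel and the helper names are constructed for illustration, and the b= signature is left as a placeholder because only the body hash is checked here.

```python
import base64, hashlib, re

def _tags(value: str) -> dict:
    """Parse 'k=v; k=v' tags of a DKIM-Signature value, dropping folding whitespace."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def _body_mode(tags: dict) -> str:  # 'c=relaxed' alone means header relaxed, body simple
    return (tags.get("c", "simple") + "/simple").split("/")[1]

def canonical_body(body: str, mode: str) -> bytes:
    """RFC 6376 body canonicalisation ('simple' or 'relaxed')."""
    lines = body.split("\r\n")
    if mode == "relaxed":  # collapse runs of WSP and strip trailing WSP on each line
        lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in lines]
    while lines and lines[-1] == "":  # drop trailing empty lines
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode()

def body_hash(body: str, mode: str, algo: str = "rsa-sha256") -> str:
    digest = hashlib.sha1 if algo == "rsa-sha1" else hashlib.sha256
    return base64.b64encode(digest(canonical_body(body, mode)).digest()).decode()

def split_message(raw: str):
    """Return (DKIM-Signature tags, body) of a CRLF-terminated message."""
    head, _, body = raw.partition("\r\n\r\n")
    m = re.search(r"^DKIM-Signature:(.*?)(?=\r\n\S|\Z)", head, re.S | re.M)
    return (_tags(m.group(1)) if m else {}), body

def body_hash_intact(raw: str) -> bool:
    """True if bh= still matches the body, i.e. nothing rewrote the signed body in transit."""
    tags, body = split_message(raw)
    return "bh" in tags and tags["bh"] == body_hash(body, _body_mode(tags), tags.get("a", ""))

def stamp_body_hash(raw: str) -> str:
    """Stand-in for the sender's signer: fills bh= from the body (b= stays a placeholder)."""
    tags, body = split_message(raw)
    return raw.replace("bh=PLACEHOLDER", "bh=" + body_hash(body, _body_mode(tags)))

# Constructed sample as it left the sender; b= is a placeholder, only bh= is exercised here.
ORIGINAL = stamp_body_hash(
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel;\r\n"
    " h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "From: sender@example.com\r\nTo: list@example.org\r\nSubject: Quarterly report\r\n"
    "\r\nHello list,\r\nPlease find the report attached.\r\n"
)
WITH_FOOTER = ORIGINAL + "-- \r\nSent via list@example.org\r\n"  # body rewrite breaks bh=
RETAGGED = ORIGINAL.replace("Subject: ", "Subject: [list] ")   # header rewrite breaks only b=
```

A list footer changes bh=, but a subject tag leaves bh= intact and only breaks the b= signature over the signed headers, so a complete check must verify the whole signature with a DKIM verifier (for example dkim.verify() from the dkimpy package) against the sender's published key.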
Audit / evidence tips
- Ask for the email distribution list configuration settings: request a detailed configuration report from the IT team. Good evidence will show settings that explicitly mention preserving email headers and content.
- Ask for logs of email transmissions through distribution lists: request a log showing emails sent through lists. Good evidence will indicate no changes to DKIM signatures.
- Ask for documentation on email provider details: request material that confirms the email service's support for DKIM. Good evidence will be clear provider documentation on how DKIM is maintained.
- Ask for records of employee training on email handling: request records of training sessions on preserving email integrity. Good evidence will show recent training that included DKIM and email handling best practices.
- Ask for a report from a recent email security review: request a report showing a security audit of the organisation's email practices. Good evidence will show a review date and corrective actions taken.
Cross-framework mappings
How ISM-1027 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.9 | Partially meets | ISM-1027 requires organizations to configure email distribution list applications used by external senders to ensure the sender's DKIM si... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.