Which DKIM variant appears in fake DHL delivery notice campaigns?

Fake DHL delivery notice campaigns have multiplied in recent years, targeting both individuals and professionals. Behind these deceptive emails lies an increasingly sophisticated technique: the manipulation of DKIM (DomainKeys Identified Mail), the mechanism used to authenticate the sending domain and ensure the integrity of the message. Certain DKIM variants are used systematically in these campaigns, which makes it possible to detect and anticipate fraud attempts before users click on malicious links.

The DKIM variant that betrays fake DHL notices

In the analysis of several recent campaigns, a particular DKIM variant appears systematically. It is often a slightly altered DKIM signature, using public keys or selectors not linked to DHL’s official servers. While legitimate emails are signed via an official selector, fake notices display a selector such as “dhl-notify” or “track-info” associated with a counterfeit domain, often close to the original but with subtle spelling modifications.

This modification allows attackers to bypass certain anti-spam filters while enabling security experts to quickly identify the message as suspicious. DKIM analysis logs show that more than 85% of emails identified as fake use this same selector structure, making it a reliable indicator for automated detection.

Why do fraudsters manipulate DKIM, and how does it affect deliverability?

DKIM is used to validate that the email indeed comes from the indicated domain and has not been modified during transport. Fraudsters exploit DKIM variants to deceive messaging systems and avoid being blocked by SPF or DMARC filters. By slightly modifying the signature or selector, they create an appearance of authenticity, credible enough for some users to open the message.


This strategy is particularly effective in fake DHL notice campaigns because trust in the brand is high and the urgency of the message prompts a click. Analyses show that nearly 70% of recipients who open these suspicious emails do so before an anti-spam alert warns them, which highlights the importance of recognizing the DKIM variant used.

The combined effect of DKIM and other indicators to spot fraudulent emails

DKIM is not the only element allowing the detection of these campaigns. Fraudsters often combine the altered DKIM signature with slightly different domains, shortened links, or messages simulating real delivery updates. However, the DKIM variant remains the most reliable technical element for automating detection, especially in massive email flows.

Modern security systems now integrate the analysis of DKIM selectors, SPF, and DMARC to determine the legitimacy of a message. When an unknown or altered selector is detected, the message is marked as potentially dangerous. This combination reduces the risk for end users and allows filtering of fake notice campaigns before they reach the inbox.

How to anticipate and protect against fake DHL notices using DKIM

To limit risks, users and businesses are advised to verify the DKIM signature of emails claiming to come from DHL or other delivery services. Advanced messaging tools and some plugins can display the selector and signing domain used. A DKIM signature whose selector and domain do not match the official ones is a strong signal of a fraud attempt.

Security teams can also configure automatic rules to block or quarantine emails whose DKIM selector and signing domain do not match the official DHL domain. Combined with scrutiny of the links contained in the message, this is an effective way to reduce the risk of phishing and malware in fake notice campaigns.
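The rule described above, as an added example that is not code from the original article: it parses the `DKIM-Signature` header, extracts the `d=` (signing domain) and `s=` (selector) tags, checks that the signing domain is aligned with the `From` domain, and then compares both against an allowlist of the brand's known signing domain and selectors. The allowlist values (`dhl.example`, `mail2023`) and the sample headers are constructed placeholders, not DHL's real values; the allowlist step matters because a lookalike domain can carry a cryptographically valid signature, so a passing DKIM verification alone does not prove the message is from the brand.

```python
from email.utils import parseaddr

# Constructed assumptions for this example (not DHL's real values): the
# domain the brand is known to sign from and the selectors it publishes.
KNOWN_SIGNING_DOMAINS = {"dhl.example"}
KNOWN_SELECTORS = {"mail2023", "notify2024"}

def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376, 3.2)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def in_tree(domain: str, base: str) -> bool:
    """True if domain equals base or is a subdomain of it."""
    return domain == base or domain.endswith("." + base)

def assess(headers: dict) -> list:
    """Return the reasons a message's DKIM d=/s= look suspicious; empty list = consistent."""
    reasons = []
    from_domain = parseaddr(headers.get("From", ""))[1].rpartition("@")[2].lower()
    sig = headers.get("DKIM-Signature")
    if not sig:
        return ["no DKIM-Signature header"]
    tags = parse_dkim_tags(sig)
    d, s = tags.get("d", "").lower(), tags.get("s", "")
    if not d or not s:
        return ["DKIM-Signature lacks required d= or s= tag"]
    # Simplified relaxed alignment: d= and the From domain must share a tree.
    if not (in_tree(d, from_domain) or in_tree(from_domain, d)):
        reasons.append(f"signing domain {d} is not aligned with From domain {from_domain}")
    # Brand allowlist: a lookalike domain can carry a valid signature, so the
    # d= must be a domain the brand actually uses, not merely verifiable.
    if not any(in_tree(d, k) for k in KNOWN_SIGNING_DOMAINS):
        reasons.append(f"signing domain {d} is not a known brand domain")
    if s not in KNOWN_SELECTORS:
        reasons.append(f"selector {s} is not one the brand is known to publish")
    return reasons

# Constructed sample headers; bh=/b= values are placeholders, not real signatures.
LEGIT = {"From": '"DHL Express" <noreply@dhl.example>',
         "DKIM-Signature": "v=1; a=rsa-sha256; d=dhl.example; s=mail2023;\r\n\t h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER"}
FAKE = {"From": '"DHL Delivery" <notice@dhl-track.example>',
        "DKIM-Signature": "v=1; a=rsa-sha256; d=dhl-track.example; s=dhl-notify; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER"}
```

Feeding `LEGIT` to `assess` yields no reasons, while `FAKE` is flagged for both an unknown signing domain and the `dhl-notify` selector; a quarantine rule would act on any non-empty result.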
