Get a basic understanding of what DomainKeys Identified Mail is and how it affects your mail.
DKIM is an email authentication method that helps prevent email spoofing, which is a common technique used in phishing and spam emails.
What is DKIM?
DKIM stands for DomainKeys Identified Mail, a standard that allows email senders to digitally sign their messages and verify their domain identity. DKIM helps to prevent email spoofing, phishing, and spam by enabling receivers to check if the email was sent by an authorized source and if it was modified in transit. DKIM uses public-key cryptography, where the sender publishes a public key in their domain's DNS records and signs each email with a private key. The receiver can then use the public key to verify the signature and the domain of the sender.
How does DKIM work?
DKIM works by adding a header field, DKIM-Signature, to each message. It carries the signing domain, the selector, the algorithm, the hash and the signature. The selector identifies which public key to use for verification. The algorithm is the cryptographic method used to produce the hash and the signature. The hash is a digest of the message content; the signature value itself is excluded from it. The signature is produced by signing that hash with the private key. When the receiver gets the message, it extracts the DKIM-Signature field and uses the selector and the signing domain to look up the corresponding public key in the sender's DNS records. It then verifies the signature with the public key against its own hash of the message content. If the signature verifies, the message came from the signing domain and has not been tampered with in transit.
Why is DKIM important?
DKIM is important because it helps to protect the integrity and reputation of email senders and receivers. By verifying the domain identity of the sender, DKIM can reduce the risk of phishing, spoofing, and spam, which can harm the trust and security of email users. DKIM can also improve the deliverability and visibility of legitimate emails, as they are less likely to be filtered or marked as spam by email providers and recipients. This can increase the engagement and conversion rates of email marketing campaigns and newsletters. DKIM can also complement other email authentication standards, such as SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance), to provide a more comprehensive and robust solution for email security and reputation.
What are the limitations of DKIM?
DKIM is not a perfect solution for email authentication and security, as it has some limitations and challenges. Some of them are:
DKIM does not guarantee the identity of the actual sender, only the domain. For example, an attacker can compromise a legitimate email account and send spoofed emails with a valid DKIM signature. To mitigate this, email providers and recipients should also check the From and Reply-To fields of the email and use other methods to verify the sender's identity, such as SPF and DMARC.
DKIM does not survive forwarding or relaying reliably: an intermediary that modifies the message breaks the signature and causes false negatives. For example, when a user forwards a message or a mailing list relays it, the forwarding agent may add a header or a footer, which invalidates the DKIM signature. To reduce the impact, senders should use the relaxed canonicalization algorithm, which tolerates whitespace and header-folding differences, and receivers should not reject a message solely because its DKIM signature fails to verify.
DKIM requires the cooperation and coordination of email senders and receivers, as well as the management and maintenance of public and private keys and DNS records. This can be complex and costly, especially for large and dynamic email domains. To simplify this, email senders and receivers can use third-party services or tools that can handle the DKIM implementation and configuration for them.
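The body-hash side of the verification described above, and the forwarding problem just listed, can be seen in a few lines of code. The following is an added example written for this page, not code from the original article or from any DKIM library: it implements the two body canonicalization methods of RFC 6376 over constructed sample bodies, computes the bh= value the same way a signer does, and shows which in-transit changes each method survives. The sample bodies and the list.example.net footer are constructed.

```python
import base64
import hashlib
import hmac
import re
from typing import Optional

# Constructed sample bodies (not from the original page). CRLF line endings, as on the wire.
ORIGINAL_BODY = b"Hello team,\r\n\r\nThe  quarterly report  is attached. \r\n\r\n\r\n"
# Same text after a relay re-wrapped whitespace and dropped the trailing blank lines.
REWRAPPED_BODY = b"Hello team,\r\n\r\nThe quarterly report is attached.\r\n"
# Same text after a forwarding agent appended a footer.
FORWARDED_BODY = ORIGINAL_BODY.rstrip(b"\r\n") + b"\r\n\r\n-- \r\nForwarded by list.example.net\r\n"


def canonicalize_body(body: bytes, method: str) -> bytes:
    """Body canonicalization per RFC 6376 section 3.4.

    simple:  drop empty lines at the end of the body and make sure it ends with one CRLF.
    relaxed: additionally strip trailing whitespace on every line and collapse runs of
             spaces and tabs within a line to a single space.
    """
    if method == "relaxed":
        lines = body.split(b"\r\n")
        body = b"\r\n".join(re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines)
    elif method != "simple":
        raise ValueError(f"unknown canonicalization {method!r}")
    while body.endswith(b"\r\n\r\n"):  # ignore empty lines at the end of the body
        body = body[:-2]
    if body == b"\r\n":  # the body consisted only of empty lines
        body = b""
    if body == b"":
        return b"\r\n" if method == "simple" else b""  # empty body: CRLF for simple, nothing for relaxed
    return body if body.endswith(b"\r\n") else body + b"\r\n"


def body_hash(body: bytes, method: str = "relaxed", length: Optional[int] = None) -> str:
    """Compute the bh= tag value: base64(SHA-256(canonicalized body)).
    If the signer set l=, only the first `length` octets of the canonicalized body are hashed."""
    canon = canonicalize_body(body, method)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")


def body_hash_matches(body: bytes, expected_bh: str, method: str = "relaxed",
                      length: Optional[int] = None) -> bool:
    """Verifier-side check of the bh= tag, compared in constant time."""
    return hmac.compare_digest(body_hash(body, method, length), expected_bh)


def demo() -> dict:
    """Show which in-transit changes each canonicalization survives, and what l= leaves uncovered."""
    signed_bh_simple = body_hash(ORIGINAL_BODY, "simple")
    signed_bh_relaxed = body_hash(ORIGINAL_BODY, "relaxed")
    signed_len = len(canonicalize_body(ORIGINAL_BODY, "relaxed"))
    return {
        # Whitespace re-wrapping: breaks simple, survives relaxed.
        "rewrapped_simple": body_hash_matches(REWRAPPED_BODY, signed_bh_simple, "simple"),
        "rewrapped_relaxed": body_hash_matches(REWRAPPED_BODY, signed_bh_relaxed, "relaxed"),
        # Appended footer: breaks relaxed too, which is correct, since the content changed.
        "forwarded_relaxed": body_hash_matches(FORWARDED_BODY, signed_bh_relaxed, "relaxed"),
        # With l= limiting the hash to the original length, the footer is not covered and the
        # check still passes; this is why the Security Considerations of RFC 6376 discourage l=.
        "forwarded_with_l": body_hash_matches(FORWARDED_BODY, signed_bh_relaxed, "relaxed", signed_len),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'pass' if ok else 'FAIL'}")
```

Relaxed canonicalization absorbs the whitespace re-wrapping that relays commonly introduce, but not an appended footer, so a mailing-list footer still fails the check and the receiver must fall back on policy (not rejecting on DKIM failure alone) rather than on a looser hash. The last case is the caveat for signers: content past the l= length is invisible to the body hash, so omitting l= is the safer choice.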
DKIM Syntax
The syntax of DKIM is defined by RFC 6376, which specifies the format and rules for the DKIM-Signature header field, the public key DNS record, and the signing and verification algorithms.
The DKIM-Signature header field consists of a series of tag-value pairs, separated by semicolons, that provide information about the DKIM signature. The tags are case-insensitive and have the following meanings:
v: The version of DKIM. The current version is 1.
a: The algorithm used to generate the hash and the signature. The supported algorithms are rsa-sha1 and rsa-sha256.
b: The signature data, encoded in base64.
bh: The hash of the canonicalized message body, encoded in base64.
c: The canonicalization algorithm used to normalize the email headers and body before hashing. The supported algorithms are simple and relaxed.
d: The domain of the signing entity.
h: The list of header fields that are included in the signature, separated by colons.
i: The identity of the signing agent, which can be a subdomain or a user within the signing domain.
l: The length of the email body that is signed, in bytes. If omitted, the whole body is signed.
q: The query method used to retrieve the public key. The supported method is dns/txt, which means the public key is stored in a TXT record in the DNS.
s: The selector that identifies the public key to use for verification.
t: The timestamp of when the signature was created, in seconds since 00:00:00 on January 1, 1970 UTC.
x: The expiration time of the signature, in seconds since 00:00:00 on January 1, 1970 UTC. If omitted, the signature does not expire.
z: The original header fields that were signed, encoded in base64. This tag is optional and only used for debugging purposes.
An example of a public key DNS record is:
Record name (the selector dkimkey under the _domainkey label of the signing domain):
dkimkey._domainkey.example.com.
Value:
"v=DKIM1; h=sha256; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCfjgu4wJ4hm7T3cjhYfyX3WfZwLGNqJtU2Ol1i8sT1o3F1FbZI4P7FqQW7MkMfsHnY6f7loG+RwkZsKdowq+8Gg9G2xRF1YJynBKLpdX4eR4Q2m5F3LjMfQSSMmN1CRrSeyRGNVQqjxweG5lJfR0GZsT7hnrccllH+oL1HhQIDAQAB"
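To make the tag list and the DNS record above concrete, here is an added example, written for this page and not code from the original article or from a DKIM implementation. It parses a constructed DKIM-Signature header field, applies the syntax and policy checks a verifier performs before any cryptography, derives the DNS name of the key record from s= and d=, and interprets a key record of the form shown above. The header values, timestamps and the placeholder p= key are constructed; the bh= value is the SHA-256 of an empty body and b= is a dummy string, not a real signature.

```python
import base64
import re
from typing import Dict, List, Tuple

# Constructed DKIM-Signature header field (not from the original page). bh= is the base64
# SHA-256 of an empty body and b= is a dummy string, not a real signature.
SAMPLE_SIGNATURE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    " s=dkimkey; t=1700000000; x=1700604800; q=dns/txt;\r\n"
    " h=From:To:Subject:Date:Message-ID;\r\n"
    " bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;\r\n"
    " b=dGhpcyBpcyBub3QgYSByZWFsIHNpZ25hdHVyZQ=="
)
# Constructed key record in the form shown above; p= is a placeholder, not an RSA key.
PLACEHOLDER_KEY = base64.b64encode(b"not-a-real-rsa-public-key").decode("ascii")
SAMPLE_KEY_RECORD = f"v=DKIM1; h=sha256; k=rsa; p={PLACEHOLDER_KEY}"

REQUIRED_SIGNATURE_TAGS = ("v", "a", "b", "bh", "d", "h", "s")


def parse_tag_list(value: str) -> Dict[str, str]:
    """Parse the tag=value list syntax shared by DKIM-Signature and the key record.
    Header folding is undone first; whitespace inside values (common in b= and p=) is dropped."""
    tags: Dict[str, str] = {}
    for part in re.sub(r"\r?\n[ \t]+", " ", value).split(";"):
        if not part.strip():
            continue  # tolerate a trailing semicolon
        name, sep, val = part.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed tag {part.strip()!r}")
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag {name}=")
        tags[name] = re.sub(r"\s+", "", val)
    return tags

def parse_signature_header(header: str) -> Dict[str, str]:
    """Strip the field name from a DKIM-Signature header and parse its tag list."""
    name, sep, value = header.partition(":")
    if not sep or name.strip().lower() != "dkim-signature":
        raise ValueError("not a DKIM-Signature header field")
    return parse_tag_list(value)

def canonicalization(tags: Dict[str, str]) -> Tuple[str, str]:
    """(header method, body method) from c=; both default to simple per RFC 6376."""
    header, sep, body = tags.get("c", "simple").partition("/")
    return header, (body if sep else "simple")

def key_record_name(tags: Dict[str, str]) -> str:
    """DNS name of the TXT record that holds the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def check_signature_tags(tags: Dict[str, str], now: int) -> List[str]:
    """Syntax and policy checks a verifier applies before any cryptography; returns the problems found."""
    problems = [f"missing required tag {t}=" for t in REQUIRED_SIGNATURE_TAGS if t not in tags]
    if tags.get("v") != "1":
        problems.append("unsupported version (only v=1 is defined)")
    alg = tags.get("a", "")
    if alg not in ("rsa-sha1", "rsa-sha256"):
        problems.append(f"unsupported algorithm {alg!r}")
    elif alg == "rsa-sha1":
        problems.append("rsa-sha1 is deprecated by RFC 8301; treat the message as unsigned")
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    if "from" not in signed:
        problems.append("h= must include the From field")
    for method in canonicalization(tags):
        if method not in ("simple", "relaxed"):
            problems.append(f"unknown canonicalization {method!r}")
    if "i" in tags:  # the i= domain must be d= or a subdomain of it
        domain = tags["i"].rpartition("@")[2]
        if domain != tags.get("d") and not domain.endswith("." + tags.get("d", "")):
            problems.append("i= domain is not d= or a subdomain of it")
    if "x" in tags:
        if "t" in tags and int(tags["x"]) <= int(tags["t"]):
            problems.append("x= expiration must be later than the t= timestamp")
        if int(tags["x"]) < now:
            problems.append("signature has expired")
    return problems

def parse_key_record(txt: str) -> Dict[str, object]:
    """Interpret the TXT record at key_record_name(): key type, permitted hashes, raw key bytes."""
    tags = parse_tag_list(txt)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional but, if present, must be DKIM1
        raise ValueError("unknown key record version")
    if "p" not in tags:
        raise ValueError("key record has no p= tag")
    return {
        "key_type": tags.get("k", "rsa"),
        "hashes": tags["h"].split(":") if "h" in tags else None,  # None: any hash allowed
        "revoked": tags["p"] == "",  # an empty p= means the key has been revoked
        "public_key": base64.b64decode(tags["p"]) if tags["p"] else b"",
    }

def key_usable_for(sig_tags: Dict[str, str], key: Dict[str, object]) -> bool:
    """Does the key record permit the signature's a= algorithm (k= type and h= hash list)?"""
    key_type, _, hash_name = sig_tags.get("a", "").partition("-")
    if key["revoked"] or key["key_type"] != key_type:
        return False
    return key["hashes"] is None or hash_name in key["hashes"]
```

These checks run before the DNS query and the RSA verification, and a verifier that skips them can be talked into accepting a signature that does not actually cover the From field, has already expired, or names a key the domain has since revoked by publishing an empty p=. The h=sha256 tag in the record shown above is enforced by key_usable_for: a signature made with rsa-sha1 against that key is rejected even if the RSA operation itself would succeed.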