Domain Keys Identified Mail (DKIM)

Email DNS

DKIM validates a domain name identity that is associated with a message through cryptographic authentication. DKIM attaches a new domain name identifier to a message's header to validate authorization for its presence. The identifier is independent of any other identifier in the message.

images/webmaster/dkim-process.jpg

DKIM signature means that the owner of the domain name is accountable for the message. When the signature is generated, the public key used to generate it and it is stored at the listed domain. After receiving the email, the recipient MTA (Mail Transfer Agent) can verify the DKIM signature by recovering the signer's public key through DNS. If these two match, then the email has not been altered. This gives some security that the email was originated from the listed domain.

DKIM and SPAM Messages

Senders of the email suffer when their domain is forged and used in phishing because it diminishes the trust in their real messages. The recipients don’t have a way to verify that the message was actually sent from the real source.

If the email is from a trusted domain and is successfully verified through DKIM, the email may have its SPAM score reduced. If the email's DKIM signature cannot be verified (because the email was faked or for another reason), the email might be marked as SPAM.

Example of DKIM Header

The receiving SMTP server uses the domain name and the selector to perform a DNS lookup.

DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=brisbane;
 c=relaxed/simple; q=dns/txt; l=1234; t=1117574938; x=1118006938;
 h=from:to:subject:date:keywords:keywords;
 bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
 b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ
 VoG4ZHRNiYzR

Explanation

  • v is version
  • a is signing algorithm
  • d is domain name
  • s is selector
  • c is canonicalization algorithm for header and body
  • q is default query method
  • l is length of the canonicalized part of the body
  • t is signature time stamp
  • x is expire time
  • h is list of signed header fields
  • bh is body hash
  • b is actual digital signature

How does DKIM Work

Public Key Cryptography uses a pair of keys - Private Key and Public Key. Private Key is kept safe by the author of the email. The Public Key permits anyone to verify that a signature made with the corresponding Private Key is valid. DKIM uses DNS to publish the Public Keys, so that any party that wants to validate a signature can easily find the public key. 

When you send an email to a recipient, you add the signature in an email header and the message is then sent normally by the mail server. At any point in travel, and at the recipient’s ISP, the signature is validated using the public key. Spoofed emails won’t carry a valid signature so these are now easy to detect.

History of DKIM

Because of the limitation in the architecture of email, two proposals emerged: Yahoo’s DomainKeys and Cisco’s Identified Internet Mail. Both were based in the use of Public Key Cryptography, a technique that allows an author to create a signature allowing anyone to verify that whatever was signed wasn’t altered. 

In 2005, a consortium of internet companies submitted draft DKIM specification to the IETF (Internet Engineering Task Force). DKIM was a derivative work based on the work of Yahoo and Cisco.

How to add DKIM

DKIM Public Key data is published in the DNS as TXT records. You can add such records in the DNS Zone Editor. In cPanel, you can enable or disable DKIM under Email Authentication section.