DomainKeys Identified Mail (DKIM)
[[Category:Deliverability]]
[[Category:Authentication]]
'''DKIM (DomainKeys Identified Mail)''' is an E-Mail domain [[:Category:Authentication|authentication]] method, designed to protect E-Mail sender domains ([[RFC5322.From]]) from forgery (spoofing). DKIM is defined in [https://www.rfc-editor.org/rfc/rfc6376.html RFC 6376] with updates in [https://www.rfc-editor.org/rfc/rfc8301.html RFC 8301] and [https://www.rfc-editor.org/rfc/rfc8463.html RFC 8463]. DKIM is a requirement of [[DMARC]].
=Functionality=
Each message is digitally signed by the sending server when it is sent. DKIM works with a public key and a private key for signing and a selector for identification.
==Selector==
The selector allows multiple DKIM records to be set on a single sender domain. Selectors can be any phrase. Here's an example from RFC 6376:
<pre>
selectors might indicate the names of office locations (e.g.,
"sanfrancisco", "coolumbeach", and "reykjavik"), the signing date
(e.g., "january2005", "february2005", etc.), or even an individual
user.
</pre>
The selector is used to construct the subdomain for the DKIM DNS TXT record. If, for example, the selector is "reykjavik" and the sender domain is "email.example.com", the following subdomain should be created: ''reykjavik._domainkey.email.example.com''.
==Public and private key==
The public key is publicly accessible in this [[DNS]] TXT record. The full content of the DNS TXT record may look like this:
<pre>
v=DKIM1; t=s; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0vuPa8g6qdfYLi9TWfbMzFoijdNfJC6/a0uGfIj6fOr+z1fJlOsM1DhKaEaSkNeI0ClKjLx9648CfMl02TxViTvG1Ne2sDsFvGc53NzEd65I2BsPuLpBsHo5zXbZ1ZvLhFm+iOjXlPnD1WlOeQuDhFdIdR+1lWt5aExNwBvIqBr+nYfJt094h9fUwXxMpJ+75GtBdAo3j2nOlWlZtCkWnDmCsXd0j6nNrHz0fO8VqCcJmQsP1ThUgBlO7T3L4PiVg1yHbDpKyTgVb6zHpYt/cXiKmIxVn6nQoDxL9ZfQ2EmVi7hUfMcSoFpWdIpYuOnMmPgPk47J+YZjv4N2X6UpSQIDAQAB
</pre>
There are numerous switches that can be set in a DKIM record. The ones used in this example are:
{| class="wikitable" style="margin:auto"
|+ DKIM record switches
|-
! Switch !! Example !! Description !! Required
|-
! scope="row"| v
| <code>v=DKIM1</code> || Version || Required
|-
! scope="row"| t
| <code>t=s</code> || Alignment / Testing || Recommended
|-
! scope="row"| k
| <code>k=rsa</code> || Key type || Optional
|-
! scope="row"| p
| <pre>p=LONG KEY</pre>
| Public key || Required
|}
The long key (p-switch) is the public key that matches the private key on the signing server. This key can be obtained from your [[ISP]]/[[ESP]] or your mail server administrator.
The minimum length for DKIM keys is 1024 bits. The minimum recommended length for DKIM keys is 2048 bits.
Once a message has been received, the DKIM signature can be found in the [[E-Mail header]] and looks like this:
<pre>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=email.example.com;
 s=reykjavik; t=1117574938; i=@email.example.com;
 bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
 h=To:Message-ID:Date:Content-Type:Subject:From:List-Unsubscribe:
 From:To:Cc:Subject;
 b=nXiJoG9QuMwPyLsCw0yCx2bCd92K89bGgOb/nUsFpUuHvRfM9M1QnQaPdTaJu7pBm
 2Yl7xHdSqXj6cU2Y2MoDeFgBkFpSa14ZiByX7VwPq8eGiNzB2580l52LtBeVxKtWrH
 By9oU96j4h7bMxRgYvTe/r7dWaHbGaIwMwNc4eXa=
</pre>
The meaning of the individual switches in this example is as follows:
{| class="wikitable" style="margin:auto"
|+ DKIM header switches
|-
! Switch !! Example !! Description !! Required
|-
! scope="row"| v
| <code>v=1</code> || Version || Required
|-
! scope="row"| a
| <code>a=rsa-sha256</code> || Key type / Signing algorithm || Required
|-
! scope="row"| c
| <code>c=relaxed/relaxed</code> || Canonicalization algorithm(s) for header and body || Optional
|-
! scope="row"| d
| <code>d=email.example.com</code> || Signing Domain Identifier (SDID) || Required
|-
! scope="row"| s
| <code>s=reykjavik</code> || Selector || Required
|-
! scope="row"| t
| <code>t=1117574938</code> || Timestamp || Recommended
|-
! scope="row"| i
| <code>i=@email.example.com</code> || Sending domain (AUID) || Optional
|-
! scope="row"| bh
| <code>bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=</code> || Body hash || Required
|-
! scope="row"| h
| <pre>h=To:Message-ID:Date:Content-Type:Subject:From:List-Unsubscribe:
 From:To:Cc:Subject;</pre>
| List of header fields that have been signed || Required
|-
! scope="row"| b
| <pre>b=nXiJoG9QuMwPyLsCw0yCx2bCd92K89bGgOb/nUsFpUuHvRfM9M1QnQaPdTaJu7pBm
 2Yl7xHdSqXj6cU2Y2MoDeFgBkFpSa14ZiByX7VwPq8eGiNzB2580l52LtBeVxKtWrH
 By9oU96j4h7bMxRgYvTe/r7dWaHbGaIwMwNc4eXa=</pre>
| Signature of headers and body || Required
|}
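As an added example (not part of this wiki page or the InboxSys app), the Python below parses the tag=value syntax that the DNS record and the DKIM-Signature header above share, derives the ''selector._domainkey.domain'' record name from the s= and d= switches, and reads the RSA key size out of the p= switch so the 1024/2048-bit minimums stated above can be checked. The inputs are this page's own examples; the small DER walker stands in for a full ASN.1 library.

```python
import base64
import re

# Constructed inputs, copied from this page: the DNS TXT record and the
# DKIM-Signature header value, the latter kept with its folded lines.
DNS_TXT = "v=DKIM1; t=s; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0vuPa8g6qdfYLi9TWfbMzFoijdNfJC6/a0uGfIj6fOr+z1fJlOsM1DhKaEaSkNeI0ClKjLx9648CfMl02TxViTvG1Ne2sDsFvGc53NzEd65I2BsPuLpBsHo5zXbZ1ZvLhFm+iOjXlPnD1WlOeQuDhFdIdR+1lWt5aExNwBvIqBr+nYfJt094h9fUwXxMpJ+75GtBdAo3j2nOlWlZtCkWnDmCsXd0j6nNrHz0fO8VqCcJmQsP1ThUgBlO7T3L4PiVg1yHbDpKyTgVb6zHpYt/cXiKmIxVn6nQoDxL9ZfQ2EmVi7hUfMcSoFpWdIpYuOnMmPgPk47J+YZjv4N2X6UpSQIDAQAB"
DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=email.example.com;\n s=reykjavik; t=1117574938;"
    " i=@email.example.com;\n bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;\n"
    " h=To:Message-ID:Date:Content-Type:Subject:From:List-Unsubscribe:\n From:To:Cc:Subject;\n"
    " b=nXiJoG9QuMwPyLsCw0yCx2bCd92K89bGgOb/nUsFpUuHvRfM9M1QnQaPdTaJu7pBm\n"
    " 2Yl7xHdSqXj6cU2Y2MoDeFgBkFpSa14ZiByX7VwPq8eGiNzB2580l52LtBeVxKtWrH\n"
    " By9oU96j4h7bMxRgYvTe/r7dWaHbGaIwMwNc4eXa="
)

def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2); folding whitespace is dropped."""
    tags = {}
    for item in filter(str.strip, value.split(";")):   # a trailing ';' is legal
        name, _, val = item.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", val)   # b= and h= span several lines
    return tags

def dkim_dns_name(sig):
    """Name of the TXT record a verifier queries: <selector>._domainkey.<SDID>."""
    return f"{sig['s']}._domainkey.{sig['d']}"

def _der(buf, pos, want):
    """Check the DER tag at pos and return (content length, content offset)."""
    if buf[pos] != want:
        raise ValueError(f"expected DER tag {want:#x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return length, pos

def rsa_key_bits(record):
    """Modulus size of the p= key: base64 SubjectPublicKeyInfo, walked only to the modulus."""
    tags = parse_tags(record)
    if tags.get("v") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA DKIM1 record")
    der = base64.b64decode(tags["p"])
    _, pos = _der(der, 0, 0x30)                        # SubjectPublicKeyInfo SEQUENCE
    alg_len, pos = _der(der, pos, 0x30)                # AlgorithmIdentifier, skipped
    _, pos = _der(der, pos + alg_len, 0x03)            # BIT STRING; first byte = unused bits
    _, pos = _der(der, pos + 1, 0x30)                  # RSAPublicKey SEQUENCE
    n_len, pos = _der(der, pos, 0x02)                  # modulus INTEGER (leading 0x00 sign byte)
    return int.from_bytes(der[pos:pos + n_len], "big").bit_length()
```

<code>rsa_key_bits(DNS_TXT)</code> returns 2048 for the record above, so it meets the recommended minimum; a value below 1024 marks a record that should be rotated.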
=Alignment=
''Main article: [[Alignment]]''
DKIM is aligned when the sender domain matches the signing domain. More precisely: when the RFC5322.From domain (also called the "Agent or User Identifier"), represented by the i-switch, matches the "Signing Domain Identifier", represented by the d-switch.
=Double DKIM=
''Main article: [[Double DKIM]]''
=DKIM in InboxSys app=
To check your DKIM record, [[Sending a message to the seedlist|send a message to your seedlist]] and look in the [[:Category:Authentication|authentication]] section of the [[:Category:E-Mail analysis|E-Mail analysis]].
=Useful links=
* [https://international.eco.de/download/223621/ E-Mail authentication for senders]
* [https://international.eco.de/download/209121/ E-Mail authentication for recipients]
* [https://www.rfc-editor.org/rfc/rfc6376.html RFC 6376]
* [https://www.rfc-editor.org/rfc/rfc8301.html RFC 8301]
* [https://www.rfc-editor.org/rfc/rfc8463.html RFC 8463]
* [https://www.mailhardener.com/kb/how-to-use-dkim-with-ed25519 How to use DKIM with Ed25519]
Latest revision as of 14:04, 3 September 2023