DomainKeys Identified Mail (DKIM): Difference between revisions

From InboxSys document library
Jump to navigation Jump to search
← Older editNewer edit →
No edit summary
No edit summary
Line 26: Line 26:
</pre>
</pre>


The long key (p=) is the public key that matches the private key on the signing server.  
There are numerous switches that can be applied to a DKIM record. The most important are:
 
{| class="wikitable" style="margin:auto"
|+ Caption text
|-
! Switch !! Example !! Description !! Required
|-
! scope="row"| v
|| <code>v=DKIM1</code> || Version || Required
|-
! scope="row"| t
|| <code>t=s</code> || Alignment / Testing || Recommended
|-
! scope="row"| k
|| <code>k=rsa</code> || Key type || Optional
|-
! scope="row"| p
|| <pre>p=LONG KEY</pre>
|| Public key || Required
|}
 
The long key (p-switch) is the public key that matches the private key on the signing server.  


Once the message has been received, the DKIM signature can be found in the [[E-Mail header]] and it looks like this:
Once the message has been received, the DKIM signature can be found in the [[E-Mail header]] and it looks like this:
Line 40: Line 61:
By9oU96j4h7bMxRgYvTe/r7dWaHbGaIwMwNc4eXa=
By9oU96j4h7bMxRgYvTe/r7dWaHbGaIwMwNc4eXa=
</pre>
</pre>
The meaning of the individual switches we see in the example is as follows:
{| class="wikitable" style="margin:auto"
|+ Caption text
|-
! Switch !! Example !! Description !! Required
|-
! scope="row"| v
|| <code>v=1</code> || Version || Required
|-
! scope="row"| a
|| <code>a=rsa-sha256</code> || Key type / Signing algorithm|| Required
|-
! scope="row"| c
|| <code>c=relaxed/relaxed</code> || Canonicalization algorithm(s) for header and body || Optional
|-
! scope="row"| d
|| <code>d=email.example.com</code> || Signing Domain Identifier (SDID) || Required
|-
! scope="row"| s
|| <code>s=reykjavik</code> || Selector || Required
|-
! scope="row"| t
|| <code>t=1117574938</code> || Timestamp || Recommended
|-
! scope="row"| i
|| <code>i=@email.example.com</code> || Sending domain (AUID) || Optional
|-
! scope="row"| bh
|| <code>bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=</code> || Body hash || Required
|-
! scope="row"| h
|| <pre>h=To:Message-ID:Date:Content-Type:Subject:From:List-Unsubscribe:
From:To:Cc:Subject;</pre>
|| list of header fields that have been signed || Required
|-
! scope="row"| b
|| <pre>b=nXiJoG9QuMwPyLsCw0yCx2bCd92K89bGgOb/nUsFpUuHvRfM9M1QnQaPdTaJu7pBm
2Yl7xHdSqXj6cU2Y2MoDeFgBkFpSa14ZiByX7VwPq8eGiNzB2580l52LtBeVxKtWrH
By9oU96j4h7bMxRgYvTe/r7dWaHbGaIwMwNc4eXa=</pre>
|| Signature of headers and body || Required
|}
=Alignment=
''Main article: [[Alignment]]''


=Double DKIM=
=Double DKIM=

Revision as of 01:41, 31 August 2023

DKIM is an E-Mail domain authentication method, designed to protect E-Mail sender domains (RFC5322.From) from forgery (spoofing). DKIM is defined in RFC 6376 with updates in RFC 8301 and RFC 8463.

Functionality

Each message is digitally signed by the sending server when it's being sent. DKIM works with a public key and a private key for signing and a selector for identification.

Selector

The selector assures that multiple DKIM records can be set on a single sender domain. Selectors can be any phrase. Here's an example from RFC 6376: 

   selectors might indicate the names of office locations (e.g.,
   "sanfrancisco", "coolumbeach", and "reykjavik"), the signing date
   (e.g., "january2005", "february2005", etc.), or even an individual
   user.

Public and private key

The public key is stored in a [DNS] TXT record. The selector is used to compile this DNS record. If, for example, the selector is "reykjavik" and the senderdomain is "email.example.com", the following subdomain should be created: reykjavik._domainkey.email.example.com. The DNS record looks like this: 

reykjavik._domainkey.email.example.com descriptive text "v=DKIM1; t=s; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0vuPa8g6qdfYLi9TWfbMzFoijdNfJC6/a0uGfIj6fOr+z1fJlOsM1DhKaEaSkNeI0ClKjLx9648CfMl02TxViTvG1Ne2sDsFvGc53NzEd65I2BsPuLpBsHo5zXbZ1ZvLhFm+iOjXlPnD1WlOeQuDhFdIdR+1lWt5aExNwBvIqBr+nYfJt094h9fUwXxMpJ+75GtBdAo3j2nOlWlZtCkWnDmCsXd0j6nNrHz0fO8VqCcJmQsP1ThUgBlO7T3L4PiVg1yHbDpKyTgVb6zHpYt/cXiKmIxVn6nQoDxL9ZfQ2EmVi7hUfMcSoFpWdIpYuOnMmPgPk47J+YZjv4N2X6UpSQIDAQAB"

There are numerous switches that can be applied to a DKIM record. The most important are:

Caption text
Switch Example Description Required
v v=DKIM1 Version Required
t t=s Alignment / Testing Recommended
k k=rsa Key type Optional
p 
p=LONG KEY
 Public key Required

The long key (p-switch) is the public key that matches the private key on the signing server.

Once the message has been received, the DKIM signature can be found in the E-Mail header and it looks like this: 

   DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=email.example.com;
	s=reykjavik; t=1117574938; i=@email.example.com;
	bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
	h=To:Message-ID:Date:Content-Type:Subject:From:List-Unsubscribe:
	 From:To:Cc:Subject;
	b=nXiJoG9QuMwPyLsCw0yCx2bCd92K89bGgOb/nUsFpUuHvRfM9M1QnQaPdTaJu7pBm
	 2Yl7xHdSqXj6cU2Y2MoDeFgBkFpSa14ZiByX7VwPq8eGiNzB2580l52LtBeVxKtWrH
	 By9oU96j4h7bMxRgYvTe/r7dWaHbGaIwMwNc4eXa=

The meaning of the individual switches we see in the example is as follows:

Caption text
Switch Example Description Required
v v=1 Version Required
a a=rsa-sha256 Key type / Signing algorithm Required
c c=relaxed/relaxed Canonicalization algorithm(s) for header and body Optional
d d=email.example.com Signing Domain Identifier (SDID) Required
s s=reykjavik Selector Required
t t=1117574938 Timestamp Recommended
i i=@email.example.com Sending domain (AUID) Optional
bh bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI= Body hash Required
h 
h=To:Message-ID:Date:Content-Type:Subject:From:List-Unsubscribe:
 From:To:Cc:Subject;
 list of header fields that have been signed Required
b 
b=nXiJoG9QuMwPyLsCw0yCx2bCd92K89bGgOb/nUsFpUuHvRfM9M1QnQaPdTaJu7pBm
 2Yl7xHdSqXj6cU2Y2MoDeFgBkFpSa14ZiByX7VwPq8eGiNzB2580l52LtBeVxKtWrH
 By9oU96j4h7bMxRgYvTe/r7dWaHbGaIwMwNc4eXa=
 Signature of headers and body Required

Alignment

Main article: Alignment

Double DKIM

Main article: Double DKIM

Useful links

Retrieved from "https://docs.inboxsys.com/index.php?title=DomainKeys_Identified_Mail_(DKIM)&oldid=132"