DomainKeys Identified Mail (DKIM): Difference between revisions

From InboxSys document library
Created page with "Category:Deliverability Category:Authentication DKIM is an E-Mail domain authentication method, designed to protect E-Mail sender domains from forgery (spoofing). DKIM is defined in https://www.rfc-editor.org/rfc/rfc6376.html RFC 6376 with updates in https://www.rfc-editor.org/rfc/rfc8301.html RFC 8301 and https://www.rfc-editor.org/rfc/rfc8463.html RFC 8463. =Functionality= DKIM works with a public key and a private ke..."
 
No edit summary
Line 1: Line 1:
[[Category:Deliverability]]
[[Category:Deliverability]]
[[Category:Authentication]]
[[Category:Authentication]]
DKIM is an E-Mail domain [[:Category:Authentication|authentication]] method, designed to protect E-Mail sender domains from forgery (spoofing). DKIM is defined in [[https://www.rfc-editor.org/rfc/rfc6376.html RFC 6376]] with updates in [[https://www.rfc-editor.org/rfc/rfc8301.html RFC 8301]] and [[https://www.rfc-editor.org/rfc/rfc8463.html RFC 8463]].  
'''DKIM''' is an E-Mail domain [[:Category:Authentication|authentication]] method, designed to protect E-Mail sender domains ([[RFC5322.From]]) from forgery (spoofing). DKIM is defined in [[https://www.rfc-editor.org/rfc/rfc6376.html RFC 6376]] with updates in [[https://www.rfc-editor.org/rfc/rfc8301.html RFC 8301]] and [[https://www.rfc-editor.org/rfc/rfc8463.html RFC 8463]].  


=Functionality=
=Functionality=


DKIM works with a public key and a private key. The private key is used to sign selected parts of the E-Mail with a selected domain. The public key is stored in a [DNS] TXT record.
Each message is digitally signed by the sending server when it's being sent. DKIM works with a public key and a private key for signing and a selector for identification.
 
==Selector==
 
The selector assures that multiple DKIM records can be set on a single sender domain. Selectors can be any phrase. Here's an example from RFC 6376:
 
<pre>
  selectors might indicate the names of office locations (e.g.,
  "sanfrancisco", "coolumbeach", and "reykjavik"), the signing date
  (e.g., "january2005", "february2005", etc.), or even an individual
  user.
</pre>
 
==Public and private key==
 
The public key is stored in a [DNS] TXT record. The selector is used to compile this DNS record. If, for example, the selector is "reykjavik" and the senderdomain is "email.example.com", the following subdomain should be created: ''reykjavik._domainkey.email.example.com''. The DNS record looks like this:
 
<pre>
reykjavik._domainkey.email.example.com descriptive text "v=DKIM1; t=s; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0vuPa8g6qdfYLi9TWfbMzFoijdNfJC6/a0uGfIj6fOr+z1fJlOsM1DhKaEaSkNeI0ClKjLx9648CfMl02TxViTvG1Ne2sDsFvGc53NzEd65I2BsPuLpBsHo5zXbZ1ZvLhFm+iOjXlPnD1WlOeQuDhFdIdR+1lWt5aExNwBvIqBr+nYfJt094h9fUwXxMpJ+75GtBdAo3j2nOlWlZtCkWnDmCsXd0j6nNrHz0fO8VqCcJmQsP1ThUgBlO7T3L4PiVg1yHbDpKyTgVb6zHpYt/cXiKmIxVn6nQoDxL9ZfQ2EmVi7hUfMcSoFpWdIpYuOnMmPgPk47J+YZjv4N2X6UpSQIDAQAB"
</pre>
 
The long key (p=) is the public key that matches the private key on the signing server.
 
Once the message has been received, the DKIM signature can be found in the [Mail Header] and it looks like this:
 
<pre>
  DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=email.example.com;
s=reykjavik; t=1117574938; i=@email.example.com;
bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
h=To:Message-ID:Date:Content-Type:Subject:From:List-Unsubscribe:
From:To:Cc:Subject;
b=nXiJoG9QuMwPyLsCw0yCx2bCd92K89bGgOb/nUsFpUuHvRfM9M1QnQaPdTaJu7pBm
2Yl7xHdSqXj6cU2Y2MoDeFgBkFpSa14ZiByX7VwPq8eGiNzB2580l52LtBeVxKtWrH
By9oU96j4h7bMxRgYvTe/r7dWaHbGaIwMwNc4eXa=
</pre>


=Useful links=
=Useful links=
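Review bot: The link brackets in the added lines are the wrong way round for MediaWiki. `[DNS]` and `[Mail Header]` use single brackets, so they are not parsed as internal links and show up as literal bracketed text. The RFC references use double brackets around a URL (`[[https://www.rfc-editor.org/rfc/rfc6376.html RFC 6376]]`), which leaves a stray pair of brackets around the label. Suggest `[[DNS]]` and `[[Mail Header]]` for the internal links and `[https://www.rfc-editor.org/rfc/rfc6376.html RFC 6376]` (likewise for RFC 8301 and RFC 8463) for the external ones. In the "Public and private key" paragraph, "senderdomain" should read "sender domain".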

Revision as of 00:35, 31 August 2023

DKIM is an E-Mail domain authentication method, designed to protect E-Mail sender domains (RFC5322.From) from forgery (spoofing). DKIM is defined in RFC 6376, with updates in RFC 8301 and RFC 8463.

Functionality

The sending server digitally signs each message as it is sent. DKIM uses a private key for signing, a public key for verification, and a selector that identifies which key was used.

Selector

The selector allows multiple DKIM records to be set on a single sender domain. A selector can be any phrase. Here's an example from RFC 6376:

   selectors might indicate the names of office locations (e.g.,
   "sanfrancisco", "coolumbeach", and "reykjavik"), the signing date
   (e.g., "january2005", "february2005", etc.), or even an individual
   user.

Public and private key

The public key is stored in a DNS TXT record. The selector is used to build the name of this DNS record. If, for example, the selector is "reykjavik" and the sender domain is "email.example.com", the following subdomain should be created: reykjavik._domainkey.email.example.com. The DNS record looks like this:

reykjavik._domainkey.email.example.com descriptive text "v=DKIM1; t=s; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0vuPa8g6qdfYLi9TWfbMzFoijdNfJC6/a0uGfIj6fOr+z1fJlOsM1DhKaEaSkNeI0ClKjLx9648CfMl02TxViTvG1Ne2sDsFvGc53NzEd65I2BsPuLpBsHo5zXbZ1ZvLhFm+iOjXlPnD1WlOeQuDhFdIdR+1lWt5aExNwBvIqBr+nYfJt094h9fUwXxMpJ+75GtBdAo3j2nOlWlZtCkWnDmCsXd0j6nNrHz0fO8VqCcJmQsP1ThUgBlO7T3L4PiVg1yHbDpKyTgVb6zHpYt/cXiKmIxVn6nQoDxL9ZfQ2EmVi7hUfMcSoFpWdIpYuOnMmPgPk47J+YZjv4N2X6UpSQIDAQAB"

The long key (p=) is the public key that matches the private key on the signing server.

Once the message has been received, the DKIM signature can be found in the mail header. It looks like this:

   DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=email.example.com;
	s=reykjavik; t=1117574938; i=@email.example.com;
	bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
	h=To:Message-ID:Date:Content-Type:Subject:From:List-Unsubscribe:
	 From:To:Cc:Subject;
	b=nXiJoG9QuMwPyLsCw0yCx2bCd92K89bGgOb/nUsFpUuHvRfM9M1QnQaPdTaJu7pBm
	 2Yl7xHdSqXj6cU2Y2MoDeFgBkFpSa14ZiByX7VwPq8eGiNzB2580l52LtBeVxKtWrH
	 By9oU96j4h7bMxRgYvTe/r7dWaHbGaIwMwNc4eXa=
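
The following is an added example, not part of the original page: it parses a DKIM-Signature value and a key record as tag lists, derives the DNS name the receiver queries from s= and d=, and runs a few checks taken from RFC 6376 and RFC 8301. The function names are hypothetical, and the b= and p= values are constructed placeholders rather than real signature or key data.

```python
import re

# Constructed sample: the page's header, with b= replaced by a placeholder.
SIG = """v=1; a=rsa-sha256; c=relaxed/relaxed; d=email.example.com;
 s=reykjavik; t=1117574938; i=@email.example.com;
 bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
 h=To:Message-ID:Date:Content-Type:Subject:From:List-Unsubscribe:
  From:To:Cc:Subject; b=PLACEHOLDERSIGNATURE="""
# Constructed sample: the page's TXT record, with p= replaced by a placeholder.
KEY = "v=DKIM1; t=s; k=rsa; p=PLACEHOLDERPUBLICKEY"

def parse_tag_list(value):
    """Parse an RFC 6376 tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue  # empty element after a trailing semicolon
        name, val = part.split("=", 1)  # base64 values may themselves end in "="
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_query_name(sig):
    """DNS name holding the public key: <selector>._domainkey.<domain>."""
    return f"{sig['s']}._domainkey.{sig['d']}"

def audit(sig, key):
    """Return a list of problems found in a parsed signature and key record."""
    missing = [t for t in ("v", "a", "b", "bh", "d", "h", "s") if t not in sig]
    if missing:
        return ["missing required tag(s): " + ",".join(missing)]
    findings = []
    if sig["a"] == "rsa-sha1":
        findings.append("a=rsa-sha1 must not be used (RFC 8301)")
    if "from" not in [h.lower() for h in sig["h"].split(":")]:
        findings.append("From is not listed in h=")
    if key.get("p", "") == "":
        findings.append("empty p=: the key has been revoked")
    # t=s in the key record: the i= domain must equal d= exactly, no subdomains.
    ident_domain = sig.get("i", "@" + sig["d"]).rsplit("@", 1)[-1]
    if "s" in key.get("t", "").split(":") and ident_domain.lower() != sig["d"].lower():
        findings.append("t=s is set but the i= domain differs from d=")
    return findings

if __name__ == "__main__":
    sig, key = parse_tag_list(SIG), parse_tag_list(KEY)
    print(dkim_query_name(sig), audit(sig, key))
```

With the page's sample values the query name is reykjavik._domainkey.email.example.com and the audit returns no findings.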

Useful links