Implementing DKIM – Signing and Validation
Domain Keys Identified Mail (DKIM) is one of the two email authentication mechanisms (the other is Sender Policy Framework) used in the DMARC (Domain-based Message Authentication Reporting and Conformance) specification. It allows an email receiver to verify the sender of an email, as well as the integrity of the message contents.
DKIM defines a domain-level digital signature validation framework for email through public key cryptographic authentication, using the domain name service as its key server technology.
With the DKIM signature mechanism, an email signer first chooses an identifier (also known as Signing Domain Identifier or SDID), then digitally signs the message and finally adds the signature information using a DKIM header field as described in the signing process of this document. After the email is sent, the recipient obtains the domain name and the "selector" from the DKIM header field, acquires the public key associated with the name and verifies the signature.
The detailed implementation of DKIM will vary according to the mail and server technology. Below is the configuration process:
- Generate the pair of keys. Many mail technologies have a proprietary method to create a key pair, or use an online DKIM key generator.
- Generate the configuration file and private key for signing emails. See mail technology documentation for the proprietary method to store DKIM private keys.
- Post the public key to DNS. A public key will be stored on the domain’s DNS. The syntax of the public key is as follows:
SelectorName: corresponds to the name of the subdomain authorized for sending emails on behalf of the main domain.
_domainkey: A reserved word must be included in order to identify the public key. It is important to use the underscore“_” before the word domainkey.
DomainName.com: Name of the domain that will be protected with DMARC Compass™.
- Verify the changes were applied through a DNS Lookup of the domain.
- To perform this query use any DNS tool available. The query requests the contents of the TXT record from the DNS.
- It is necessary to determine what part of the email will be signed (header, body or both). This is important for evaluating the email’s integrity.
- A hash of the outgoing email is generated, and the contents are encrypted using the private key (RSA encoding). This key is paired with the public key and corresponds to a single selector (sender) + secure domain.
- The header “DKIM-Signature” is inserted in the email. This header contains the parameters of the generated DKIM signature.
a=Algorithm used for the signature
c=Canonization algorithm - simple does not tolerate any changes, while relaxed can tolerate simple changes, such as blank spaces (simple is the default value).
h=List of signed fields
- Once the receiving server identifies a DKIM signature inside the message, it extracts the domain and selector used for signing the email (parameters d & s).
- The server then queries the identified domain’s public DNS searching for the public key.
- When the public key is obtained, the receiving server generates a hash of the received email.
- At the same time, the contents of the DKIM are decrypted using the public key in order to obtain a hash.
- If the resulting hash matches the one generated from the received email, there is a key match. If this is the case, DKIM approval is granted. If not, email validation fails.
- Conduct periodic delivery and signing tests.
- Define email security strategies to complement DKIM such as SPF.
- Provide all the resources necessary for ensuring that the email infrastructure is updated and adequate for DKIM signing.
To learn more about how email authentication mechanisms protect the communication channel, see this datasheet.