An Introduction To DKIM
DKIM stands for DomainKeys Identified Mail. It associates a domain with an email message to help prove the authenticity of the message. DKIM is a successor of DomainKeys, developed by Yahoo!, which was deprecated in 2007 but is still used by some providers. DKIM was created by an informal group and was submitted to the IETF for further development and standardization. DKIM uses public-key cryptography for signing.
The sender (sometimes the signer, but not always; for example, GMail/Sendmail signs its users' messages, not the users themselves) adds a DKIM-Signature: mail header field. The receiver (not necessarily the recipient; it may be the ESP/MTA, like GMail, Yahoo! etc.) retrieves the signer's public key from the signer's DNS records, locating the record using details provided in the DKIM-Signature: header field, and uses that key to verify the contents of the message and its integrity.
A DKIM-Signature: header field contains many name-value pairs, known as tags. Names are short, at most one or two letters. The b tag contains the digital signature of the mail contents (body & headers); bh stands for body hash, i.e. a fingerprint of the body, which can be used to detect tampering; s is the selector, which needs to be used when fetching the public key from the DNS record; d is the signing domain. These are the most important tags; other tags provide the DKIM version, the cryptographic algorithm being used, etc.
Here's what a typical DKIM-Signature: header field looks like:
And here's the corresponding DNS record for the above header, which has the public key:
The receiver/receiving MTA uses the public key to check the signature provided, thereby learning whether the message is genuine and whether it was tampered with.
Filters for all the popular MTAs, like Sendmail, Postfix and PowerMTA, are available online:
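The receiver-side steps described above (split the header into tags, derive the DNS name of the key record from s and d, recompute bh over the received body) can be sketched as follows. This is an added example, not code from the original article; the function names and the sample message are constructed for illustration, while the <selector>._domainkey.<domain> record name and the simple/relaxed body canonicalization follow RFC 6376.

```python
import base64
import hashlib
import re

def parse_tags(value):
    """Split a DKIM-Signature field value into its name=value tags."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:  # folding whitespace inside a value is not significant
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_record_name(tags):
    """DNS name whose TXT record holds the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def canonical_body(body, algo):
    """Body canonicalization; both forms ignore empty lines at the end."""
    lines = body.split(b"\r\n")
    if algo == "relaxed":  # collapse space/tab runs, drop whitespace at line ends
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    out = b"".join(ln + b"\r\n" for ln in lines)
    return out if (out or algo == "relaxed") else b"\r\n"

def body_hash(tags, body):
    """Recompute bh over the received body using the a, c and l tags."""
    body_algo = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    data = canonical_body(body, body_algo)
    if "l" in tags:  # optional limit on how many body octets were signed
        data = data[: int(tags["l"])]
    digest = hashlib.new(tags["a"].split("-")[1], data).digest()
    return base64.b64encode(digest).decode()

def body_intact(header_value, body):
    """True when the recomputed body hash equals the bh tag in the header."""
    tags = parse_tags(header_value)
    return body_hash(tags, body) == tags["bh"]

# Constructed sample (not from the article): domain, selector and b value are
# placeholders; bh is computed here so that the sample is self-consistent.
SAMPLE_BODY = b"Hello,\r\nthe invoice is  attached. \r\n\r\n"
SAMPLE_TAGS = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; h=from:to:subject"
SAMPLE_HEADER = SAMPLE_TAGS + "; bh=" + body_hash(parse_tags(SAMPLE_TAGS), SAMPLE_BODY) + ";\r\n b=QUJD REVG"

if __name__ == "__main__":
    print(key_record_name(parse_tags(SAMPLE_HEADER)), body_intact(SAMPLE_HEADER, SAMPLE_BODY))
```

A matching bh only shows that the body is unchanged since signing. Deciding whether the message is genuine still requires verifying b with the public key fetched from the record name.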
Sendmail - http://blog.mixu.net/2009/11/03/sett...sing-sendmail/
Postfix - http://eric.lubow.org/2009/mail/sett...m-and-postfix/
Exim - http://www.systemajik.com/blog/imple...kim-with-exim/
If you have your domain configured for Google Apps, you can easily enable DKIM on all outgoing mail; here's how to go about it: http://support.google.com/a/bin/answ...&answer=174124
If you are aware of any other hosting/email provider that supports DKIM like Google Apps, please post in the comments; it might help someone setting up DKIM for personal/SOHO use.
You may also sign your email with DKIM yourself and forward it to your MTA (in case it does not support DKIM integration, or you do not have the privilege to configure it); for that purpose, all popular scripting & programming languages have free libraries which will help you accomplish the task. We'll cover this topic another day.