Explaining DKIM

Email authentication (verifying the identities of the parties involved in sending an email) is a hard problem with no single solution; different techniques solve different parts of it. SPF, described in my last article, lets a domain owner publish the IP addresses that are allowed to send mail on the domain's behalf. DMARC builds on SPF and DKIM to let domain owners set a policy for messages that fail authentication and receive reports about them. Postmark launched a free tool to help you with DMARC reporting at http://dmarc.postmarkapp.com/. DKIM protects against email spoofing using public-key cryptography. In this article, I'll explain how it works and what protection DKIM provides.

How DKIM protects you #

DomainKeys Identified Mail (DKIM) protects the content of an email (the body and a chosen set of headers) against tampering. The signer adds a DKIM-Signature header field that carries a hash of the body and a digital signature over that hash and the selected headers. If a message passes DKIM verification, you know two things: the signed headers and the body have not been modified since the message was signed, and the domain named in the signature took responsibility for the message. DKIM says nothing about headers that were not signed, so a relay or mailing list can add or change those without affecting the result, and on its own it does not prove that the From: address is genuine, because the signing domain can differ from the From: domain. Tying the two together is the alignment check that DMARC adds on top.

How DKIM works #

DKIM uses public-key cryptography: there is a private key that only the signer of the message knows, and a public key that anyone can fetch and use to verify the signature. The signer of the email (which can be different from the sender) computes the hashes and signs them with the private key; the receiver recomputes the hashes from the message as it arrived and checks the signature against the public key, which is published in DNS under the signing domain. When you use Postmark, the private key is stored securely on Postmark's servers and Postmark signs the messages when they are sent. When you create a sender signature, we give you the information on how to publish the public key in DNS.

What the DKIM email headers mean #

A DKIM-signed email carries a header field named DKIM-Signature. Here is an example header signed for my personal domain, nickcanzoneri.com.

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=20130830025827.pm; d=nickcanzoneri.com;
 h=From:Date:Subject:MIME-Version:Content-Type:To:Message-ID; i=info@nickcanzoneri.com;
 bh=nTZ5dMJsUUR3AQtCHx/sfVzBrXM=;
 b=ZNVolJowcNPxRbK0DxMQdUjq6+VKvK99kT1cxnuj7xOL9N0S483Na2qwG1ndmiKVYzbp/6ZKp1aH
   IWp2n+pkUUyczhXUKioLVHaNrikTvt76ODQz/GSlniMaOM7Vx8OB86C4NzJRh1/r09InAFyvqE8c
   +y2DeBtaOcqTztLaueU=

The header uses a tag=value syntax with the tags separated by semicolons; long values such as the signature are folded across lines, and that folding whitespace is not significant. The parts of the header are as follows:

  • v, Version—version of the DKIM specification in use; currently always 1
  • a, Algorithm—the signing algorithm, a hash paired with a signature scheme. This header uses rsa-sha1, which was common in 2013; RFC 8301 (2018) removed rsa-sha1 from DKIM and made rsa-sha256 mandatory, so new signers should use rsa-sha256 and expect sha1 signatures to be rejected
  • c, Canonicalization—how tolerant the verifier is of in-transit changes such as whitespace or line rewrapping, given as header/body. "simple" tolerates almost nothing; "relaxed" ignores whitespace differences and header folding. The exact rules are in RFC 6376 section 3.4
  • s, Selector—selects which of the domain's published public keys to fetch from DNS (explained below)
  • d, Domain—the domain that signed the message and takes responsibility for it; this is also where the public key is published
  • h, Headers—the header fields covered by the signature, in the order they were hashed. Fields not listed here are not protected. The DKIM-Signature field itself is always included as well, with its b= value treated as empty
  • i, Identity—the agent or user on whose behalf the message was signed, in email address format; its domain must be d= or a subdomain of it
  • bh, Body hash—the base64-encoded hash of the canonicalized body
  • b, Signature—the base64-encoded signature over the canonicalized headers (which include bh=, so the body is covered too)

With the information in the DKIM-Signature header, a verifier can work out where to find the public key: it is published in DNS as a TXT record at <selector>._domainkey.<domain>. For the example header above, d=nickcanzoneri.com tells us that the domain's keys live under _domainkey.nickcanzoneri.com, and s=20130830025827.pm names the exact record to query: 20130830025827.pm._domainkey.nickcanzoneri.com.

Using selectors lets a domain have many keys at the same time. You could use a different key for sales email than for marketing email, or one per provider that sends on your behalf, and you can rotate keys without downtime: publish a new key under a new selector, switch signing to it, and then revoke the old one by emptying its p= value or deleting the record.
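
To make concrete what c=, h=, bh= and b= cover, here is an added example in Python (written for this page, not Postmark's or the article author's code) that builds the exact byte string a DKIM signer hashes and signs: it applies the relaxed canonicalization from RFC 6376 to a constructed sample message, selects the h= headers bottom-up, computes bh=, and appends the DKIM-Signature field with an empty b=. The message, the domain example.com and the selector demo2013 are made up for the demo. The RSA step is left out: b= would be the RSA signature over the returned bytes, which needs a private key and a crypto library.

```python
import base64
import hashlib
import re

# Constructed sample message for the demo; it is not from the original article.
RAW_MESSAGE = (
    "From: info@example.com\r\n"
    "To: alice@example.net,\r\n"
    "\tbob@example.net\r\n"
    "Subject:   Quarterly  report\r\n"
    "Date: Fri, 30 Aug 2013 02:58:27 +0000\r\n"
    "X-Mailer: demo-mailer\r\n"
    "\r\n"
    "Hello Alice,  \r\n"
    "\r\n"
    "Please find the   numbers attached.\r\n"
    "\r\n"
    "\r\n"
)
SIGNED_HEADERS = ["From", "To", "Subject", "Date"]   # the h= list; X-Mailer is deliberately left out


def split_message(raw):
    """Split a CRLF message into its header fields (folded lines kept together) and its body."""
    head, _, body = raw.partition("\r\n\r\n")
    fields = []
    for line in head.split("\r\n"):
        if line[:1] in " \t" and fields:      # continuation of the previous folded field
            fields[-1] += "\r\n" + line
        else:
            fields.append(line)
    return fields, body


def canon_body(body, mode="relaxed"):
    """Body canonicalization, RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split("\r\n")
    if lines[-1] == "":                        # body ended with CRLF: drop the empty tail element
        lines.pop()
    if mode == "relaxed":
        # strip trailing whitespace on each line, collapse runs of whitespace to one space
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":           # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return "\r\n" if mode == "simple" else ""
    return "\r\n".join(lines) + "\r\n"


def canon_header(field, mode="relaxed"):
    """Header canonicalization, RFC 6376 sections 3.4.1/3.4.2; returns the field ending in CRLF."""
    if mode == "simple":
        return field + "\r\n"
    name, _, value = field.partition(":")
    value = value.replace("\r\n", "")                    # unfold
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")   # collapse whitespace, trim around the colon
    return name.rstrip(" \t").lower() + ":" + value + "\r\n"


def select_headers(fields, h_list):
    """Pick the fields named in h=, scanning bottom-up, each field used at most once (RFC 6376 5.4.2).
    A name with no matching field contributes nothing, but adding that field later breaks the signature."""
    remaining, chosen = list(fields), []
    for name in h_list:
        for idx in range(len(remaining) - 1, -1, -1):
            if remaining[idx].partition(":")[0].strip().lower() == name.lower():
                chosen.append(remaining.pop(idx))
                break
    return chosen


def body_hash(body, mode="relaxed", algo="sha256"):
    """The bh= value: base64 of the digest over the canonicalized body."""
    digest = hashlib.new(algo, canon_body(body, mode).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def signing_input(raw, h_list, domain, selector, mode="relaxed", algo="sha256"):
    """Return (DKIM-Signature field with empty b=, the bytes that b= is the RSA signature of)."""
    fields, body = split_message(raw)
    bh = body_hash(body, mode, algo)
    dkim_field = ("DKIM-Signature: v=1; a=rsa-%s; c=%s/%s; d=%s; s=%s; h=%s; bh=%s; b="
                  % (algo, mode, mode, domain, selector, ":".join(h_list), bh))
    data = "".join(canon_header(f, mode) for f in select_headers(fields, h_list))
    # The DKIM-Signature field itself is hashed last, with b= empty and without its trailing CRLF.
    data += canon_header(dkim_field, mode).rstrip("\r\n")
    return dkim_field, data.encode("utf-8")


if __name__ == "__main__":
    field, data = signing_input(RAW_MESSAGE, SIGNED_HEADERS, "example.com", "demo2013")
    print(field)
    print(data.decode("utf-8"))
```

Run it, then change the X-Mailer header or the spacing inside the body: the signing input is byte-for-byte the same, so an existing signature would still verify. Change the Subject or a word in the body and it differs, which is exactly the tamper evidence the article describes. A verifier runs the same functions on the message as received, compares its own bh= with the one in the header, and then checks b= over these bytes with the public key from DNS.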

What the DKIM DNS record means #

The DNS record used with DKIM is a TXT record that contains the public key a verifier uses to check DKIM signatures. Here is the DNS record for 20130830025827.pm._domainkey.nickcanzoneri.com:

k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCg/402SB9+BVlH6FIZVeVKSVtPHoU7sz/3pJZbdYZShpNLqZa7cwB9oVLBtpKvfZWlMLbKpqb7XecKjoyP+0d6qh11aDW39Zl94kOZaWhuJtOZvtWPPPxLtJGKMjHEiqDnT7uQ5VfeKJszLwhCIgwW/zEYxopvtBcQvbddSmrD3wIDAQAB

The record uses the same tag=value syntax as the email header. The parts of this DNS record are as follows:

  • k, Key type—the algorithm the public key is for; rsa is assumed if the tag is omitted
  • p, Public key—the base64-encoded public key. For RSA this is a DER-encoded SubjectPublicKeyInfo, the same base64 that appears between the BEGIN/END lines of a PEM public key. An empty p= value means the key has been revoked, which is how you retire a selector while leaving the record in place

Two optional tags you will often see in other records are v=DKIM1, the record version, and t=y, which marks the key as being in testing mode so that verifiers treat a failing signature no differently from unsigned mail.

Now that a DKIM verifier has the information in the DNS record and the email, it can check whether the signature is valid: recompute the body hash and compare it with bh=, then verify b= over the canonicalized signed headers using the public key.
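
As an added example (not code from the article or from Postmark), the following Python parses the DKIM-Signature header and the DNS record shown above, derives the DNS name to query, decodes the published key far enough to learn its RSA modulus size, and flags the settings a current verifier would reject. The header and record text are copied from this page; the audit thresholds come from RFC 8301, which retired rsa-sha1 and set 1024 bits as the minimum RSA key size. No DNS lookup is made, the record is embedded, so it runs offline. It also handles the revoked-key case (empty p=).

```python
import base64
import re

# Copied from the article: the example DKIM-Signature field (folded as shown) and its key record.
DKIM_SIGNATURE_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=20130830025827.pm; d=nickcanzoneri.com;\r\n"
    " h=From:Date:Subject:MIME-Version:Content-Type:To:Message-ID; i=info@nickcanzoneri.com;\r\n"
    " bh=nTZ5dMJsUUR3AQtCHx/sfVzBrXM=;\r\n"
    " b=ZNVolJowcNPxRbK0DxMQdUjq6+VKvK99kT1cxnuj7xOL9N0S483Na2qwG1ndmiKVYzbp/6ZKp1aH\r\n"
    "   IWp2n+pkUUyczhXUKioLVHaNrikTvt76ODQz/GSlniMaOM7Vx8OB86C4NzJRh1/r09InAFyvqE8c\r\n"
    "   +y2DeBtaOcqTztLaueU="
)
DNS_TXT_RECORD = (
    "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCg/402SB9+BVlH6FIZVeVKSVtPHoU7sz/3pJZbdYZShpNLqZa7"
    "cwB9oVLBtpKvfZWlMLbKpqb7XecKjoyP+0d6qh11aDW39Zl94kOZaWhuJtOZvtWPPPxLtJGKMjHEiqDnT7uQ5VfeKJszLwhC"
    "IgwW/zEYxopvtBcQvbddSmrD3wIDAQAB"
)
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1
DIGEST_LENGTHS = {"rsa-sha1": 20, "rsa-sha256": 32}       # expected byte length of bh= per a=


def parse_tags(text):
    """Parse the tag=value list shared by the header and the key record (RFC 6376 section 3.2).
    Whitespace inside a value is folding whitespace and is not significant, so it is dropped."""
    tags = {}
    for part in text.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep or not name.strip():
            raise ValueError("malformed tag: %r" % part)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def parse_signature_header(raw_field):
    """Unfold a DKIM-Signature field and return its tags."""
    name, _, value = raw_field.partition(":")
    if name.strip().lower() != "dkim-signature":
        raise ValueError("not a DKIM-Signature field")
    return parse_tags(value.replace("\r\n", ""))


def key_record_name(sig):
    """The TXT record a verifier queries: <selector>._domainkey.<domain>."""
    return "%s._domainkey.%s" % (sig["s"], sig["d"])


def identity_within_domain(sig):
    """i= is optional; when present its domain part must be d= or a subdomain of it."""
    identity = sig.get("i")
    if identity is None:
        return True
    idomain, domain = identity.rpartition("@")[2].lower(), sig["d"].lower()
    return idomain == domain or idomain.endswith("." + domain)


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, pos, pos + length


def rsa_modulus_bits(spki):
    """Walk SubjectPublicKeyInfo -> AlgorithmIdentifier, BIT STRING -> RSAPublicKey -> modulus."""
    tag, start, _ = _tlv(spki, 0)                        # outer SEQUENCE
    tag_alg, alg_start, alg_end = _tlv(spki, start)      # AlgorithmIdentifier SEQUENCE
    tag_oid, oid_start, oid_end = _tlv(spki, alg_start)  # OBJECT IDENTIFIER
    if (tag, tag_alg, tag_oid) != (0x30, 0x30, 0x06) or spki[oid_start:oid_end] != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    tag_bits, bits_start, _ = _tlv(spki, alg_end)        # BIT STRING; first content byte = unused bits
    tag_key, key_start, _ = _tlv(spki, bits_start + 1)   # RSAPublicKey SEQUENCE
    tag_n, n_start, n_end = _tlv(spki, key_start)        # INTEGER modulus (may carry a leading 0x00)
    if (tag_bits, tag_key, tag_n) != (0x03, 0x30, 0x02):
        raise ValueError("unexpected DER structure")
    return int.from_bytes(spki[n_start:n_end], "big").bit_length()


def inspect_key_record(txt):
    """Interpret a _domainkey TXT record. An empty p= means the key has been revoked."""
    rec = parse_tags(txt)
    if rec.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unknown key record version %r" % rec["v"])
    if rec.get("k", "rsa") != "rsa":
        raise ValueError("unsupported key type %r" % rec["k"])
    if rec.get("p", "") == "":
        return {"revoked": True}
    return {"revoked": False,
            "bits": rsa_modulus_bits(base64.b64decode(rec["p"])),
            "testing": "y" in rec.get("t", "").split(":")}


def audit(sig, key):
    """Findings a verifier following RFC 8301 would raise against this header/key pair."""
    findings = []
    if sig.get("a") == "rsa-sha1":
        findings.append("a=rsa-sha1: retired by RFC 8301, sign with rsa-sha256")
    if sig.get("a") in DIGEST_LENGTHS and len(base64.b64decode(sig["bh"])) != DIGEST_LENGTHS[sig["a"]]:
        findings.append("bh= length does not match the hash named in a=")
    if key["revoked"]:
        findings.append("empty p=: the selector's key has been revoked")
    elif key["bits"] < 1024:
        findings.append("%d-bit RSA key: RFC 8301 verifiers treat keys under 1024 bits as invalid" % key["bits"])
    if not identity_within_domain(sig):
        findings.append("i= is not within the signing domain d=")
    return findings


if __name__ == "__main__":
    sig = parse_signature_header(DKIM_SIGNATURE_HEADER)
    key = inspect_key_record(DNS_TXT_RECORD)
    print("query:", key_record_name(sig), "->", key)
    for finding in audit(sig, key):
        print("finding:", finding)
```

Against the article's own example the only finding is the rsa-sha1 algorithm; the key itself is 1024-bit RSA, the floor RFC 8301 allows, and the i= identity sits inside d=. In a real verifier the DNS answer would come from a resolver rather than the embedded string, and the decoded key would then be handed to an RSA verify over the bytes produced by the canonicalization step.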

Further reading #

As always, the DKIM Wikipedia article is a pretty great resource. For technical details, the DKIM.org site has some well written memos, and the specification itself is RFC 6376. For more information on other techniques for fighting email spoofing, please read my article on SPF and check out Postmark's free tool to monitor and implement DMARC.