What are DomainKeys Identified Mail – DKIM records ?
What is DomainKeys Identified Mail – DKIM ?
DKIM is an email authentication protocol designed to detect email spoofing. It allows the receiver to check that an email claiming to come from a specific domain was indeed authorised by the owner of that domain. This is achieved through cryptographic authentication, utilising a public and private key pair. DKIM authentication is now widely used by most Email service providers for outgoing messages; if you do not have your own DKIM records, you may find you are starting to have Email delivery problems to certain recipients.
What is the history of DomainKeys Identified Mail – DKIM ?
As with the other Email authorisation protocols, DKIM has a long history. It is only in the past few years that adoption has increased, and we now see the large Email providers – Gmail and Microsoft 365 – pushing for the adoption of this protocol through their mail servers.
2004: Yahoo! introduced the concept of DomainKeys, this system used a cryptographic signature to verify the authenticity of Emails.
In 2007: Cisco’s Identified Internet Mail (IIM) was merged with DomainKeys to create DKIM. This new protocol combined the best elements of both systems.
In the same year, 2007: DKIM was published as an open standard in RFC 4871.
By 2011: DKIM was updated and defined in RFC 6376, with further updates in RFC 8301 and RFC 8463.
How does DomainKeys Identified Mail – DKIM Work?
DKIM works by adding a digital signature to the headers of an email message. Here’s a step-by-step breakdown:
- Key Pair Generation: The domain owner generates a pair of cryptographic keys: a private key and a public key. The private key is kept secure on the sender’s server, while the public key is published as a TXT record in the domain’s DNS at the domain host.
- Signing the Email: When an email is sent, the sending server uses the private key to create a unique DKIM signature. This signature is a hash value generated from the email’s headers and body, encrypted with the private key. The signature is then added to the email’s headers.
- Publishing the Public Key: The public key is stored in the DNS records of the sender’s domain. This allows receiving servers to retrieve it when needed.
- Verifying the Signature: When the email reaches the recipient’s server, the server retrieves the public key from the DNS records. It uses this key to decrypt the DKIM signature and compare it with a newly generated hash of the received email. If the values match, the email is verified as authentic and unaltered.
What are the key components of DomainKeys Identified Mail – DKIM ?
- DKIM-Signature Header: This header contains the DKIM signature and various parameters such as the version, algorithm, domain, and selector.
- DKIM Selector: A DKIM selector is used to locate the public key in the DNS records. It allows domain owners to use multiple keys for different purposes or rotate keys without affecting email delivery.
- Canonicalization: This process ensures that minor changes in the email (like whitespace adjustments) do not affect the DKIM signature. There are two canonicalization methods: simple and relaxed.
What is the DomainKeys Identified Mail – DKIM Mail Flow?
1. Email Composition and Sending
- User Composes Email: The email sender writes an email using their email client (e.g., Outlook, Gmail).
- Email Sent to Outgoing Mail Server: The email client sends the composed email to the sender’s outgoing mail server (SMTP server).
2. DKIM Signing Process
- Generate DKIM Signature: The outgoing mail server generates a DKIM signature for the email. This involves:
  - Hashing: Creating a hash of the email’s headers and body.
  - Encrypting: Encrypting the hash with the domain’s private key to create the DKIM signature.
- Add DKIM-Signature Header: The DKIM signature is added to the email header as a DKIM-Signature header. This header includes:
  - The domain name.
  - The selector (used to locate the public key in DNS).
  - The algorithm used for hashing and encryption.
  - The actual signature.
3. Email Transmission
- Email Sent to Recipient’s Mail Server: The email, now with the DKIM-Signature header, is sent over the internet to the recipient’s mail server.
4. DKIM Verification Process
- Retrieve Public Key: The receiving mail server retrieves the public DKIM key from the sender’s domain DNS records using the selector specified in the DKIM-Signature header.
- Decrypt DKIM Signature: The receiving server uses the public key to decrypt the DKIM signature, obtaining the original hash value.
- Generate New Hash: The server generates a new hash from the received email’s headers and body.
- Compare Hashes: The recipient server compares the decrypted hash (from the DKIM signature) with the newly generated hash:
  - Match: If the hashes match, the email is verified as authentic and unaltered.
  - Mismatch: If the hashes do not match, the email may have been tampered with or is not from the claimed domain.
5. Email Delivery
- Spam and Security Checks: The recipient’s mail server may perform additional checks (e.g., SPF, DMARC, spam filters).
- Email Delivered to Inbox: If the email passes all checks, it is delivered to the recipient’s inbox. If it fails, it may be marked as spam or rejected.
A detailed example of DKIM mail flow
1. Jane (sender) sends an email to Fred (recipient) from jane@pip.com.au
2. DKIM Signing:
- Jane’s outgoing mail server (pip.com.au) generates a DKIM signature for the email.
- The server hashes the email’s headers and body, then encrypts the hash with pip.com.au’s private key.
- The DKIM-Signature header is added to the email header.
3. Email Transmission:
- The email is sent to Fred’s Email address via Fred’s mail server.
4. DKIM Verification:
- Fred’s mail server retrieves the public key from pip.com.au’s DNS records.
- The server decrypts the DKIM signature from the message header to get the original hash.
- The server generates a new hash from the received email.
- The server compares the two hashes.
5. Email Delivery
- If the hashes match, the email is verified and delivered to Fred’s inbox.
- If the hashes do not match, the email may be flagged as suspicious.
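The signing and verification steps described above (the step-by-step breakdown, the mail flow and Jane's message to Fred) as a runnable round trip. This is an added example, not code from the original page or from PIP: the domain pip.com.au and the selector, DNS table and message are constructed for the demo, and the "encrypt the hash with the private key" step is implemented as what it is on the wire, an RSA-SHA256 signature (the a= tag), over relaxed-canonicalized headers plus a separate body hash (bh=). It needs the third-party `cryptography` package.

```python
"""Simplified DKIM sign/verify round trip (added example, not PIP's code).

The domain, selector, DNS table and message below are constructed for the
demo. Requires the `cryptography` package (pip install cryptography).
"""
import base64
import hashlib
import re

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

DOMAIN = "pip.com.au"    # constructed: the signing domain (d= tag)
SELECTOR = "jul2024"     # constructed: selector (s= tag)
SIGNED_HEADERS = ["from", "to", "subject", "date"]   # the h= list


# Step 1 (key pair generation). RFC 8301 tells verifiers to reject RSA keys
# shorter than 1024 bits; 2048 bits is the common choice today.
def generate_keypair(bits=2048):
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    return private_key, private_key.public_key()


def dns_txt_record(public_key):
    """TXT value published at <selector>._domainkey.<domain>."""
    der = public_key.public_bytes(serialization.Encoding.DER,
                                  serialization.PublicFormat.SubjectPublicKeyInfo)
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(der).decode()


# Relaxed canonicalization (RFC 6376 section 3.4): lower-case header names,
# collapse runs of whitespace, drop trailing whitespace and trailing empty lines.
def canon_header(name, value):
    return name.lower() + ":" + re.sub(r"\s+", " ", value).strip() + "\r\n"


def canon_body(body):
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body):
    return base64.b64encode(hashlib.sha256(canon_body(body).encode()).digest()).decode()


def _signed_data(headers, header_names, unsigned_sig):
    # Headers in h= order (dict keys are lower-case names), then the
    # DKIM-Signature header itself with an empty b= value and no trailing CRLF.
    data = "".join(canon_header(n, headers[n]) for n in header_names)
    return (data + canon_header("DKIM-Signature", unsigned_sig).rstrip("\r\n")).encode()


def sign(headers, body, private_key):
    """Step 2 (signing): return the DKIM-Signature header value."""
    unsigned = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={DOMAIN}; s={SELECTOR}; "
                f"h={':'.join(SIGNED_HEADERS)}; bh={body_hash(body)}; b=")
    sig = private_key.sign(_signed_data(headers, SIGNED_HEADERS, unsigned),
                           padding.PKCS1v15(), hashes.SHA256())
    return unsigned + base64.b64encode(sig).decode()


def parse_tags(value):
    """Parse a 'k=v; k=v' tag list (used for the header and the TXT record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())   # drop folding whitespace
    return tags


def verify(headers, body, dkim_sig, dns):
    """Step 4 (verification): 'pass' or 'fail (reason)'. `dns` stands in for a TXT lookup."""
    tags = parse_tags(dkim_sig)
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256":
        return "fail (unsupported version or algorithm)"
    if body_hash(body) != tags.get("bh"):
        return "fail (body hash mismatch)"
    record = dns.get(f"{tags['s']}._domainkey.{tags['d']}")
    if record is None:
        return "fail (no DKIM record in DNS)"
    public_key = serialization.load_der_public_key(base64.b64decode(parse_tags(record)["p"]))
    unsigned = dkim_sig[: re.search(r";\s*b=", dkim_sig).end()]   # header with b= emptied
    try:
        public_key.verify(base64.b64decode(tags["b"]),
                          _signed_data(headers, tags["h"].split(":"), unsigned),
                          padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return "fail (signature does not verify)"
    return "pass"


def demo():
    """Jane (pip.com.au) writes to Fred; returns the verifier result per scenario."""
    private_key, public_key = generate_keypair()
    dns = {f"{SELECTOR}._domainkey.{DOMAIN}": dns_txt_record(public_key)}  # constructed DNS
    headers = {"from": "Jane <jane@pip.com.au>", "to": "fred@example.com",
               "subject": "Invoice 1042", "date": "Mon, 1 Jul 2024 09:00:00 +1000"}
    body = "Hi Fred,\r\n\r\nPlease find the invoice attached.\r\n\r\n"
    sig = sign(headers, body, private_key)
    return {
        "clean": verify(headers, body, sig, dns),
        # whitespace-only changes in transit survive relaxed canonicalization
        "reflowed": verify(headers, body.replace("find the", "find   the") + "\r\n\r\n", sig, dns),
        # content changed in transit: the body hash no longer matches
        "tampered_body": verify(headers, body.replace("attached", "at the link below"), sig, dns),
        # header rewritten after signing: the RSA signature no longer verifies
        "tampered_from": verify({**headers, "from": "Jane <jane@pip.com.au.example>"}, body, sig, dns),
        # key no longer published under that selector (e.g. after rotation): no key found
        "missing_key": verify(headers, body, sig, {}),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:14} {result}")
```

Only the headers listed in h= are covered by the signature, so a verifier must use exactly the list the signer recorded; the body is covered indirectly through the bh= tag, which is why a body edit is reported as a hash mismatch before any signature maths is done, while a header edit only shows up when the RSA check fails.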
How is DomainKeys Identified Mail – DKIM different from other email authentication protocols ?
- SPF (Sender Policy Framework): An SPF record verifies the sender’s IP address against the domain’s DNS records. This email authentication method ensures that the email is sent from an authorised server.
- DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC builds on DKIM and SPF by providing a way for domain owners to publish policies on how to handle emails that fail authentication checks.
How do I implement DomainKeys Identified Mail – DKIM ?
Of course, if you are a PIP client, all you need to do is request DKIM implementation on your Domain and Email services via your PIP account representative.
Otherwise, to implement DKIM, follow these steps:
- Generate DKIM Keys: Use a tool or ask your third-party email service provider to generate the private and public keys.
- Publish the Public Key: Find your DNS servers or domain provider via your Domain Registrar and add a DNS TXT record containing the public key to your domain’s DNS records.
- Configure Your Mail Server: Set up your on-premises mail server, or ask your email provider, to sign outgoing emails with the private key.
- Test Your Setup: Use online tools to verify that your DKIM configuration is working correctly.
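A check for the "Publish the Public Key" and "Test Your Setup" steps. This is an added example, not code from the original page or from PIP: it takes the TXT record as printed by `dig +short TXT <selector>._domainkey.<domain>` (long records come back as several quoted strings that the verifier concatenates, a common place for copy-and-paste mistakes) and reports the problems that make a published record unusable. The record values in `demo()` are constructed; it needs the `cryptography` package.

```python
"""Sanity-check a DKIM TXT record before or after publishing it.

Added example, not from the original page or PIP. Record values in demo()
are constructed. Requires the `cryptography` package.
"""
import base64
import binascii
import re

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa


def join_txt_strings(raw):
    """TXT data over 255 bytes is stored as several quoted strings, which
    dig prints as "..." "..."; the verifier concatenates them, so do the same."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', raw)
    return "".join(parts) if parts else raw.strip()


def check_dkim_record(raw, min_bits=1024):
    """Return a list of problems; an empty list means the record looks usable."""
    tags = {}
    for part in join_txt_strings(raw).split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":            # v= is optional, but must be DKIM1 if present
        problems.append(f"unexpected version tag v={tags['v']}")
    key_type = tags.get("k", "rsa")
    if key_type not in ("rsa", "ed25519"):
        problems.append(f"unknown key type k={key_type}")
    if "p" not in tags:
        problems.append("missing p= tag")
        return problems
    if tags["p"] == "":
        problems.append("empty p= tag: this key is revoked and will fail verification")
        return problems
    try:
        raw_key = base64.b64decode(tags["p"], validate=True)
        if key_type == "ed25519":
            if len(raw_key) != 32:                   # RFC 8463: raw 32-byte key, not DER
                problems.append(f"ed25519 key should be 32 bytes, got {len(raw_key)}")
        else:
            key = serialization.load_der_public_key(raw_key)
            if isinstance(key, rsa.RSAPublicKey) and key.key_size < min_bits:
                problems.append(f"RSA key is {key.key_size} bits; RFC 8301 verifiers "
                                f"reject keys under {min_bits} bits")
    except (binascii.Error, ValueError) as exc:
        problems.append(f"p= is not a valid base64-encoded public key ({exc})")
        return problems
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y testing flag set: verifiers treat the message as unsigned even on failure")
    return problems


def _public_b64(bits):
    pub = rsa.generate_private_key(public_exponent=65537, key_size=bits).public_key()
    return base64.b64encode(pub.public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)).decode()


def demo():
    """Constructed records: one good record split across two TXT strings, and common faults."""
    good = _public_b64(2048)
    weak = _public_b64(512)    # constructed weak key to trigger the RFC 8301 size check
    return {
        "good": check_dkim_record(f'"v=DKIM1; k=rsa; p={good[:200]}" "{good[200:]}"'),
        "revoked": check_dkim_record("v=DKIM1; k=rsa; p="),
        "garbage": check_dkim_record('"v=DKIM1; k=rsa; p=not-base64!"'),
        "weak": check_dkim_record(f"v=DKIM1; k=rsa; p={weak}"),
        "testing": check_dkim_record(f"v=DKIM1; t=y; p={good}"),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "ok")
```

Run it after publishing and again after any change to the record; a record that fails here will fail at every receiving server too, so outgoing mail from the domain will be treated as unsigned.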
Conclusion and Benefits of DKIM
DKIM plays a crucial role in securing email communication by providing a mechanism to verify the authenticity and integrity of emails. By understanding the detailed flow of an email with DKIM, you can appreciate how this protocol is a powerful tool for enhancing email security and protecting against spoofing and phishing attacks.
Providing your organisation and domain with –
- Integrity: Ensures the email content has not been altered.
- Authentication: Verifies the sender’s domain, reducing the risk of spoofing.
- Reputation: Helps maintain good sender reputation by preventing unauthorized use of your Email domain.
If you have any specific questions or need further details, please contact PIP directly.