dkim

• DKIM

https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html

Email authentication - DKIM

1 DKIM checks the message content, deploying digital signatures. Rather

than using digital certificates, the keys for signature-verification are

distributed via the DNS. That way, a message gets associated to a

domain name.



1 A DKIM-compliant ADMD generates one or more pairs of Asymmetric key

algorithm|asymmetric keys, then hands private keys to the signing MTA, and publishes public keys on

the DNS



1 The purpose of a DKIM-signature is not to assure message integrity. Often, it does

not even guarantee that a message author's data, as per a signed From:

field, has a real name or a valid mailbox. The parts to be signed are chosen so as to identify the message unequivocally. A

valid signature just states that the message did actually flow through a box

operated by that ADMD.



1 While intermediate relays usually can add header fields without

breaking existing DKIM-signatures, changing character set, adding a tag

to the subject, adding a footer, or fixing the MIME structure of a

message are likely to break them


Dkim

1 'DomainKeys Identified Mail' ('DKIM') is an email validation system designed to detect email spoofing by providing a mechanism to

allow receiving mail exchangers to check that incoming mail from a domain name|domain is authorized by that domain's

administrators. A digital signature included with the message can be validated by the

recipient using the signer's public-key cryptography|public key published in domain

name system|the DNS.


Dkim

1 DKIM is the result of merging 'DomainKeys' and 'Internet Identified Mail'. This merged specification has been the basis for a series of IETF

#External links|standards-track specifications and support

documents which eventually resulted in Internet standard|STD

[http://datatracker.ietf.org/doc/STD76?include_text=1 76].


Dkim

1 [http://blog.fastmail.fm/2009/08/13/all-outbound-email-now-being-dkim-

signed/ All outbound email now being DKIM signed]


Dkim - Overview

1 In most cases, the signing module acts on behalf of the 'author'

organization or the originating service provider by inserting a 'DKIM-

Signature:' header field


Dkim - Overview

1 DKIM is independent of Simple Mail Transfer Protocol (SMTP) routing aspects in that it operates on the

RFC 5322 message -- the transported mail's header and body -- not the

SMTP envelope defined in RFC 5321. Hence the DKIM signature survives basic relaying across multiple MTAs.


Dkim - Overview

1 DKIM allows the signer to distinguish its legitimate mail stream. It does not directly prevent or disclose abusive

behavior.


Dkim - Overview

1 This ability to distinguish legitimate mail from potentially forged mail has

benefits for recipients of e-mail as well as senders, and DKIM awareness

is programmed into some e-mail software.


Dkim - How it works

1 The DKIM-Signature header field consists of a

list of tag=value parts


Dkim - How it works

1 Note that the DKIM-Signature header field itself is always implicitly included in 'h'.


Dkim - Development

1 In September 2011, RFC 6376 merged and updated the latter two documents, while preserving the substance of the DKIM protocol


Dkim - Development

1 DKIM was initially produced by an informal industry consortium and

was then submitted for enhancement and standardization by the IETF DKIM

Working Group, chaired by Barry Leiba and Stephen Farrell, with


Dkim - Development

1 Source code development of one common library is led by 'The

OpenDKIM Project', following the most recent protocol additions, and licensing under the BSD licenses#3-clause license (New BSD License)|

New BSD License.


Dkim - Patent encumbrance

1 DomainKeys is covered by assigned to Yahoo! Inc. For the purpose of the

DKIM IETF Working Group, Yahoo! released the now obsolete DK library

under a dual license scheme: the DomainKeys Patent License

Agreement v1.2, an unsigned version of which can still be found, and GNU General Public License v2.0 (and no

other version).https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html

Dkim - Advantages

1 * It allows a great reduction in abuse desk work for DKIM-enabled domains

if e-mail receivers use the DKIM system to identify forged e-mail

messages claiming to be from that domain.


Dkim - Use with spam filtering

1 However, widespread use of DKIM can prevent spammers from forging

the source address of their messages, a technique they commonly employ today.


Dkim - Anti-phishing

1 DKIM can be useful as an anti-phishing technology. Mailers in

heavily phished domains can sign their mail to show that it is



1 genuine. Recipients can take the absence of a valid signature on mail from those domains to be an indication that the mail is probably forged. The best way to determine the set of domains that merit this degree of scrutiny remains an open question; DKIM has an optional feature called Author Domain

Signing Practices|ADSP that lets authors that sign all their mail self-identify, but the effectiveness of this approach remains

questionable:



1 Working with eBay and PayPal, Google has effectively utilized DKIM in GMail in such a

way that any e-mail that claims to be coming from ebay.com or PayPal.com will not be accepted at all if they cannot be verified successfully with DKIM. Such

messages won't even appear in the Spam folder. Heavily phished domains that

deserve such treatment are few in number, far less than those who publish strict

policies.https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html

Dkim - Compatibility

1 Because it is implemented using DNS records and an added RFC 5322

header field, DKIM is compatible with the existing e-mail infrastructure. In

particular, it is transparent to existing e-mail systems that lack

DKIM support.


Dkim - Protocol overhead

1 DKIM requires cryptographic checksums to be generated for each message sent through a mail server,

which results in overhead (computing)|computational overhead

not otherwise required for e-mail delivery


Dkim - Protocol overhead

1 This facet of DKIM may look similar to hashcash, except that the receiver

side verification is not a negligible amount of work.


Dkim - Weaknesses

1 DKIM signatures do not encompass the message envelope, which holds the return-

path and


Dkim - Weaknesses

1 message recipients. Since DKIM does not attempt to protect against mis-addressing, this does not affect its

utility.


Dkim - Arbitrary forwarding

1 As mentioned above, authentication is not the same as abuse prevention:

DKIM doesn't prevent a spammer from composing an ad at a reputable domain so as to obtain a signed copy

of the message


Dkim - Content modification

1 in format=flowed the quotes can be legally removed, which breaks DKIM signatures


Dkim - Content modification

1 The OpenDKIM Project organized a data collection involving 21 mail

servers and millions of messages. Only '92.3% of observed signatures

were successfully verified', a success rate that drops slightly (90.5%) when only mailing list traffic is considered.


Dkim - Annotations by mailing lists

1 These problems are exacerbated when filtering or relaying software adds actual changes to a message.

Although legitimate, the footer addition operated by most Electronic

mailing list|mailing lists and many central Antivirus software|antivirus solutions, formally, are exactly the

kind of message tampering that DKIM has been designed to guard

against.https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html


1 by DKIM.



1 Some suggest that these limitations could be addressed by combining

DKIM with SPF, because SPF (which breaks when messages are

forwarded) is immune to modifications of the e-mail data, and mailing lists typically use their own SMTP error address, also known as Return-Path. In short, SPF works

without problems where DKIM might run into difficulties, and vice versa.


Dkim - 2012 usage vulnerability

1 [http://www.wired.com/threatlevel/2012/10/dkim-vulnerability-widespread How a Google

Headhunter’s E-Mail Unraveled a Massive Net Security Hole]


For More Information, Visit:

• https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html

The Art of Servicehttps://store.theartofservice.com








dkim

Documents

dkim https

mail dkim

email authentication

dkim overview

cer slide

existing dkimsignatures

dkimcompliant admd

dns https