DKIM stands for DomainKeys Identified Mail and is used for the authentication of an email that’s being sent. It is an email security standard designed to make sure messages aren’t altered in transit between the sending and recipient servers.
It uses public-key cryptography to sign email with a private key as it leaves a sending server. Recipient servers then use a public key published to a domain’s DNS to verify the source of the message, and that the body of the message hasn’t changed during transit. Once the signature is verified with the public key by the recipient server, the message passes DKIM and is considered authentic.
There are three main steps to the DKIM signing process. First, the sender identifies what fields they want to include in their DKIM signature. These fields, can include things such as the “from” address, the body and the subject as well as many others. These fields must remain unchanged in transit or DKIM authentication will fail. Second, the sender’s email platform will create a hash of the text fields included in the DKIM signature. The following text fields, for example,
From: Example "firstname.lastname@example.org"
will map to this hash string:
Once the hashstring is generated, it is encrypted with a private key, which only the sender has access to.
Finally, after the email is sent it’s up to the email gateway or consumer mailbox provider to validate the DKIM signature. To do it, they need to find the public key that will perfectly match the private key, thereby decrypting the DKIM signature back to its original hash string.
Then, the receiver generates its own hash of the fields included in the DKIM signature and compares it with the hash string they just decrypted. If they match, we know both that the fields in the DKIM signature were not changed in transit and the signer of the email truly owns the email.
DKIM DNS record example:
selector(s=)._domainkey.domain(d=). TXT v=DKIM1; p=public key
s= indicates the selector record name used with the domain to locate the public key in DNS. The value is a name or number created by the sender. s= is included in the DKIM signature.
d= indicates the domain used with the selector record (s=) to locate the public key. The value is a domain name owned by the sender. d= is included in the DKIM signature.
p= indicates the public key used by a mailbox provider to match to the DKIM signature.
Here is what the full DNS DKIM record looks like for progist.net:
20190919._domainkey.progist.net 300 IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKQ1Dcff5lmH+uwAP/YdYN3b/
The selector (s=): 20190919
The domain (d=): progist.net
The version (v=): DKIM1
The public key (p=): MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKQ1Dcff5lmH+uwAP/
v= is the version of the DKIM record. The value must be DKIM1 and be the first tag in the DNS record.
p= is the public key used by a mailbox provider to match to the DKIM signature generated using the private key. The value is a string of characters representing the public key. It is generated along with its corresponding private key during the DKIM set-up process.
k= indicates the key type. The default value is rsa which must be supported by both signers and verifiers.
g= is the granularity of the public key. The value must match the local-part of the i= flag in the DKIM signature field (i= email@example.com) or contain a wildcard asterisk (*). The use of this flag is intended to constrain which signing address can use the selector record.
The DMARC protocol relies on SPF and DKIM to function.
SPF authenticates the sending server of an email based on the sending IPv4 or IPv6 address. Therefore, when that email gets auto forwarded, the IP address changes, causing SPF to fail. This is one of the limitations of SPF, hence you should not rely simply on SPF but also configure DKIM.
DKIM, on the other hand, authenticates the email based on the sending domain, as well as the email content, using a digital signature. Since the verification of this Public/Private keypair is performed via lookups of the sending domain's DNS records, it can be performed at any point along the forwarding, and therefore willsurvive forwarding.
DomainKeys is a deprecated email authentication system designed by Yahoo to verify the domain name of an email sender and the message integrity. Aspects of DomainKeys(DK), along with parts of Cisco 's Identified Internet Mail (IIM), were combined to create DKIM (DomainKeys Identified Mail) which provides more security and flexibility.
A DKIM selector is a string used to point to a specific DKIM public key record in your DNS. It is specified as s tag in the DKIM-Signature header field and can be found in the headers of an email.Validation on the receiver side uses the selector in combination with the signing domain in order to carry out a DNS query and find the public key in your DNS.
For example: selector._domainkey.yourdomain
Canonicalization is a process by which the headers and body of an email are converted to a canonical standard form before being signed. This can be thought of as converting data that can be represented in a number of ways into a standard canonical form. Some mailsystems modify emails in transit that can potentially invalidate DKIM. Some mail signers may require that minor mail modification is fine, and others may be more strict and require stricter canonicalization be used.
Two canonicalization algorithms have been created to satisfy mild modification toa message and almost no modification to a message before signing. The two canonicalization algorithms are relaxed and simple respectively. From DKIM’s perspective the headers and body of an email are separate and canonicalization algorithms are specified for both. They are represented in the format of: canonicalization / canonicalization for header and body respectively. If no canonicalization is specified then 'simple' is used for both headers and body, so it would look like this: simple/simple.
The simple/simple canonicalization is the stricter of the two and allows for almostno modification to the message header and body before signing. This can however affect the DKIM signature being invalidated by some forwarders as the email passes through. Many of the issues with DKIM being invalidated during forwarding can be solved if the canonicalization is changed to relaxed/relaxed to allow for mild modifications to the emails.DKIM is a method to protect against email spoofing using public-key cryptography.
To read about Setting up DKIM for On-Prem Exchange Server, So download below PDF.
To read about DKIM configuration for MailChimp, So download below PDF.
To read about Manually upgrade your 1024-bit keys to 2048-bit DKIM encryption keys in Microsoft Office 365 Exchange Online, So download below PDF.
To read about DKIM configuration for Microsoft Office 365 Exchange Online, So download below PDF.
To read about Setting up a custom MAIL FROM domain for Amazon SES, So download below PDF.
To read about DKIM configuration for Sendgrid, So download below PDF.