The DKIM approach

Email is one of the most abused services on the Internet. To raise the security of email transmission, many systems and technical procedures have been created; one of them is DKIM (DomainKeys Identified Mail). DKIM is a procedure for signing email messages so that receivers can verify that they have not been forged or altered in transit.

DKIM uses public key cryptography to verify that an email message was sent by a mail server authorized by the signing domain. This lets receivers detect forgery and, combined with reputation and policy checks, helps prevent the delivery of harmful email such as spam and phishing.

Because the approach is cryptographic, the public half of the key must be available to anyone who wants to check a signature; DKIM therefore uses DNS to publish that public data about the domain sending the email.

How does it work?

First of all, the domain owner publishes a public key as a TXT record in its domain's DNS, at the name <selector>._domainkey.<domain>. This is the public key that receivers will use to verify signatures (DKIM signs messages; it does not encrypt them). When the outbound email server that serves the domain sends a message, it generates a DKIM signature with its private key, which corresponds to the public key published in the TXT record, and attaches it to the message as a DKIM-Signature header. That header carries a hash of the message body (the bh= tag) and a signature (the b= tag) computed over a listed set of headers (the h= tag) plus the DKIM-Signature header itself with the b= value left empty. Finally the message, with this additional information, is sent out.

On the receiving side, when the incoming email server gets the message, it reads the d= (domain) and s= (selector) tags of the DKIM-Signature header, fetches the DKIM public key from the TXT record at <s>._domainkey.<d>, recomputes the body hash and compares it with bh=, and then checks the b= signature over the listed headers with that public key. If both checks pass, the signed headers and body are genuine and have not been altered since the signing domain vouched for them. Note what this does and does not prove: the receiver knows that the domain in d= signed the message and that the signed parts are intact; it does not by itself prove that the visible From address belongs to the signing domain (that alignment check is what DMARC adds on top of DKIM). Within those limits it is a very powerful method.

An example of a DKIM-Signature header, taken from RFC 6376, is as follows:

DKIM-Signature: a=rsa-sha256; d=example.net; s=brisbane;
    c=simple; q=dns/txt; i=@eng.example.net;
    t=1117574938; x=1118006938;
    h=from:to:subject:date;
    z=From:foo@eng.example.net|To:joe@example.com|
      Subject:demo=20run|Date:July=205,=202005=203:44:08=20PM=20-0700;
    bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
    b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ
      VoG4ZHRNiYzR

In this example you can see the most important tags: d= is the signing domain, s= is the selector that names which key under that domain to fetch from DNS, a= is the signing algorithm, c= the canonicalization used before hashing, h= lists the headers covered by the signature, bh= is the base64 SHA-256 hash of the canonicalized body (the receiver checks it simply by recomputing it; no key is needed), and b= is the actual digital signature, which the receiver verifies with the sender's public key. The i= tag identifies the agent or user on whose behalf the message was signed (here the eng.example.net subdomain), t= and x= are the signing and expiry timestamps, and z= is an optional copy of the original header values. As you can see, it is powerful in its simplicity.
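To make the flow described in "How does it work?" and the header tags above concrete, here is an added example, not code from the original page: a miniature DKIM signer and verifier in plain Python. Everything in it is an assumption of this example rather than a real implementation: it uses "simple" canonicalization only, a toy textbook-RSA signature over the SHA-256 digest instead of the RSASSA-PKCS1-v1_5 padding RFC 6376 requires, a fixed demonstration key built from two Mersenne primes (trivially factorable, never to be used for real mail), a dict named FAKE_DNS standing in for the TXT query, a p= value that is just base64 of the modulus rather than a DER-encoded key, and a fixed public exponent of 65537. The sample message (HEADERS, BODY) is constructed for the demo.

```python
"""Added example (not the article's own code): a miniature DKIM signer and
verifier in plain Python.  It follows the flow described in the text, with
simplifications that are assumptions of this example only: "simple"
canonicalization, a toy textbook-RSA signature over the SHA-256 digest instead
of RSASSA-PKCS1-v1_5, a fixed demonstration key built from two Mersenne
primes, and a dict standing in for the DNS TXT lookup."""
import base64
import hashlib
import re

# Toy key pair: Mersenne primes are trivially factorable, so this key is for
# demonstration only and must never be used for real mail (assumption).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
KEY_LEN = (N.bit_length() + 7) // 8

SIGNING_DOMAIN = "example.net"                      # d= tag
SELECTOR = "brisbane"                               # s= tag
SIGNED_HEADERS = ["from", "to", "subject", "date"]  # h= tag

# Stand-in for DNS (assumption).  The record lives at <selector>._domainkey.<domain>.
# A real record carries p= as base64 DER SubjectPublicKeyInfo; here p= is base64(N).
FAKE_DNS = {
    f"{SELECTOR}._domainkey.{SIGNING_DOMAIN}":
        "v=DKIM1; k=rsa; p=" + base64.b64encode(N.to_bytes(KEY_LEN, "big")).decode(),
}

# Constructed sample message (addresses match the header example in the text).
HEADERS = [
    ("From", "foo@eng.example.net"),
    ("To", "joe@example.com"),
    ("Subject", "demo run"),
    ("Date", "July 5, 2005 3:44:08 PM -0700"),
]
BODY = "Hi Joe,\nthe demo is at 3pm.\n\n\n"


def parse_tags(value):
    """Split a 'tag=value; tag=value' list (DKIM-Signature or DNS record) into a dict."""
    return {k: re.sub(r"\s+", "", v) for k, v in re.findall(r"(\w+)=([^;]*)", value)}


def canon_body_simple(body):
    """RFC 6376 'simple' body canonicalization: drop trailing empty lines, CRLF line ends."""
    lines = body.replace("\r\n", "\n").rstrip("\n")
    return (lines + "\n").replace("\n", "\r\n").encode()


def body_hash(body):
    return base64.b64encode(hashlib.sha256(canon_body_simple(body)).digest()).decode()


def header_hash(headers, signed_names, sig_value_without_b):
    """Hash the h= headers (in h= order, absent ones contribute nothing) followed by
    the DKIM-Signature header itself with an empty b= and no trailing CRLF."""
    present = {name.lower(): f"{name}: {value}" for name, value in headers}
    lines = [present[n.lower()] for n in signed_names if n.lower() in present]
    lines.append("DKIM-Signature: " + sig_value_without_b)
    return hashlib.sha256("\r\n".join(lines).encode()).digest()


def sign(headers, body):
    """Outbound server: build the DKIM-Signature header value for a message."""
    tags = (f"v=1; a=rsa-sha256; c=simple/simple; d={SIGNING_DOMAIN}; s={SELECTOR}; "
            f"h={':'.join(SIGNED_HEADERS)}; bh={body_hash(body)}; b=")
    digest = int.from_bytes(header_hash(headers, SIGNED_HEADERS, tags), "big")
    signature = pow(digest, D, N)  # toy RSA: no padding; digest < N so it round-trips
    return tags + base64.b64encode(signature.to_bytes(KEY_LEN, "big")).decode()


def verify(sig_value, headers, body, dns=FAKE_DNS):
    """Receiving server: return (ok, reason) for a DKIM-Signature header value."""
    tags = parse_tags(sig_value)
    if body_hash(body) != tags.get("bh"):
        return False, "body hash mismatch: body was altered"
    record = dns.get(f"{tags.get('s')}._domainkey.{tags.get('d')}")
    if record is None:
        return False, "no DKIM TXT record for this selector and domain"
    n = int.from_bytes(base64.b64decode(parse_tags(record)["p"]), "big")
    without_b = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", sig_value)  # empty the b= tag
    digest = int.from_bytes(header_hash(headers, tags["h"].split(":"), without_b), "big")
    signature = int.from_bytes(base64.b64decode(tags["b"]), "big")
    if pow(signature, E, n) != digest:  # assumes e=65537 (a real record carries it in DER)
        return False, "signature mismatch: signed headers altered or wrong key"
    return True, "ok"


def demo():
    """Sign once, then verify the original, a tampered body and a tampered From."""
    sig = sign(HEADERS, BODY)
    genuine = verify(sig, HEADERS, BODY)[0]
    tampered_body = verify(sig, HEADERS, BODY.replace("3pm", "4pm"))[0]
    tampered_from = verify(sig, [("From", "ceo@example.net")] + HEADERS[1:], BODY)[0]
    return genuine, tampered_body, tampered_from


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Two details worth noticing when you run it: trailing blank lines in the body do not break the signature, because "simple" canonicalization strips them before hashing, and a changed From header fails the b= check even though bh= still matches, which is exactly why the receiver performs both comparisons.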

Do I need DKIM?

DKIM is a powerful way to authenticate the email you send. If you are a commercial entity or an organization that sends important information to a specific audience, then yes, DKIM is very important and you should implement it as soon as possible. It protects both you as the sender (your domain becomes much harder to impersonate) and your counterparty as the receiver (they can tell your genuine mail from forgeries). In addition, it relies on well-studied cryptographic methods, but a signature is only as trustworthy as the key behind it: keep the private key confined to your outbound mail servers, use an RSA key of at least 2048 bits, and rotate keys under new selectors periodically.