DomainKeys Identified Mail (DKIM)
DomainKeys Identified Mail (DKIM) is a cryptographic authentication mechanism for email: the sending side adds a digital signature to each message, and the receiving side verifies it with a public key the signing domain publishes in DNS. A valid signature shows that the message was signed by a holder of the private key for the domain named in the signature (the d= tag) and that the signed headers and body have not been altered since.
- authenticates the signing domain and protects the integrity of the signed headers and the message body
- mitigates spoofing, tampering and phishing that rely on forged sender information; on its own it does not tie the signature to the visible From address, which is what DMARC alignment adds
- uses a public key published as a DNS TXT record at <selector>._domainkey.<domain>
- uses public-key cryptography to validate the signing domain for a given message (not the sending server's IP address, which is what SPF checks)
- helps reduce spam and mail spoofing; it does not prevent spam by itself, since a spammer can sign mail with their own domain's key
- uses digital signatures (not encryption) to prove that a message was signed under the key of the domain it claims
- supplements SPF rather than replacing it; DMARC accepts a message if either SPF or DKIM passes with alignment, so DKIM survives forwarding and mailing lists that break SPF
- To configure DKIM:
- the organization generates a signing key pair and publishes the public key as a TXT record at <selector>._domainkey.<domain>; the private key stays on the signing MTA
- the sending MTA adds a DKIM-Signature header to every outgoing message
- that header carries a digital signature that the receiving mail server verifies using the domain's public key
- organizations receiving messages use this key to verify that the message was signed by the claimed domain and that the signed parts are unchanged
How it Works
- when outgoing mail is processed, the signing MTA first hashes the message body (the bh= tag), then hashes the selected headers together with the DKIM-Signature header itself (with an empty b= value) and signs that hash with its private key
- the signature is added to the message as the b= tag of the DKIM-Signature header
- along with the list of signed headers (h=), the hash and signature algorithm (a=), the canonicalization mode (c=), the body hash (bh=), and the signing domain (d=) and selector (s=)
- the domain and selector tell the receiving server which DNS record to look up: <s>._domainkey.<d>
- the receiving MTA fetches that DKIM DNS record, obtains the public key (p=), and verifies the signature against its own recomputed header hash (a signature is verified, not decrypted)
- the MTA also recomputes the body hash and compares it with bh=
- if the signature verifies and the body hash matches, the message was signed by a holder of the domain's private key and the signed headers and body are intact
- the body hash is mandatory, not optional; it is what gives DKIM its integrity check over the message contents
- canonicalization (simple or relaxed) defines how much whitespace and header-case change in transit the signature tolerates; relaxed is the usual choice because intermediate servers often refold or reindent
Components
v=DKIM1; k=rsa; p=<key>
- published as a TXT record at <selector>._domainkey.<domain>
- v=DKIM1 is the record version
- k=rsa is the key type
- p=<key> is the base64-encoded public key
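The signing and verification steps from How it Works, together with the DNS record format above, as one worked example in Go. This is added here and is not code from the original page; it uses only Go's standard library, implements rsa-sha256 with relaxed canonicalization as in RFC 6376, and simulates the DNS lookup by handing the verifier the record string directly. The domain example.com, the selector sel2024, the message text and the freshly generated 2048-bit key are constructed for the example; header ordering and repeated headers are left out for brevity.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Message is a minimal mail: lowercase header name -> value, plus a CRLF body.
type Message struct {
	Headers map[string]string
	Body    string
}

var wsp = regexp.MustCompile(`[ \t]+`)
var emptyB = regexp.MustCompile(`(^|;)(\s*)b=[^;]*`) // blanks the b= value, leaves bh= alone

// relaxedHeader: RFC 6376 s3.4.2 (lowercase name, unfold, collapse WSP, trim).
func relaxedHeader(name, value string) string {
	v := strings.TrimSpace(wsp.ReplaceAllString(strings.ReplaceAll(value, "\r\n", ""), " "))
	return strings.ToLower(name) + ":" + v + "\r\n"
}

// relaxedBody: RFC 6376 s3.4.4 (collapse WSP, strip it before CRLF, drop trailing empty lines).
func relaxedBody(body string) string {
	b := strings.ReplaceAll(wsp.ReplaceAllString(body, " "), " \r\n", "\r\n")
	if b = strings.TrimRight(b, " \r\n"); b != "" {
		b += "\r\n" // a non-empty body ends with exactly one CRLF; an empty one stays empty
	}
	return b
}

// bodyHash is the bh= tag value: base64(SHA-256(canonicalized body)).
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(relaxedBody(body)))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// headerHash is what gets signed: the h= headers in order, then the DKIM-Signature
// header itself with an empty b= value and no trailing CRLF (RFC 6376 s3.7).
func headerHash(msg Message, signed []string, sigValue string) []byte {
	h := sha256.New()
	for _, name := range signed {
		if v, ok := msg.Headers[strings.ToLower(name)]; ok { // absent headers are skipped
			h.Write([]byte(relaxedHeader(name, v)))
		}
	}
	h.Write([]byte(strings.TrimSuffix(relaxedHeader("DKIM-Signature", sigValue), "\r\n")))
	return h.Sum(nil)
}

// dkimSign is the sending MTA's side; it returns the DKIM-Signature header value.
func dkimSign(msg Message, priv *rsa.PrivateKey, domain, selector string, signed []string) (string, error) {
	sigValue := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(signed, ":"), bodyHash(msg.Body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerHash(msg, signed, sigValue))
	return sigValue + base64.StdEncoding.EncodeToString(sig), err
}

// dnsRecord renders the TXT record to publish at <selector>._domainkey.<domain>.
func dnsRecord(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// parseTags reads a "k=v; k=v" tag list, removing folding whitespace from values.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(part, "="); ok {
			tags[strings.TrimSpace(k)] = wsp.ReplaceAllString(v, "")
		}
	}
	return tags
}

// dkimVerify is the receiving MTA's side: take p= from the fetched record, check
// the body hash, rebuild the header hash and verify the signature (nil means pass).
func dkimVerify(msg Message, record string) error {
	tags, rec := parseTags(msg.Headers["dkim-signature"]), parseTags(record)
	der, errP := base64.StdEncoding.DecodeString(rec["p"])
	sig, errB := base64.StdEncoding.DecodeString(tags["b"])
	pubAny, errK := x509.ParsePKIXPublicKey(der)
	pub, ok := pubAny.(*rsa.PublicKey)
	if tags["a"] != "rsa-sha256" || rec["k"] != "rsa" || errP != nil || errB != nil || errK != nil || !ok {
		return errors.New("missing, malformed or unsupported signature or key record")
	}
	if bodyHash(msg.Body) != tags["bh"] {
		return errors.New("body hash mismatch: body altered after signing")
	}
	unsigned := emptyB.ReplaceAllString(msg.Headers["dkim-signature"], "${1}${2}b=") // signer hashed b= empty
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerHash(msg, strings.Split(tags["h"], ":"), unsigned), sig)
}

// signedSample signs a constructed message (not real mail) with a fresh key and
// returns it together with the record a verifier would fetch from DNS.
func signedSample() (Message, string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Message{}, "", err
	}
	msg := Message{
		Headers: map[string]string{"from": "alice@example.com", "to": "bob@example.net", "subject": "Invoice 42"},
		Body:    "Hi Bob,\r\n\r\nPlease find the invoice attached.  \r\n\r\n",
	}
	sig, err := dkimSign(msg, priv, "example.com", "sel2024", []string{"From", "To", "Subject"})
	msg.Headers["dkim-signature"] = sig
	return msg, dnsRecord(&priv.PublicKey), err
}

func main() {
	msg, record, _ := signedSample()
	fmt.Println("verify:", dkimVerify(msg, record)) // <nil> for the pristine message
}
```

Two things worth trying against this code: change only whitespace in the subject or body and the signature still verifies, because relaxed canonicalization strips it before hashing; change a single word in the body or the From address and verification fails, the former at the bh= comparison and the latter at the RSA check. The b= stripping uses a regex anchored on the preceding ';' so that a "b=" substring inside the base64 bh= value is never mistaken for the signature tag.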