What is a DKIM Signature?
The DKIM Signature is an Email Header with information used by a receiving server to determine the authenticity of an email.
How does the DKIM Signature work?
The main part of the DKIM Signature is a string derived from selected Email Headers, which the sending server has signed (encrypted) with a specific Private Key.
A DKIM DNS Record published under the Envelope Sender or Header From domain provides the specific Public Key that the receiving server needs to verify (decode) the DKIM Signature.
The given Public Key can only decode strings that were encrypted with its matching Private Key. The cryptography behind generating this key pair makes it computationally infeasible to “guess” the Private Key required to generate an encrypted string that a given Public Key would then be able to decode.
By confirming that the values of the Email Headers present in the message are identical to those recovered from the DKIM-Signature, the receiving server validates that the email was sent by a server authorized to send email for the Envelope Sender or Header From domain.
DMARC requires the Public Key to be provided via a DNS Record from the Header From domain, which adds an extra layer of protection against spam, spoofing, and phishing emails that use fake or unauthorized email addresses in the Header “From:” field.
Read more on: DMARC – Explained
What Email Headers go in a DKIM Signature?
Included Email Headers
The basic rule for choosing the headers to be included in the DKIM Signature is to select those that constitute the “core” of the message. Common email headers included in a DKIM Signature are:
- From (REQUIRED)
- Reply-To
- Subject
- Date
- To, Cc
- Resent-Date, Resent-From, Resent-To, Resent-Cc
- In-Reply-To, References
- List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post, List-Owner, List-Archive
Excluded Email Headers
The basic rule for choosing which headers to exclude from a DKIM Signature is to select those for which a message may carry multiple fields with the same name and/or fields that are modified in transit.
Examples of these are:
- Return-Path
- Received
- Comments, Keywords
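The sign-and-verify round trip described above, together with the effect of the included/excluded header lists, as an added Go example (not code from the original page or from any DKIM implementation). It assumes a message with one value per header field held in a map, a body that is already in "simple" canonical form, and an in-memory `zone` map standing in for the DNS TXT lookup of `<selector>._domainkey.<domain>`; the key pair, the `example.com` zone entry and the message are constructed for the demo. Header canonicalization follows the "relaxed" rules of RFC 6376, and the verifier deliberately omits the v=, a=, c= and x= checks a production implementation performs.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// signedHeaders mirrors the "included" list above (Verify rejects a signature that does not cover From); Received and Return-Path are left out because hops rewrite them.
var signedHeaders = []string{"From", "Reply-To", "Subject", "Date", "To"}

// canonicalizeRelaxed applies DKIM "relaxed" header canonicalization (RFC 6376 section 3.4.2).
func canonicalizeRelaxed(name, value string) string {
	return strings.ToLower(name) + ":" + strings.Join(strings.Fields(value), " ") + "\r\n"
}

// headerHash hashes the canonicalized headers named in hList (names absent from msg are skipped), then the DKIM-Signature header itself with an empty b= value and no trailing CRLF (RFC 6376 section 3.7).
func headerHash(msg map[string]string, hList []string, sigValue string) []byte {
	var b strings.Builder
	for _, name := range hList {
		if value, ok := msg[name]; ok {
			b.WriteString(canonicalizeRelaxed(name, value))
		}
	}
	b.WriteString(strings.TrimSuffix(canonicalizeRelaxed("DKIM-Signature", sigValue[:strings.LastIndex(sigValue, "b=")+2]), "\r\n"))
	sum := sha256.Sum256([]byte(b.String()))
	return sum[:]
}

// Sign returns the DKIM-Signature header value for msg under the sending domain's private key; selector names
// the DNS record (<selector>._domainkey.<domain>) publishing the public key. body is assumed already in "simple" canonical form.
func Sign(msg map[string]string, body, domain, selector string, key *rsa.PrivateKey) (string, error) {
	var hList []string
	for _, name := range signedHeaders {
		if _, ok := msg[name]; ok {
			hList = append(hList, name)
		}
	}
	bh := sha256.Sum256([]byte(body))
	sigValue := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(hList, ":"), base64.StdEncoding.EncodeToString(bh[:]))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, headerHash(msg, hList, sigValue))
	if err != nil {
		return "", err
	}
	return sigValue + base64.StdEncoding.EncodeToString(sig), nil
}

// Verify checks sigValue as a receiving server would; zone stands in for DNS and maps "<s>._domainkey.<d>" to the
// published public key. (A production verifier also checks v=, a=, c=, the x= expiry and the key record's flags.)
func Verify(msg map[string]string, body, sigValue string, zone map[string]*rsa.PublicKey) error {
	t := map[string]string{}
	for _, pair := range strings.Split(sigValue, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(pair), "="); ok {
			t[k] = strings.Join(strings.Fields(v), "") // folded values may contain whitespace
		}
	}
	bh := sha256.Sum256([]byte(body))
	pub, ok := zone[t["s"]+"._domainkey."+t["d"]]
	switch {
	case !strings.Contains(":"+strings.ToLower(t["h"])+":", ":from:"):
		return errors.New("signature does not cover the From header")
	case base64.StdEncoding.EncodeToString(bh[:]) != t["bh"]:
		return errors.New("body hash mismatch")
	case !ok:
		return errors.New("no DKIM key published at " + t["s"] + "._domainkey." + t["d"])
	}
	sig, err := base64.StdEncoding.DecodeString(t["b"])
	if err != nil {
		return err
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerHash(msg, strings.Split(t["h"], ":"), sigValue), sig)
}

// Demo signs a constructed message, then verifies it after a relay adds an unsigned Received header (still valid) and after a signed header is altered (invalid).
func Demo() (afterRelay, afterTamper error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway key pair for the demo; only fails if rand.Reader does
	zone := map[string]*rsa.PublicKey{"sel1._domainkey.example.com": &key.PublicKey} // constructed DNS entry
	msg := map[string]string{"From": "alice@example.com", "To": "bob@example.net", "Subject": "Hello"}
	body := "hello\r\n"
	sig, err := Sign(msg, body, "example.com", "sel1", key)
	if err != nil {
		return err, err
	}
	msg["Received"] = "from mx.example.net" // added in transit; not listed in h=, so not hashed
	afterRelay = Verify(msg, body, sig, zone)
	msg["Subject"] = "Hello (altered after signing)" // listed in h=, so the header hash changes
	return afterRelay, Verify(msg, body, sig, zone)
}

func main() {
	fmt.Println(Demo())
}
```

Running it prints `<nil>` for the relayed copy and `crypto/rsa: verification error` for the altered one: the Received header a hop adds is not in the `h=` list and so never enters the hash, while a change to any header that is listed breaks the signature. Note that the `h=` list is carried inside the signed header itself, so a sender cannot later pretend to have signed a different set of fields.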
Sources & Further Reading
Official & Regulatory
- RFC6376 – DomainKeys Identified Mail (DKIM) Signatures
  https://tools.ietf.org/html/rfc6376
- DomainKeys Identified Mail (DKIM)
  http://www.dkim.org
Industry
- What is DomainKeys Identified Mail (DKIM) alignment for DMARC?
  https://help.returnpath.com/hc/en-us/articles/220564567-What-is-DomainKeys-Identified-Mail-DKIM-alignment-for-DMARC-
- What are the SPF, DKIM and DMARC tools and how do they operate?
  https://freshmail.com/blog/spf-dkim-dmarc-tools-what-are-they-and-why-are-they-useful/