A Quick Introduction to DKIM

As noted in our previous blog post, one of the inherent problems with email is that historically there has been no universally accepted way to establish the authenticity of a message. There is no built-in way, for instance, to prove that the purported sender of an email is the true sender. The original standard for sending and receiving email over the Internet (SMTP) includes no mechanism for checking the authenticity of a message.

In recent years, email security advocates have introduced a few techniques to add a layer of security: SPF, DKIM, and DMARC. We described SPF in our July post. In this article, we'll introduce DKIM (DomainKeys Identified Mail).

DKIM was developed to answer a simple but challenging question: was an email altered in any way between the time it was sent and the time it was received? Because email messages are essentially plain text that can easily be edited, there is no guarantee that a message will not be changed as it traverses the Internet on its way from the sending email provider to the receiving provider. DKIM addresses this by adding a digital signature to each message, so the receiver can detect whether the signed parts were modified in transit.

To implement DKIM, a domain owner must first publish a public DKIM key in DNS (as a TXT record under a selector name) so that any receiving email server can retrieve it. Once the DNS record is in place and the matching private DKIM key is configured on the sending mail server, DKIM is ready to go.

The DKIM process involves two steps: (i) signing and (ii) verifying. When an email is sent, the sending email server attaches a digital signature to the email in a DKIM-Signature header, which also records the signing domain, the selector, and which header fields were signed. The signature is created by hashing the designated parts of the email (the selected headers and the body) and signing that hash with the private DKIM key. When the receiving email server sees the DKIM-Signature header, it performs a DNS query for the domain and selector named in the header to fetch the public DKIM key, uses it to verify the signature and recover the hash the sender signed, and then calculates its own hash over the same parts of the received email. If the two hashes match, the DKIM signature is deemed "valid"; if any signed header or the body was changed in transit, they will not match and the signature fails.
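As an added example (not code from the original post or from Tensyl), here is a simplified DKIM signer and verifier in Go that walks through the two steps above: it computes the body hash (the bh= tag), hashes the selected headers together with the DKIM-Signature field itself, signs that with RSA-SHA256, and on the receiving side verifies the signature with the public key. It uses "simple" canonicalization only, skips the DNS lookup and header folding, and the domain, selector and header values are assumed for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"strings"
)

// bodyHash is the bh= tag: SHA-256 of the body in "simple" canonical form (trailing empty lines collapsed to one CRLF), base64 encoded.
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// headerHash covers what is actually signed: the listed "Name: value" header lines in order, then the DKIM-Signature field with an empty b= tag (no trailing CRLF).
func headerHash(hdrs []string, dkimNoSig string) []byte {
	h := sha256.New()
	for _, line := range hdrs {
		h.Write([]byte(line + "\r\n"))
	}
	h.Write([]byte("DKIM-Signature: " + dkimNoSig))
	return h.Sum(nil)
}

// Sign (sender side) builds the DKIM-Signature value for domain d= / selector s= and signs the header hash with the domain's private key.
func Sign(priv *rsa.PrivateKey, domain, selector string, hdrs []string, body string) (string, error) {
	names := make([]string, len(hdrs))
	for i, line := range hdrs {
		names[i] = strings.ToLower(strings.SplitN(line, ":", 2)[0]) // h= tag lists signed field names
	}
	unsigned := "v=1; a=rsa-sha256; c=simple/simple; d=" + domain + "; s=" + selector + "; h=" + strings.Join(names, ":") + "; bh=" + bodyHash(body) + "; b="
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerHash(hdrs, unsigned))
	if err != nil {
		return "", err
	}
	return unsigned + base64.StdEncoding.EncodeToString(sig), nil
}

// Verify (receiver side): pub is the key fetched from DNS for the d=/s= pair, hdrs are the received header lines named in h=, body is the body as received.
func Verify(pub *rsa.PublicKey, sigHeader string, hdrs []string, body string) bool {
	i := strings.LastIndex(sigHeader, "; b=")
	if i < 0 || !strings.Contains(sigHeader, "bh="+bodyHash(body)+";") {
		return false // malformed signature, or the body changed in transit
	}
	sig, err := base64.StdEncoding.DecodeString(sigHeader[i+4:])
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerHash(hdrs, sigHeader[:i+4]), sig) == nil
}
```

A real verifier would additionally parse the h= list out of the header, fetch the key from `<selector>._domainkey.<domain>` in DNS, and support the "relaxed" canonicalization that tolerates whitespace changes.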

To learn more about email security, contact the Tensyl team.

David Garrett