DKIM or DomainKeys Identified Mail is a protocol by which the sender adds a digital signature to each email so that the recipient can authenticate the sender. In other words, DKIM is one of the email sender authentication solutions.

DKIM allows the recipient to verify the authenticity of the sender’s identity by establishing a link between the email and the sending domain. The protocol is set up by publishing a TXT record in the DNS zone file of the domain.

In the first step, the sender uses its private key to create a digital signature and adds it to the header of the outgoing email.

In the second step, the receiver fetches the public key that the sender has published and verifies the digital signature. In this way, DKIM helps detect forged emails. DKIM and SPF also complement each other in enforcing DMARC policies.

DKIM functionality

The general function of DKIM consists of creating a DKIM signature on the sender’s side and verifying the DKIM digital signature on the receiver’s side.

Creating a DKIM signature

First, extra whitespace is stripped from the body of the email and from the header fields listed in the DKIM h tag. This step is called canonicalization, and its result is a single normalized text string.

This is necessary because the formatting of the email may change as it passes through different servers on the way to its destination. Normalizing it ensures that the same text string is given to the hash function on both the sender’s and the receiver’s side, and a hash function produces a fixed output for any given input.

In the following steps, we will see that obtaining the same hash output on the receiving side shows that the original content was not manipulated in transit.

In short, a hash is a mathematical function that produces a consistent and unique output for every identical input string. The function is one-way: the input cannot be recovered from the output. One of its uses in computing, and especially in networking, is checking the accuracy and integrity of data transferred over network links and the Internet. If, for example, the hash values computed on the sender’s side and on the receiver’s side are equal, we can conclude that the data arrived without errors or manipulation.

Second, the hash value of the canonicalized text string is calculated. Third, the domain owner encrypts the hash output of the second step with the private key of the key pair in its possession. Note that when the email is sent, both the hash obtained in the second step and the encrypted output of this step are placed in the DKIM section of the email header.

The sender includes in the header of each email everything needed for decryption and authentication, such as which public key to use and which header fields took part in the hash calculation. Finally, the domain owner places the public key in a DKIM TXT record so that recipients can retrieve it.

DKIM digital signature verification

The receiver also performs canonicalization, i.e., strips the extra whitespace, knowing from the h tag which header fields were used. It then computes the hash value of the header and message content.

Next, the public key is received from the source domain through a DNS request.

In this step, the receiver uses the public key to decrypt the digital signature, i.e., the encrypted content produced in the third step of the previous section. This yields the hash that the sender calculated from the header and the text of the message. If it matches the hash calculated by the recipient, the content of the email and its header were not changed or manipulated in transit. In other words, data integrity is maintained.

Also, the fact that the public key matches the encrypted content, i.e., that the two keys form a pair, shows that the private key used for encryption belongs to the domain that claims to have sent the email. The sender’s identity is therefore confirmed to the receiver through this key pair.

Another critical point is that DKIM does not encrypt the whole message; only the hash of the header fields and the message text is encrypted with the private key. It would therefore be wrong to think that DKIM encrypts the content of the email and hides it from others. DKIM has a specific purpose: establishing the integrity of the data and the authentication of the sender, not the confidentiality of the data.

Other protocols, such as STARTTLS, or end-to-end encryption such as GNU Privacy Guard (GPG), are used to encrypt email data and enforce its confidentiality in transit. This DKIM design also has an advantage: calculating the hash of a relatively short text string requires much less processing and time than decrypting a long encrypted text, which makes it harder to abuse the verification step for denial-of-service (DoS) attacks.

Imagine that the receiving mail server had to decrypt the entire encrypted message just to authenticate it. Since each request would then be expensive, an attacker could send invalid requests repeatedly and exhaust the server’s resources.

DKIM record structure

As we said, the DKIM record is placed in the DNS Zone configuration file of the domain. This record is a particular type of TXT record.


The name of this record starts with example._domainkey.exampledomain.com. The example part, known as the selector, is the name given to this DKIM key. There is no limit to the number of DKIM records; you can therefore define a DKIM record, and with it a separate public and private key pair and signature, for each type of email. For example, you can use one DKIM record for marketing emails and another for support emails. Note that “example” is the same name that appears in the s tag of the email header.

The _domainkey. label that follows it is a fixed part of the DKIM record structure and must be written exactly that way when creating such records. Finally, exampledomain.com. is the name of the domain in whose DNS zone file you create the DKIM record.

– TTL is how long DNS servers cache the data of this record, and TXT specifies the DNS record type. The central part of the work, however, happens in the Value section. The v=DKIM1 tag sets the protocol the TXT record is used for, here DKIM, and the number 1 specifies its version. Note that its value is written in capital letters and that it is always the first tag.

The k tag specifies the algorithm (key type) of the public key placed in the p tag, and the p tag holds the public key itself, which every email recipient can retrieve and use to check the hash values and digital signatures.

DKIM signature structure

The DKIM signature is what the sender adds to the header of every sent email. As mentioned earlier, this signature contains everything the recipient needs for authentication and data integrity.

Here is an example of it.


– v indicates the version used in DKIM.

– a specifies the type of algorithm used in encryption and hashing.

– c, or canonicalization, indicates how strictly whitespace was normalized in the header and the message body on the sender’s side when building the text to be hashed. The word before the / gives the mode used for the header, and the word after it the mode used for the body.

– d is the domain name to which the receiver should send the DNS request and ask for the public key.

– s is the selector. Each domain can have multiple DKIM records and public keys, so the s tag specifies which public key to use. As noted in the DKIM record structure section, the name “example,” or any other name chosen, identifies the DKIM record whose key signed the received message; the s tag therefore matches the selector used in the record name, such as example here.

– h lists the header fields that took part in creating the hash on the sending server’s side. The receiver uses the same headers to build its own hash.

– bh contains the unencrypted hash of the message body. Note that the header hash is not combined with it.

– b is the digital signature, i.e., the encrypted text covering the headers listed in the h tag and the content of the message body. If the receiver decrypts it with the public key, it obtains the hash of the combined header and body content.
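The signing and verification steps described above, together with the header tags just listed, as an added example that is not part of the original article: a minimal DKIM signer and verifier in Go. It uses the Ed25519 variant of DKIM (RFC 8463) so that it needs only the standard library; with k=rsa, only the signing and verifying calls differ. The public key is handed to Verify directly instead of being fetched from the p tag of <s>._domainkey.<d> in DNS, and the function names, domain, selector and header values are this example’s own choices.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"regexp"
	"strings"
)
// Added example, not the article's own code. wsp: WSP runs; bTag: the b= value; tagRe: k=v tags.
var wsp, bTag, tagRe = regexp.MustCompile(`[ \t]+`), regexp.MustCompile(`\bb=[^;]*`), regexp.MustCompile(`(\w+)=([^;]*)`)
// RelaxedBody is the RFC 6376 "relaxed" body canonicalization (the whitespace clean-up the article describes).
func RelaxedBody(body string) string {
	lines := strings.Split(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	for i, l := range lines { // collapse space/tab runs, strip trailing whitespace per line
		lines[i] = strings.TrimRight(wsp.ReplaceAllString(l, " "), " ")
	}
	if out := strings.TrimRight(strings.Join(lines, "\r\n"), "\r\n"); out != "" {
		return out + "\r\n" // drop trailing empty lines, end a non-empty body with one CRLF
	}
	return ""
}
// BodyHash is the bh= tag: base64(SHA-256(canonicalized body)).
func BodyHash(body string) string {
	sum := sha256.Sum256([]byte(RelaxedBody(body)))
	return base64.StdEncoding.EncodeToString(sum[:])
}
// headerHash hashes the h= fields (relaxed form) followed by the DKIM-Signature field with its b= value emptied.
func headerHash(hdrs map[string]string, h []string, dkim string) []byte {
	var sb strings.Builder
	for _, n := range h {
		sb.WriteString(strings.ToLower(n) + ":" + strings.TrimSpace(wsp.ReplaceAllString(hdrs[n], " ")) + "\r\n")
	}
	sum := sha256.Sum256([]byte(sb.String() + "dkim-signature:" + bTag.ReplaceAllString(dkim, "b=")))
	return sum[:]
}
// Sign builds the DKIM-Signature value the sender adds to the header (Ed25519 signs the SHA-256 header hash).
func Sign(priv ed25519.PrivateKey, d, s string, hdrs map[string]string, h []string, body string) string {
	val := "v=1; a=ed25519-sha256; c=relaxed/relaxed; d=" + d + "; s=" + s + "; h=" + strings.Join(h, ":") + "; bh=" + BodyHash(body) + "; b="
	return val + base64.StdEncoding.EncodeToString(ed25519.Sign(priv, headerHash(hdrs, h, val)))
}
// Verify is the receiver side: bh= must match the body, and b= must verify under the domain's public key.
func Verify(pub ed25519.PublicKey, dkim string, hdrs map[string]string, body string) bool {
	tags := map[string]string{}
	for _, m := range tagRe.FindAllStringSubmatch(dkim, -1) { // split "k=v; k=v" into tags
		tags[m[1]] = m[2]
	}
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	return err == nil && tags["bh"] == BodyHash(body) && ed25519.Verify(pub, headerHash(hdrs, strings.Split(tags["h"], ":"), dkim), sig)
}
```

Any change to the body or to a signed header (From, for instance) after signing makes Verify return false, as does checking under a key other than the one the selector points to.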

Registration of DKIM record in the ArvanCloud panel

To register a sample record in the ArvanCloud panel, select the domain in the user panel, click on DNS records, and create a new TXT record.

Setting records using API:


Bind Format of the specified record:


Dig command output: