Understanding DomainKeys Identified Mail (DKIM)

Overview

DKIM provides for two distinct operations, signing and verifying. Either of them can be handled by a module of a mail transfer agent (MTA). The signing organization can be a direct handler of the message, such as the author, the submission site or a further intermediary along the transit path, or an indirect handler such as an independent service that is providing assistance to a direct handler. Signing modules insert one or more DKIM-Signature: header fields, possibly on behalf of the author organization or the originating service provider. Verifying modules typically act on behalf of the receiver organization, possibly at each hop.

The need for this type of validated identification arose because spam often has forged addresses and content. For example, a spam message may claim to be from sender@example.com, although it is not actually from that address or domain or entity, and the spammer’s goal is to convince the recipient to accept and to read the email. It is difficult for recipients to establish whether to trust or distrust any particular message or even domain, and system administrators may have to deal with complaints about spam that appears to have originated from their systems but did not. DKIM specification allows signers to choose which header fields they sign, but the From: field must always be signed. DKIM allows the signer (author organization) to communicate which emails it considers legitimate. It does not directly prevent or disclose abusive behavior. This ability to distinguish legitimate mail from potentially forged mail has benefits for recipients of e-mail as well as senders.

DKIM is independent of Simple Mail Transfer Protocol (SMTP) routing aspects in that it operates on the transported mail’s header and body, not the SMTP envelope. Hence the DKIM signature survives basic relaying across multiple MTAs.

How it works

DomainKeys_Identified_Mail_(DKIM)

The DKIM-Signature header field consists of a list of tag=value parts. Tags are short, usually only one or two letters. The most relevant ones are b for the actual digital signature of the contents (headers and body) of the mail message, bh for the body hash, d for the signing domain, and s for the selector. The default parameters for the authentication mechanism are to use SHA-256 as the cryptographic hash and RSA as the public key encryption scheme, and encode the encrypted hash using Base64.

Both header and body contribute to the signature. First, the message body is hashed, always from the beginning, possibly truncated at a given length (which may be zero). Second, selected header fields are hashed, in the order given by h. Repeated field names are matched from the bottom of the header upward, which is the order in which Received: fields are inserted in the header. A non-existing field matches the empty string, so that adding a field with that name will break the signature. The DKIM-Signature: field of the signature being created, with bh equal to the computed body hash and b equal to the empty string, is implicitly added to the second hash, albeit its name must not appear in h —if it does, it refers to another, preexisting signature. For both hashes, text id canonicalized according to the relevant c algorithms. The result is b. Algorithms, fields, and body length are meant to be chosen so as to assure unambiguous message identification while still allowing signatures to survive the unavoidable changes which are going to occur in transit. No data integrity is implied.

The receiving SMTP server uses the domain name and the selector to perform a DNS lookup. For example, given the signature

DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=brisbane;
 c=relaxed/simple; q=dns/txt; l=1234; t=1117574938; x=1118006938;
 h=from:to:subject:date:keywords:keywords;
 bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
 b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ
 VoG4ZHRNiYzR

A verifier queries the TXT resource record type of brisbane._domainkey.example.net. Here, example.net is the author domain to be verified against (in the d field), brisbane is a selector given in the s field while _domainkey is a fixed part of the protocol. There are no CAs nor revocation lists involved in DKIM key management, and the selector is a straightforward method to allow signers to add and remove keys whenever they wish—long lasting signatures for archival purposes are outside DKIM’s scope. Some more tags are visible in the example:

  • v is the version,
  • a is the signing algorithm,
  • d is the domain,
  • s is the selector,
  • c is the canonicalization algorithm(s) for header and body,
  • q is the default query method,
  • l is the length of the canonicalized part of the body that has been signed,
  • t is the signature timestamp,
  • x is its expire time, and
  • h is the list of signed header fields, repeated for fields that occur multiple times.

The data returned from the query is also a list of tag-value pairs. It includes the domain’s public key, along with other key usage tokens and flags. The receiver can use this to then decrypt the hash value in the header field and at the same time recalculate the hash value for the mail message (headers and body) that was received. If the two values match, this cryptographically proves that the mail was signed by the indicated domain and has not been tampered with in transit.

Signature verification failure does not force rejection of the message. Instead, the precise reasons why the authenticity of the message could not be proven should be made available to downstream and upstream processes. Methods for doing so may include sending back an FBL message, or adding an Authentication-Results header field to the message.

Advantages

The primary advantage of this system for e-mail recipients is it allows the signing domain to reliably identify a stream of legitimate email, thereby allowing domain-based blacklists and whitelists to be more effective. This is also likely to make certain kinds of phishing attacks easier to detect.

There are some incentives for mail senders to sign outgoing e-mail:

  • It allows a great reduction in abuse desk work for DKIM-enabled domains if e-mail receivers use the DKIM system to identify forged e-mail messages claiming to be from that domain.
  • The domain owner can then focus its abuse team energies on its own users who actually are making inappropriate use of that domain.

Use with spam filtering

DKIM is a method of labeling a message, and it does not itself filter or identify spam. However, widespread use of DKIM can prevent spammers from forging the source address of their messages, a technique they commonly employ today. If spammers are forced to show a correct source domain, other filtering techniques can work more effectively. In particular, the source domain can feed into a reputation system to better identify spam. Conversely, DKIM can make it easier to identify mail that is known not to be spam and need not be filtered. If a receiving system has a whitelist of known good sending domains, either locally maintained or from third party certifiers, it can skip the filtering on signed mail from those domains, and perhaps filter the remaining mail more aggressively.

Anti-phishing

DKIM can be useful as an anti-phishing technology. Mailers in heavily phished domains can sign their mail to show that it is genuine. Recipients can take the absence of a valid signature on mail from those domains to be an indication that the mail is probably forged. The best way to determine the set of domains that merit this degree of scrutiny remains an open question. DKIM used to have an optional feature called ADSP that lets authors that sign all their mail self-identify, but it was demoted to historic status in November 2013. Instead, DMARC can be used for the same purpose and allows domains to self-publish which techniques (including SPF and DKIM) they employ, which makes it easier for the receiver to make an informed decision whether a certain mail is spam or not. Using DMARC, GMail for example rejects all emails from eBay and PayPal that are not authenticated.

Compatibility

Because it is implemented using DNS records and an added header field, DKIM is compatible with the existing e-mail infrastructure. In particular, it is transparent to existing e-mail systems that lack DKIM support.

This design approach also is compatible with other, related services, such as the S/MIME and OpenPGP content-protection standards. DKIM is compatible with the DNSSEC standard and with SPF.

Protocol overhead

DKIM requires cryptographic checksums to be generated for each message sent through a mail server, which results in computational overhead not otherwise required for e-mail delivery. This additional computational overhead is a hallmark of digital postmarks, making sending bulk spam more (computationally) expensive. This facet of DKIM may look similar to hashcash, except that the receiver side verification is not a negligible amount of work.

Weaknesses

DKIM signatures do not encompass the message envelope, which holds the return-path and message recipients. Since DKIM does not attempt to protect against mis-addressing, this does not affect its utility. A concern for any cryptographic solution would be message replay abuse, which bypasses techniques that currently limit the level of abuse from larger domains. Replay can be inferred by using per-message public keys, tracking the DNS queries for those keys and filtering out the high number of queries due to e-mail being sent to large mailing lists or malicious queries by bad actors. For a comparison of different methods also addressing this problem see e-mail authentication.

Arbitrary forwarding

As mentioned above, authentication is not the same as abuse prevention. An evil email user of a reputable domain can compose a bad message and have it DKIM-signed and sent from that domain to any mailbox from where he can retrieve it as a file, so as to obtain a signed copy of the message. Use of the l tag in signatures makes doctoring such messages even easier. The signed copy can then be forwarded to a million recipients, for example through a botnet, without control. The email provider who signed the message can block the offending user, but cannot stop the diffusion of already-signed messages. The validity of signatures in such messages can be limited by always including an expiration time tag in signatures, or by revoking a public key periodically or upon a notification of an incident. Effectiveness of the scenario can hardly be limited by filtering outgoing mail, as that implies the ability to detect if a message might potentially be useful to spammers.

Content modification

DKIM currently features two canonicalization algorithms, simple and relaxed, neither of which is MIME-aware. Mail servers can legitimately convert to a different character set, and often document this with X-MIME-Autoconverted header fields. In addition, servers in certain circumstances have to rewrite the MIME structure, thereby altering the preamble, the epilogue, and entity boundaries, any of which breaks DKIM signatures. Only plain text messages written in us-ascii, provided that MIME header fields are not signed, enjoy the robustness that end-to-end integrity requires.

Annotations by mailing lists

The problems might be exacerbated when filtering or relaying software makes changes to a message. Without specific precaution implemented by the sender, the footer addition operated by most mailing lists and many central antivirus solutions will break the DKIM signature. A possible mitigation is to sign only designated number of bytes of the message body. It is indicated by l tag in DKIM-Signature header. Anything added beyond the specified length of the message body is not taken into account while calculating DKIM signature. This won’t work for MIME messages.

Another workaround is to whitelist known forwarders, e.g. by SPF. For yet another workaround, it was proposed that forwarders verify the signature, modify the email, and then re-sign the message with a Sender: header. However, it should be noted that this solution has its risk with forwarded 3rd party signed messages received at SMTP receivers supporting the ADSP protocol. Thus, in practice, the receiving server still has to whitelist known message streams.

Subscribe to get new posts in your mailbox.

Leave a Reply