DomainKeys Identified Mail (DKIM) is basically used for E-mail authentication. The aim of domain keys is to detect whether emails come from their claimed domain. DomainKeys is a rapidly emerging Internet standard mainly used by Yahoo Mail as well as Gmail. Yahoo has even acquired the patents (U.S. Patent 6,986,049) for DomainKeys. Compared to the normal method of email authentication, Domain Keys offers almost end-to-end integrity from a signing Mail Transfer Agent (MTA) to a verifying MTA. The basic working of Domain Keys can be summarized as follows:
The signing MTA will insert a header named “DomainKey-Signature” that contains a digital signature of the contents of the mail message. The common authentication mechanism is to use SHA-1 as the cryptographic hash and RSA as the public key encryption scheme, encrypted hash is encoded using base64. After that the signature validation is done by retrieving the sender’s public key through the DNS. That is the receiving SMTP server uses the name of the domain from which the mail originated, the string _domainkey, and a selector from the header to perform a DNS lookup. The returned data will include the domain’s public key. The receiver can then decrypt the hash value in the header field and at the same time recalculate the hash value for the mail body that was received, from the point immediately following the “DomainKey-Signature” header. If the two values match, this cryptographically verifies that the email originated at the correct domain and has not been tampered with in transit. DomainKeys is independent of Simple Mail Transfer Protocol (SMTP) outing aspects which uses the transported mail data, header and message body.
- Domain Keys makes it easier to detect phishing attacks. Also it will be lot more easier to blacklist or whitelist the domains based on the mails they send out.
- Forged e-mail messages can be easily detected and avioded by end-user e-mail software (mail user agents), or by ISPs’ MTA.
- If the content of a genuine mail gets modified during its transit, then the signature will not be valid and message may be rejected.
- DomainKeys requires cryptographic checksums to be generated for each message sent through a mail server, which results in computational overhead not otherwise required for normal e-mail delivery.
Article Authored by Emin V
Author, Emin, is a Systems Engineer with SupportPRO. Emin specializes in Cpanel and Server Monitoring. SupportPRO offers 24X7 technical support services to Web hosting companies and service providers.