Tuesday, May 20, 2008

DKIM SIMPLIFIED ( Part 2 – Technical View)

What I will be writing here explains DKIM in the most simplified technical way. I won’t be explaining the encryption algorithm itself, but I will tell you which algorithm is used, etc. Ready? Let’s roll!

Key function of DKIM.

What sets DKIM apart from many other authentication methods is that it uses public key cryptography. According to my research, at present only the RSA algorithm is defined. Below is a diagram of the process overview.


1) The domain with DKIM implemented publishes a public key in its DNS records.

2) The sending mail server digitally signs the outgoing mail message. A lot of work happens here, so let’s look into it in a little more detail.

- The body of the message is first conformed (canonicalized) to a specification, so that harmless changes in transit do not break the signature, and then hashed, by default with SHA-256.

- The signer chooses the message header fields to be included in the signature.

- A new header called “DKIM-Signature” is created. This header contains the name of the specification the body was conformed to, the header fields chosen by the signer, the name of the signing domain, the body hash, and a selector. (A selector enables a domain to have multiple keys in use for authentication.)

- The header fields being signed and the DKIM-Signature field itself are then canonicalized and hashed.

- An RSA signature is computed on that hash, and the signature is inserted back into the DKIM-Signature field.

- The full DKIM-Signature field is then added to the header of the message, and the modified message is sent.

3) The verifier gets the public key from the alleged signer using a DNS lookup based on the domain and selector name in the DKIM-Signature header field, and uses that to verify that the signature in the message is legitimate.

4) If the authentication is successful, the MTA delivers the message to the end user’s mailbox.
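As an added example (not code from the original post), here are steps 2 and 3 above in Go’s standard library: the body hash, “relaxed” canonicalization of the chosen header fields, an RSA-SHA256 signature over those fields plus the DKIM-Signature field with an empty b= tag, and a verifier that recomputes everything and fails if the body or a signed header was altered. The domain example.com and selector sel1 are placeholders, and the DNS step is assumed away: the public key is passed in directly instead of being fetched from sel1._domainkey.example.com.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"strings"
)

type Header struct{ Name, Value string } // one message header field: name and unfolded value

// bodyHash is the bh= tag: "simple" body canonicalization (CRLF line ends, exactly one trailing CRLF), SHA-256, base64.
func bodyHash(body string) string {
	b := strings.ReplaceAll(strings.ReplaceAll(body, "\r\n", "\n"), "\n", "\r\n")
	sum := sha256.Sum256([]byte(strings.TrimRight(b, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// headerHash covers the chosen fields in "relaxed" form (lower-cased name, collapsed whitespace), then the DKIM-Signature field itself with b= empty.
func headerHash(hdrs []Header, dkimNoSig string) []byte {
	var sb strings.Builder
	for _, h := range append(hdrs, Header{"DKIM-Signature", dkimNoSig}) {
		sb.WriteString(strings.ToLower(h.Name) + ":" + strings.Join(strings.Fields(h.Value), " ") + "\r\n")
	}
	sum := sha256.Sum256([]byte(strings.TrimSuffix(sb.String(), "\r\n")))
	return sum[:]
}

// Sign builds the DKIM-Signature value and fills b= with an RSA-SHA256 signature over the header hash (result only usable when err is nil).
func Sign(priv *rsa.PrivateKey, domain, selector string, hdrs []Header, body string) (string, error) {
	var names []string
	for _, h := range hdrs {
		names = append(names, h.Name)
	}
	unsigned := "v=1; a=rsa-sha256; c=relaxed/simple; d=" + domain + "; s=" + selector + "; h=" + strings.Join(names, ":") + "; bh=" + bodyHash(body) + "; b="
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerHash(hdrs, unsigned))
	return unsigned + base64.StdEncoding.EncodeToString(sig), err
}

// Verify recomputes both hashes from the received message and checks b= with pub, the key a real verifier fetches from DNS at <selector>._domainkey.<domain>.
func Verify(pub *rsa.PublicKey, dkim string, hdrs []Header, body string) bool {
	i := strings.Index(dkim, "; b=")
	if i < 0 || !strings.Contains(dkim, "; bh="+bodyHash(body)+";") {
		return false // malformed header, or the body changed in transit
	}
	sig, err := base64.StdEncoding.DecodeString(dkim[i+4:])
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerHash(hdrs, dkim[:i+4]), sig) == nil
}
```

Because the verifier canonicalizes before hashing, a relay that rewrites line endings, drops trailing blank lines or re-wraps header whitespace does not break the signature, while any change to the body text or to a signed field such as From does.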

Isn’t it nice to know that there is such a simple and cool technology around?

DKIM SIMPLIFIED Part 1 of 2

DKIM SIMPLIFIED ( Part 1 – Introduction/Functional understanding)

Hope you guys have a good understanding of the video posted previously. I am also hoping that I understood it well enough not to mess up the summary write-up here. I will do a summary with an introduction, then the functional and technical overview.

Introduction

DomainKeys Identified Mail (DKIM) is a signature/cryptography-based authentication technology built on Yahoo!’s DomainKeys e-mail authentication technology and Cisco’s Identified Mail. DKIM gives the recipient of a mail a better way of checking the authenticity of its source. Besides DKIM, there are also Sender Policy Framework (SPF), Sender ID, etc., but SPF and Sender ID are path based, while DKIM is the main cryptography-based authentication method. DKIM uses a private and a public key for verification, which is the key difference from the other technologies. Because only the domain holds the private key, it is not possible for a spammer or unauthorized person to steal the identity of that domain. It is important to know that DKIM works on the domain portion and does not verify who is sending the mail behind the domain.

Functional Overview

It is relatively simple to understand how DKIM works. Take the example below:
John sends Mary a mail. In the mail, he attaches a public key. When Mary receives the mail, she uses the public key to verify it against the private key. Since it is a private key, only John has it, and only if the two keys match each other is it proven that the mail was indeed sent by John. If the mail has been tampered with in transit, or if the public key does not match the private key, the receiving MTA checking the DKIM signature will discard the mail.

The benefits of deploying DKIM are huge, and one important reason for the rapid increase in the use of DKIM is that it is free! With the increasing number of organizations and companies using DKIM, users see less spam in their inbox, as it is dropped before being processed by the mail server. This also helps improve the performance of the mail server and reduce network traffic. With DKIM, spammers have a hard time spoofing the identity of a sender domain, and the integrity of the mail received is also maintained.

(End Part 1 of 2)

Sunday, May 18, 2008

DKIM - Explained..

Came across this video when I was browsing the net. Posted by googletechtalks on YouTube. I think it is nice, so I thought of sharing it.

Understanding DKIM

Take your time to view the video. I will be doing a summary write up on DKIM in my next write up.

Monday, May 12, 2008

Backscatter .... the silent weapon of spammer....

I had just done a report for one organisation showing their mail traffic, and they were impressed by the volume passing through their mail server. With a user base of just 200 +/-, the MTA was processing 11000 mails a day! Now, this is a very busy company, or is it?

The answer is "NO". In fact, out of these 11000 mails, approximately 8500 are backscatter mail, an additional 500 are spam that slipped past their anti-spam appliance, and only 2000 are legitimate mails. So what is this backscatter mail about?

Backscatter mail is basically bounced mail caused by a failure in delivery. It is also known as a "Delivery Failure Notification" or "DFN". At this point, I can see that the system and network administrators are showing worried faces. They are probably wondering whether the network has been "hacked", or whether it has become part of a zombie network blasting out thousands of mails a day and therefore producing this number of "DFN". Indeed, the next question that came from them was what is causing the large number of "DFN", and can they see which user is sending out those mails? I am sure my reply made them feel at ease.

These "DFN" are not caused by mail sent out through their network. They are caused by spammers spoofing their e-mail addresses and blasting out mail to thousands and thousands of users everywhere the Internet exists. Take for example:

Spammer A sends a mail to "Invaliduser@yourdomain.com", and in the "From" line of his message he puts "spoofemail@yourdomain.com".

What happens is that when the e-mail reaches the "Invaliduser@yourdomain.com" network, there is a high chance that it will reply with a message saying the user is invalid. When that happens, instead of returning the mail to the spammer, the mail is returned to the MX record of the domain in the spoofed address, "spoofemail@yourdomain.com".

The second reason the MTA is processing 8500 DFN is that when the DFN came in to inform "spoofemail@yourdomain.com" that the mail had failed to be sent, the anti-spam appliance did not drop the DFN mails. This is an architecture error.

What should happen here is that both the recipient and the sender networks should drop the mail for the invalid user instead of processing it. When the mail first reaches the "Invaliduser@yourdomain.com" network, the MTA should reply with a "5xx" error code and reject it. The same goes for the MTA at the "spoofemail@yourdomain.com" domain: when the DFN comes in for the user "spoofemail", the MTA should reply with a "5xx" error code to the anti-spam appliance and drop/reject the mail without processing it. MTAs should be highly encouraged to reject mail for invalid recipients instead of replying with "4xx", etc. This will help not only your network but also many other networks in the world.
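As an added example that is not from the post, this Go model replays the scenario above: a spam run addressed to unknown users with a forged sender, a receiving MTA that either accepts and bounces later or rejects at RCPT time with a 5xx, and the forged domain’s gateway receiving the resulting DFNs. Domain names, user lists and reply texts are constructed for the example; 550 5.1.1 is the standard SMTP reply for an unknown mailbox.

```go
package main

import "strings"

// Envelope is what an MTA sees in the SMTP dialogue before any message data.
type Envelope struct{ MailFrom, RcptTo string }

// MTA models one domain's inbound gateway (MX or anti-spam appliance).
type MTA struct {
	Domain       string
	Users        map[string]bool // deliverable local parts
	RejectAtRcpt bool            // validate recipients during SMTP, or accept first and bounce later
}

// IsDSN reports whether an envelope is a delivery failure notification: bounces carry the null reverse-path MAIL FROM:<>.
func IsDSN(e Envelope) bool { return strings.Trim(e.MailFrom, "<> ") == "" }

func (m MTA) knows(addr string) bool {
	user, dom, _ := strings.Cut(strings.ToLower(addr), "@")
	return dom == m.Domain && m.Users[user]
}

// Receive returns the SMTP reply to RCPT TO and, if the MTA accepted a message it cannot deliver,
// the bounce it will send to the (possibly forged) sender. A DSN for an unknown user is never re-bounced.
func (m MTA) Receive(e Envelope) (reply string, bounce *Envelope) {
	if m.knows(e.RcptTo) {
		return "250 2.1.5 Ok", nil
	}
	if m.RejectAtRcpt {
		return "550 5.1.1 <" + e.RcptTo + ">: Recipient address rejected: User unknown", nil
	}
	if IsDSN(e) {
		return "250 2.0.0 Ok: queued", nil
	}
	return "250 2.0.0 Ok: queued", &Envelope{MailFrom: "<>", RcptTo: e.MailFrom}
}

// Backscatter replays a spam run against the targeted MTAs and counts how many
// bounces the forged domain's gateway ends up accepting and processing.
func Backscatter(spam []Envelope, targets map[string]MTA, forged MTA) (accepted int) {
	for _, e := range spam {
		_, dom, _ := strings.Cut(e.RcptTo, "@")
		if _, dsn := targets[dom].Receive(e); dsn != nil {
			if reply, _ := forged.Receive(*dsn); strings.HasPrefix(reply, "250") {
				accepted++
			}
		}
	}
	return accepted
}
```

Run with the target rejecting at RCPT, no DFN is generated at all; with only the forged domain validating recipients, the DFNs addressed to non-existent users are refused before the appliance has to scan them.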

I hope this simple write-up could help some administrators out there clear their doubts about backscatter mail.