What I will be writing here is an explanation of DKIM in the most simplified technical way. I won’t be explaining the cryptographic algorithms themselves, but I will tell you which algorithm is used, and so on. Ready? Let’s roll!
Key function of DKIM.
What makes DKIM different from many other authentication methods is that it uses public key cryptography. According to my research, at present only the RSA algorithm is defined. Below is a diagram of the process overview.
2) The sending mail server digitally signs the outgoing mail message. A lot of work happens here, so let’s look into it in a little more detail.
- 1) The body of the message is canonicalized (conformed to a specification) so that modifications made in transit do not invalidate the signature, and is then hashed, by default using SHA-256.
- 2) The signer chooses the message header fields to be included in the signature.
- 3) A new header field called “DKIM-Signature” is created. This header contains the canonicalization the body was conformed to, the message header fields chosen by the signer, the name of the signing domain, the body hash, and a selector. (A selector enables a domain to have multiple keys in use for authentication.)
- 4) The header fields being signed and the DKIM-Signature field itself are then canonicalized and hashed.
- 5) An RSA signature is computed on that hash, and the signature is inserted back into the DKIM-Signature field.
- 6) The full DKIM-Signature field is then added to the header of the message, and the modified message is sent.
3) The verifier gets the public key of the alleged signer using a DNS lookup based on the domain name and selector in the DKIM-Signature header field, and uses that key to verify that the signature in the message is legitimate.
4) If the verification is successful, the MTA delivers the message to the end user’s mailbox.
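The signing and verification steps above, as an added Go example that is not part of the original post: it uses the “simple” canonicalization for body and headers, builds the DKIM-Signature field from the tags described (domain, selector, signed fields, body hash), signs with RSA-SHA256, and on the verifier side re-derives both hashes. The `lookup` callback stands in for the DNS TXT query of `<selector>._domainkey.<domain>`; header names and values are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"strings"
)

// tags splits the "k=v; k=v" tag list of a DKIM-Signature value (folding whitespace is not handled here).
func tags(sig string) map[string]string {
	m := map[string]string{}
	for _, t := range strings.Split(sig, ";") {
		k, v, _ := strings.Cut(strings.TrimSpace(t), "=")
		m[k] = strings.TrimSpace(v)
	}
	return m
}
// bodyHash is the bh= tag: "simple" canonicalization (CRLF endings, trailing blank lines dropped), then base64(SHA-256).
func bodyHash(body string) string {
	b := strings.ReplaceAll(strings.ReplaceAll(body, "\r\n", "\n"), "\n", "\r\n")
	s := sha256.Sum256([]byte(strings.TrimRight(b, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(s[:])
}
// headerHash hashes the h= fields verbatim in order, then the DKIM-Signature field itself with b= empty.
func headerHash(hdrs map[string]string, signed []string, sigNoB string) []byte {
	var s string
	for _, n := range signed {
		s += n + ": " + hdrs[n] + "\r\n"
	}
	sum := sha256.Sum256([]byte(s + "DKIM-Signature: " + sigNoB)) // no trailing CRLF on the last field
	return sum[:]
}
// Sign builds the DKIM-Signature field and fills b= with the RSA-SHA256 signature over headerHash.
func Sign(key *rsa.PrivateKey, domain, sel string, signed []string, hdrs map[string]string, body string) (string, error) {
	sig := "v=1; a=rsa-sha256; c=simple/simple; d=" + domain + "; s=" + sel + "; h=" + strings.Join(signed, ":") + "; bh=" + bodyHash(body) + "; b="
	b, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, headerHash(hdrs, signed, sig))
	return sig + base64.StdEncoding.EncodeToString(b), err
}
// Verify re-derives bh= and the header hash and checks b=; lookup stands in for the DNS query (nil = no key published).
func Verify(sig string, hdrs map[string]string, body string, lookup func(string) *rsa.PublicKey) bool {
	t := tags(sig)
	pub := lookup(t["s"] + "._domainkey." + t["d"])
	b, err := base64.StdEncoding.DecodeString(t["b"])
	if pub == nil || err != nil || t["bh"] != bodyHash(body) {
		return false
	}
	h := headerHash(hdrs, strings.Split(t["h"], ":"), strings.TrimSuffix(sig, t["b"]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h, b) == nil
}
```

Any change to a signed header field or to the body (beyond what canonicalization tolerates) makes Verify return false, as does a missing or wrong public key for the selector.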
Isn’t it nice to know that such a simple and cool technology is around?