DKIM is Not as Difficult as They Would Have You Believe
Date: 18 January 2018
If you want to guarantee the integrity of your email communications you must consider implementing DKIM (DomainKeys Identified Mail). DKIM often gets a bad rap as being too complicated to be considered an implementable email security solution, because it uses asymmetric cryptography directly. Yet not only is it incredibly simple, but when configured correctly it can guarantee the integrity of emails between sender and recipient, transparently to both parties.
What is DKIM and how does it work?
DKIM focuses on the integrity portion of the classic CIA (Confidentiality, Integrity and Availability) triad. When an email is sent from a sending email server, DKIM is achieved via the following steps:
1. During the initial configuration of DKIM, a private/public key pair is generated. The private key is stored on the sending email server and the public key is published in the sending email domain's DNS.
Sample DKIM key: k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGMjj8MVaESl30KSPYdLaEreSYzvOVh15u9YKAmTLgk1ecr4BCRq3Vkg3Xa2QrEQWbIvQj9FNqBYOr3XIczzU8gkK5Kh42P4C3DgNiBvlNNk2BlA5ITN/EvVAn/ImjoGq5IrcO+hAj2iSAozYTEpJAKe0NTrj49CIkj5JI6ibyJwIDAQAB
2. When an email is ready to be sent, the sending email server will create an MD5 hash value of the content of the email header (or header + body).
3. The MD5 hash is then encrypted using the private key being held by the sending server. The result of this encryption function is then inserted into the email.
4. The email is sent from the sending server to the recipient email server.
5. The recipient email server looks at the sending email domain and finds the public key in that domain's DNS records.
6. The encrypted hash value is decrypted with that public key and compared to a freshly computed MD5 hash of the email header (or header + body).
7. A match indicates that there has been no tampering during transmission and that the email was indeed signed by the owner of the sending domain.
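The seven steps above, as an added example that is not part of the original post, written in Go with only the standard library: it generates a key pair, builds the DNS TXT record whose p= value has the same encoding as the sample key above, signs the digest of a constructed message on the sending side and verifies it on the receiving side, including the tampered and malformed cases. It uses SHA-256 as the digest (rsa-sha256, the algorithm the DKIM specification RFC 6376 requires) rather than MD5, and a plain header+body string in place of real DKIM canonicalisation; the selector name, tag parsing and message content are assumptions for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"strings"
)

// dnsRecord builds the TXT value published at <selector>._domainkey.<domain> (step 1);
// p= is the base64 of the DER SubjectPublicKeyInfo, the same encoding as the sample key above.
func dnsRecord(pub *rsa.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// sign is the sending server's side (steps 2-3): hash header+body, sign the digest with the
// private key; the base64 result is what goes into the b= tag of the DKIM-Signature header.
func sign(priv *rsa.PrivateKey, msg string) string {
	digest := sha256.Sum256([]byte(msg))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(sig)
}

// verify is the receiving server's side (steps 5-7): pull p= out of the TXT record fetched
// from DNS, re-hash the message as received and check the signature against that digest.
func verify(record, msg, sigB64 string) bool {
	var pubB64 string
	for _, tag := range strings.Split(record, ";") {
		if kv := strings.SplitN(strings.TrimSpace(tag), "=", 2); len(kv) == 2 && kv[0] == "p" {
			pubB64 = kv[1]
		}
	}
	der, errDer := base64.StdEncoding.DecodeString(pubB64)
	sig, errSig := base64.StdEncoding.DecodeString(sigB64)
	key, errKey := x509.ParsePKIXPublicKey(der)
	pub, ok := key.(*rsa.PublicKey)
	if errDer != nil || errSig != nil || errKey != nil || !ok {
		return false // malformed record or signature is a DKIM failure, never a pass
	}
	digest := sha256.Sum256([]byte(msg))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}
```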
What are the Benefits?
DKIM provides two major benefits on its own merits.
Firstly, it can be used to guarantee the email header and body have not been tampered with by way of the MD5 hash. If the hash on the recipient server matches that which was generated by the sending server, then it is indisputable that the email has maintained its integrity.
As a second benefit, the successful decryption of that MD5 hash using a public key found in the sending email domain's DNS proves that the sending email domain is not spoofed, as the domain owner has published a corresponding article of proof by way of a DNS record.
How does this fit in with DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email security DNS tool which instructs recipient email servers on how to deal with suspected fraudulent emails.
It does this by leveraging two other types of email DNS security mechanisms, SPF (Sender Policy Framework) and DKIM. If an email fails either one of these checks, DMARC can instruct the recipient server to either accept, quarantine or reject the email, whilst reporting these actions back to a nominated email address.
DMARC takes what are defensive technologies and adds a layer of visibility and reporting.
If you would like more information about DMARC and how, when paired with DKIM, it can create a sophisticated anti-spoofing and detection tool, try our DMARC mind map.