DKIM: Everything You Need to Know About Digital Signatures
DomainKeys Identified Mail (DKIM) lets a sender associate a domain name with an email message, so that the domain takes responsibility for the message and a receiver can check that it has not been altered in transit.
A sender creates the DKIM signature by signing the email with a private key held by the sending mail transfer agent (MTA). The signature travels in a DKIM-Signature header field. Before signing, the MTA canonicalizes the message (normalizing line endings and whitespace so that harmless changes made in transit do not break verification), hashes the body, and then hashes the chosen header fields together with the DKIM-Signature field itself; it is this header hash that is signed with the private key.
The matching public key is published as a DNS TXT record under the signing domain, at selector._domainkey.domain, where selector and domain are the s= and d= values carried in the signature. After receiving the email, the recipient MTA fetches that record, uses the public key to verify the signature over the header hash, and independently recomputes the body hash and compares it with the bh= value in the signature. Nothing is “decrypted”; verification either succeeds or fails. If both checks succeed, the signed headers and the body are exactly what the signing domain vouched for. Two caveats: DKIM says nothing about whether the content is safe, and it does not by itself prove that the From: address a user sees belongs to the d= domain; checking that alignment is DMARC’s job.
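To make that flow concrete, here is an added example (not Email on Acid’s code) that signs and then verifies a constructed message with relaxed/simple canonicalization exactly as described above: the body hash goes into bh=, the header hash covers the h= fields plus the DKIM-Signature field itself, and the signature is computed over that hash. It uses a toy textbook-RSA key pair built from two known Mersenne primes so that it runs with the Python standard library alone; real signers use RSASSA-PKCS1-v1_5 or Ed25519 from a proper crypto library, and the receiver fetches the public key from DNS rather than from a variable. The message headers and body are constructed sample data.

```python
import base64
import hashlib
import re

# Added example, not Email on Acid's code. The key pair below is toy textbook
# RSA built from two known Mersenne primes so the script runs offline with the
# standard library only (Python 3.8+ for the modular inverse); real DKIM uses
# RSASSA-PKCS1-v1_5 (or Ed25519) from a proper crypto library, and the public
# key is published in DNS at <selector>._domainkey.<domain>. Never use a key
# like this for real mail.
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
N = _P * _Q                          # public modulus (what DNS would publish)
E = 65537                            # public exponent
D = pow(E, -1, (_P - 1) * (_Q - 1))  # private exponent, kept on the signing MTA

SIGNED_HEADERS = ("from", "to", "subject", "date")  # RFC 6376 requires From


def relaxed_header(name, value):
    """Relaxed header canonicalization (RFC 6376 3.4.2): lowercase the name,
    unfold, collapse runs of whitespace to one space, trim around the colon."""
    value = re.sub(r"\r?\n", "", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def simple_body(body):
    """Simple body canonicalization (RFC 6376 3.4.3): normalize line endings to
    CRLF, drop empty lines at the end of the body, and end with exactly one CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return body.rstrip("\r\n") + "\r\n"


def body_hash(body):
    """The bh= tag: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(simple_body(body).encode()).digest()).decode()


def header_digest(headers, signed, sig_value):
    """Data that is actually signed: each h= header in order (relaxed), then the
    DKIM-Signature field itself with the b= value emptied and no trailing CRLF."""
    lookup = {name.lower(): value for name, value in headers}  # assumes one instance per name
    data = "".join(relaxed_header(n, lookup[n]) for n in signed if n in lookup)
    stripped = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", sig_value)
    data += relaxed_header("DKIM-Signature", stripped)[:-2]
    return hashlib.sha256(data.encode()).digest()


def sign(headers, body, domain, selector):
    """Produce the DKIM-Signature header value for a message (the sending MTA's job)."""
    value = (f"v=1; a=rsa-sha256; c=relaxed/simple; d={domain}; s={selector}; "
             f"h={':'.join(SIGNED_HEADERS)}; bh={body_hash(body)}; b=")
    digest = int.from_bytes(header_digest(headers, SIGNED_HEADERS, value), "big")
    sig = pow(digest, D, N)
    return value + base64.b64encode(sig.to_bytes((N.bit_length() + 7) // 8, "big")).decode()


def verify(headers, body, sig_value, public_key=(N, E)):
    """The receiving MTA's check. Returns 'pass' or a failure reason using the
    Authentication-Results vocabulary (permerror / fail)."""
    tags = {}
    for item in sig_value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = v.strip()
    for required in ("v", "a", "d", "s", "h", "bh", "b"):
        if required not in tags:
            return f"permerror: missing {required}= tag"
    if tags["v"] != "1" or tags["a"] != "rsa-sha256" or tags.get("c", "simple/simple") != "relaxed/simple":
        return "permerror: unsupported version, algorithm or canonicalization"
    if tags["bh"] != body_hash(body):
        return "fail: body hash mismatch"
    digest = int.from_bytes(header_digest(headers, tags["h"].split(":"), sig_value), "big")
    n, e = public_key  # in practice fetched from <s>._domainkey.<d> over DNS
    if pow(int.from_bytes(base64.b64decode(tags["b"]), "big"), e, n) != digest:
        return "fail: signature does not verify"
    return "pass"


def demo():
    """Constructed sample message (not real mail); returns the verifier's verdicts."""
    headers = [("From", "alice@example.com"), ("To", "bob@example.net"),
               ("Subject", "DKIM demo"), ("Date", "Mon, 01 Jun 2020 12:00:00 +0000"),
               ("X-Mailer", "demo-mailer")]
    body = "Hello Bob,\r\n\r\nThe signed text.\r\n\r\n\r\n"
    sig = sign(headers, body, "example.com", "jun2005.eng")
    retitled = [(k, "Re: invoice" if k == "Subject" else v) for k, v in headers]
    remailed = [(k, "other-mailer" if k == "X-Mailer" else v) for k, v in headers]
    return {
        "intact": verify(headers, body, sig),
        "extra trailing blank lines": verify(headers, body + "\r\n\r\n", sig),
        "body edited": verify(headers, body.replace("signed", "altered"), sig),
        "signed header edited": verify(retitled, body, sig),
        "unsigned header edited": verify(remailed, body, sig),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28} {verdict}")
```

The five cases in demo() show what canonicalization buys and what it does not: extra blank lines at the end of the body and edits to a header outside h= still pass, while changing one byte of the signed body fails on bh= before any public-key work happens, and changing a signed header fails the signature itself.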
If you want to test your DKIM, Email on Acid’s spam testing tool includes a DKIM check. If you sign up for our free, seven-day trial you can try our platform today and check it out.
Does DKIM Filter Email?
No, it doesn’t. DKIM produces a verdict; what the receiving domain does with that verdict is a local policy decision. If the message verifies under a domain with a good reputation, its spam score may be reduced. If the signature cannot be verified (because the message was forged, was modified in transit, or for another reason), the message might be scored as spam and quarantined, or delivered with a warning tag added to the subject line.
Gmail, for example, has long rejected mail claiming to come from eBay.com or PayPal.com when the DKIM signature cannot be verified, because such mail is very likely a phishing attempt; DMARC is the mechanism that lets any domain owner publish that kind of reject policy for receivers to honor.
How Can I Test My DKIM?
Email on Acid offers DKIM testing as part of our spam testing suite.
You can also test DKIM by sending an email to a Gmail account. Open the email in the Gmail web app, open the menu next to the “reply” button (top right of the message), and select “Show original.” The summary at the top of that view reports DKIM as PASS together with the signing domain, and the raw headers below include the DKIM-Signature field (check its d= tag) and Gmail’s own Authentication-Results header; the message details under the sender’s name also show “signed-by:” with the domain. Make sure the reported domain is your own: a PASS for your sending vendor’s domain means their key signed the message, not yours.
What Result do I Want from DKIM?
For the most part, DKIM is binary; either it’s working and your signature can be verified (see “pass” below) or there is a problem. If your signature is working, there’s no need to read any further. If you’re experiencing errors, we have a few tips that may help you diagnose the problem.
How Can I Read the DKIM Header?
Here is an example DKIM signature (recorded as an RFC 5322, formerly RFC 2822, header field) for the signed message. It is the example from the early DKIM drafts, folded across lines as it would appear in a message:
DKIM-Signature: a=rsa-sha1; q=dns;
    d=example.com;
    s=jun2005.eng; c=relaxed/simple;
    t=1117574938; x=1118006938;
    h=from:to:subject:date;
    b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ
      VoG4ZHRNiYzR
Let’s take this piece by piece to see what it means. Each “tag” is associated with a value.
- b = the actual digital signature of the contents (headers and body) of the mail message
- bh = the body hash
- d = the signing domain
- s = the selector
- v = the version
- a = the signing algorithm
- c = the canonicalization algorithm(s) for header and body
- q = the default query method
- l = the length of the canonicalized part of the body that has been signed
- t = the signature timestamp
- x = the expire time
- h = the list of signed header fields; a name is repeated when more than one instance of that field is signed
We can see from this email that:
- The digital signature is dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR.
This is the base64-encoded signature over the header hash. Nothing is stored at the sender’s domain to compare it against; the receiver fetches the domain’s public key and verifies the signature with it. The value here is a 48-byte placeholder from the specification’s example; a real RSA signature from a 2048-bit key is 256 bytes.
- The body hash is not listed.
This example predates RFC 6376, which makes bh= mandatory; any signature you see today carries it, and the receiver compares it against the hash of the body it actually received.
- The signing domain is example.com.
This is the domain that takes responsibility for the message by signing it. It need not match the From: address.
- The selector is jun2005.eng.
The selector names which of the domain’s published keys was used: the verifier does a TXT lookup of jun2005.eng._domainkey.example.com. Selectors let a domain publish several keys at once, which is how you rotate keys or let a third-party sender sign for you without sharing your key.
- The version is not listed.
RFC 6376 requires v=1; its absence is another sign that this is an early-draft example.
- The signing algorithm is rsa-sha1.
This is the algorithm used to generate the signature. SHA-1 was retired from DKIM by RFC 8301: signers must use rsa-sha256 (or Ed25519, RFC 8463), and verifiers treat rsa-sha1 signatures as unverifiable.
- The canonicalization algorithm(s) for header and body are relaxed/simple.
“relaxed” for headers tolerates whitespace changes and case changes in header names; “simple” for the body tolerates only extra blank lines at the end. If c= is absent, simple/simple is assumed, and then almost any reformatting in transit breaks the signature.
- The default query method is DNS.
This is the method used to look up the key on the signing domain. The current form is dns/txt, and it is the only method defined.
- The length of the canonicalized part of the body that has been signed is not listed.
The signer can hash the entire body or only its first l bytes. Signing only part of the body is a known weakness: anything appended after that point is unsigned yet the message still verifies, so most signers omit l= and many verifiers distrust it.
- The signature timestamp is 1117574938.
This is when it was signed, as a Unix timestamp.
- The expire time is 1118006938.
Because a legitimately signed message can be captured and resent unchanged (a replay), a signer can set an expiry; a verifier treats a signature whose x= is in the past as failed.
- The list of signed header fields includes from:to:subject:date.
These are the fields covered by the signature; any change to them breaks it, while fields not listed (here, for example, Reply-To) can be altered freely. RFC 6376 requires From: to be signed.
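As an added example (not part of the original article), the following Python parses a DKIM-Signature value like the one above and reports what a verifier would notice before it ever touches a key: the DNS name it would query, the signed headers, the defaults for absent tags, and the problems discussed in the list (missing v= and bh=, rsa-sha1, l=, expiry, an undersized signature, From: not signed). PAGE_EXAMPLE is the article’s header with its b= value folded across lines as it would be in a real message; modern_example() is a constructed RFC 6376-style value whose bh= and b= are placeholder bytes, not a signature any signer produced. The script does not fetch keys or check the signature.

```python
import base64
import re

# Added example, not Email on Acid's code. PAGE_EXAMPLE is the signature from
# the article (the early-draft example, with its truncated b= value), folded
# the way a real header is; modern_example() is constructed with placeholder
# bh=/b= bytes and was never produced by a real signer. Nothing here talks to
# DNS or verifies a signature.
PAGE_EXAMPLE = (
    "a=rsa-sha1; q=dns; d=example.com; s=jun2005.eng; c=relaxed/simple;\r\n"
    "\tt=1117574938; x=1118006938; h=from:to:subject:date;\r\n"
    "\tb=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ\r\n"
    "\t VoG4ZHRNiYzR"
)


def modern_example():
    """Constructed RFC 6376-style value with a 2048-bit-sized placeholder signature."""
    bh = base64.b64encode(b"\x00" * 32).decode()    # placeholder, not a real body hash
    b = base64.b64encode(b"\x00" * 256).decode()    # placeholder, not a real signature
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024; "
            f"h=from:to:subject:date:mime-version; bh={bh}; b={b}")


def parse_tags(value):
    """Split a (possibly folded) DKIM-Signature value into a tag dict. Folding
    whitespace may appear inside any tag value, so it is stripped from b= and
    bh= before base64 decoding; other values are trimmed at both ends."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        name, val = item.split("=", 1)
        name, val = name.strip(), val.strip()
        tags[name] = re.sub(r"\s+", "", val) if name in ("b", "bh") else val
    return tags


def inspect_signature(value, now):
    """Summarize a DKIM-Signature value and list what a verifier would object to.
    `now` is the verifier's clock as a Unix timestamp, passed in for determinism."""
    t = parse_tags(value)
    findings = []
    if t.get("v") != "1":
        findings.append("v= missing or not 1: RFC 6376 requires v=1, so this is a pre-RFC draft signature")
    if "bh" not in t:
        findings.append("bh= missing: RFC 6376 requires a body hash")
    if t.get("a") == "rsa-sha1":
        findings.append("a=rsa-sha1: RFC 8301 retired SHA-1; verifiers treat it as unverifiable, sign with rsa-sha256")
    if "l" in t:
        findings.append(f"l={t['l']}: only the first {t['l']} body bytes are signed; anything appended after them is unsigned")
    if "x" in t and int(t["x"]) < now:
        findings.append("x= is in the past: the signature has expired")
    if "t" in t and "x" in t and int(t["x"]) <= int(t["t"]):
        findings.append("x= is not later than t=: the signature was expired when created")
    sig_bytes = len(base64.b64decode(t["b"])) if "b" in t else 0
    if sig_bytes < 128:
        findings.append(f"b= is {sig_bytes} bytes: an RSA key below the 1024-bit floor of RFC 8301, or a truncated example")
    for must in ("d", "s", "h", "b"):
        if must not in t:
            findings.append(f"{must}= missing: required tag, a verifier returns permerror")
    if "from" not in t.get("h", "").lower().split(":"):
        findings.append("From: is not in h=: RFC 6376 requires it to be signed")
    return {
        "key_record": f"{t.get('s', '?')}._domainkey.{t.get('d', '?')}",  # TXT name the verifier queries
        "signed_headers": t.get("h", "").split(":"),
        "canonicalization": t.get("c", "simple/simple"),  # default when c= is absent
        "query_method": t.get("q", "dns/txt"),            # default when q= is absent
        "signature_bytes": sig_bytes,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, value in (("page example", PAGE_EXAMPLE), ("modern", modern_example())):
        report = inspect_signature(value, now=1117574938 + 3600)
        print(label, report["key_record"], report["signature_bytes"], "bytes")
        for finding in report["findings"]:
            print("  -", finding)
```

Run against the article’s header with a clock one hour after t=, the report names jun2005.eng._domainkey.example.com as the record to fetch and flags the missing v= and bh=, the SHA-1 algorithm and the 48-byte signature; move the clock past x= and the expiry finding appears as well. The constructed modern value comes back with no findings, which is what a well-formed current signature looks like before the key lookup and signature check that this script deliberately leaves out.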
What Do the Results of My Email on Acid DKIM Test Mean?
The possible results for your DKIM test are:
- pass = ‘The message was signed, the signature or signatures were acceptable, and the signature(s) passed verification tests.’
This is the result you want to see. Everything worked perfectly.
- fail = ‘The message was signed and the signature or signatures were acceptable, but they failed the verification test(s).’
The message carried a well-formed signature, but either the body hash in bh= did not match the body as received or the signature did not verify under the domain’s published public key. The usual cause is modification in transit, for example a mailing list adding a footer or a gateway re-encoding the body, rather than a forgery.
- none = ‘The message was not signed’
This means that the message had no DKIM signature. This is not the same as failing.
- policy = ‘The message was signed but the signature or signatures were not acceptable.’
The signature itself was fine, but some aspect of it is not acceptable to the receiving domain’s own policy, for example an expired signature or a key it considers too weak. Receivers can be more or less strict about what they accept.
- neutral = ‘The message was signed but the signature or signatures contained syntax errors or were not otherwise able to be processed.’
The message was signed, but the signature could not be processed, typically because the header is malformed. This usually points to a configuration error on the sending side.
- temperror = ‘The message could not be verified due to some error that is likely transient in nature, such as a temporary inability to retrieve a public key. A later attempt may produce a final result.’
This error indicates that there was a short-term problem verifying the signature. Feel free to try again. Repeated problems with this may indicate a DNS or lookup failure on the sending domain.
- permerror = ‘The message could not be verified due to some error that is unrecoverable, such as a required header field being absent. A later attempt is unlikely to produce a final result.’
Something the verifier needs was missing or unusable: a required tag absent from the DKIM-Signature header, a public key record that does not exist or cannot be parsed, or a signature damaged after it was generated. Retrying will not help; fix the signer or the DNS record.
Test Your Email
Making changes to your DKIM signature or modifying how you send emails can have an adverse effect on how your email displays. That’s why it’s important to test your email before you hit “send.” With Email on Acid, you can start testing today with our free, seven-day trial.
Author: Email on Acid
The Email on Acid blog is on a mission to share email best practices, industry news, and solutions to the most annoying email client bugs. Plus, we like to have a little fun along the way. Learn how to join the party and contribute to our blog.