DNS /

DomainKeys Identified Mail

Introduction

DomainKeys Identified Mail (DKIM) is used to detect if an e-mail is spoofed (forged). It's used to prevent spam and phishing. Signing your mail with DKIM will help detect spam that pretends to come from your domain. It also ensures that your letters pass spam filter checks. Otherwise, letters you send may not end up in the inbox.

An email is signed with a private key. This allows the receiver to check if the email comes from the domain it claims to be from. The receiver looks up the sender's public key in the domain's DNS record. A valid signature guarantees that the sending mail server has access to the private key and that the email body has not been tampered with during transit.

DKIM, SPF, and DMARC are designed to work together.

DKIM Header

In our setup, the mail server will sign the message with its private key. Here is what the DKIM header looks like:

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=mail; bh=gVJEBqfjoVwtQhV
        vV3FHh0UQBW0m9unTpuaaGORFGKI=; h=subject:date:from;
        d=example.com; b=Jv/9zpB2AJGosO4/uYlZxFEm1UFOTy56JBi/nhsjg
        Am5Qe+rkuKYru5mSqvP01ii/sQRI4exNbG/S8ihdcEXsr5fr8yK4IvLkY8jO5O0xMhblyS
        PbFGMw7SW2AwLWu95OyHK5teZPzE/SS5U39Zlqs7tS1m8iZo2tPBa70t9204na8/eOT6N7
        8IzNIfRHJfF4dNGVX61t9xknkcJrJdC6npO0l4MVTky66safTbcCjlM6JihbUd5j4uOU5I
        WREE02CLQKWg5c/UnjQQ96Dt308f2RvxeWA6P8hxsjD/FLDIR2U1ZEQyo7k03KCJbdRVw8
        IHJTdENGGL3p7aM1v8wdg==
TagIndicatesExample
vversionv=1
aalgorithma=rsa-sha256
ddomaind=example.com
sselectors=mail
ccanonicalization algorithmc=simple/simple
hheader fieldsh=subject:date:from
bhbody hashbh=gVJEBqfjoVwtQhVvV3FHh0UQBW0m9unTpuaaGORFGKI=
bsignatureb=Jv/9zpB2AJGosO4/uYlZxFEm1UFOTy56JBi/nhsjgAm5Qe+rku
KYru5mSqvP01ii/sQRI4exNbG/S8ihdcEXsr5fr8yK4IvLkY8j
O5O0xMhblySPbFGMw7SW2AwLWu95OyHK5teZPzE/SS5U39Zlqs
7tS1m8iZo2tPBa70t9204na8/eOT6N78IzNIfRHJfF4dNGVX61
t9xknkcJrJdC6npO0l4MVTky66safTbcCjlM6JihbUd5j4uOU5
IWREE02CLQKWg5c/UnjQQ96Dt308f2RvxeWA6P8hxsjD/FLDIR
2U1ZEQyo7k03KCJbdRVw8IHJTdENGGL3p7aM1v8wdg==

Tip: Many mail clients let you view the mail headers in the email you receive. If you display all headers, you can see the DKIM header.

A receiving SMTP server will perform a DNS lookup based on the domain name and selector. In the example above, it will look up the TXT record of mail._domainkey.example.com. This TXT record returned should look like below:

"k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDmzRmJRQxLEuyYiyMg4suA2Sy
MwR5MGHpP9diNT1hRiwUd/mZp1ro7kIDTKS8ttkI6z6eTRW9e9dDOxzSxNuXmume60Cjbu08gOyhPG3
GfWdg7QkdN6kR4V75MFlw624VY35DaXBvnlTJTgRg/EW72O1DiYVThkyCgpSYS8nmEQIDAQAB"

Security Notes

DKIM-signatures can be used to prove that a mail server sent a letter.

Note that DKIM does not provide end-to-end integrity. For this, both sender and receiver will need to use PGP?.

OpenSMTPd and DKIM

For OpenSMTPd to sign its mail with DKIM, you will need to create a public and private DKIM key:

$ doas useradd -s /sbin/nologin -d /var/empty -g _dkimsign -G _smtpd _dkimsign
$ openssl genrsa -out private.key 1024
$ openssl rsa -in private.key -pubout -out public.key
$ chmod og-rwx private.key
$ chmod og-wx public.key
$ chmod u-w public.key private.key
$ doas mkdir /etc/mail/dkim
$ doas mv private.key public.key /etc/mail/dkim/
$ doas chown -R _smtpd:_dovecot /etc/mail/dkim/

We then create a DKIM record by taking the public key, removing the first and last line, then joining all the lines together:

$ doas cat /etc/mail/dkim/public.key | awk '/-----/{if (NR!=1)print "";next}{printf $0}' -

Running this command on public.key should produce text like the following:

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmseF9Dm8Dx1LtmLMD56d628JBNaQus8aEcdYYzvBVQ4rhetZzv/ZMafjTEf2RLoOQ+pb7pqL4G86lCZSF+Eeu2ODWQQGYqGVV0xUK5QJSnsGF5UKKscrxmTHSPPtoAQJt25fxNd3PtvH2ZonAGkZkntk+u6Wn5xxlI9hMOVxLUwIDAQAB

This key should go into the DKIM DNS records:

_adsp._domainkey   86400   IN      TXT     "dkim=discardable;"
mail._domainkey   86400   IN      TXT     "k=rsa; t=s; p=<public key>"

The final result should look like this:

_adsp._domainkey   86400   IN      TXT     "dkim=discardable;"
mail._domainkey   86400   IN      TXT     "k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmseF9Dm8Dx1LtmLMD56d628JBNaQus8aEcdYYzvBVQ4rhetZzv/ZMafjTEf2RLoOQ+pb7pqL4G86lCZSF+Eeu2ODWQQGYqGVV0xUK5QJSnsGF5UKKscrxmTHSPPtoAQJt25fxNd3PtvH2ZonAGkZkntk+u6Wn5xxlI9hMOVxLUwIDAQAB"