DomainKeys Identified Mail (DKIM)
Q.Explain DKIM?
Ans:DomainKeys Identified Mail (DKIM) is a method for associating a domain name with an email message, thereby allowing a person, role, or organization to claim some responsibility for the message. The organization is a handler of the message, either as its originator or as an intermediary. Technically, DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication. DKIM attaches a new domain name identifier to a message (the d= tag of the signature) and uses cryptographic techniques to validate authorization for its presence. The identifier is independent of any other identifier in the message, such as the domain in the author's From: field; whether the two agree is a separate question that DMARC, not DKIM itself, answers.
DKIM defines an authentication mechanism for email, using:
a.A domain name identifier
b.Public-key cryptography
c.A DNS-based public key publishing service.
An agent in the message transit path can sign the message body and selected header fields. The signature is placed in a DKIM-Signature field of the RFC 2822 (now RFC 5322) message header. Validation of the signature by a later agent in the path demonstrates that the signing identity took responsibility for the message. There are also mechanisms for publishing formal assertions about the signature or the message, which publicly record the signing organization's message signing practices (the original such mechanism, ADSP, is now historic; DMARC serves this purpose today).
Q.How DKIM works ?
Ans:DKIM allows a signer to attach a digital signature to each message that is being sent. Any verifier receiving a message can easily determine whether the domain that claimed to have signed the message actually did. For example, if you receive a message that has a valid signature from your bank, you can be quite certain that your bank actually did sign that message, provided the verifier checks that the signing domain (d=) is the bank's domain and not merely some other domain that signed the message. The signature can also be used to validate that the signed contents of the message have not been altered since it was signed.
The underlying technology is called public key cryptography (you may also see this called "asymmetric cryptography").
Here we have two keys, called the public key and the private key. The private key is used to sign the message, and it must be kept secret: anyone who obtains it can sign as the domain. The public key can only be used to verify the signature, and hence can be widely published. Someone having only the public key cannot create a false signature. A signer simply signs messages using its private key and publishes the public key using DNS (the existing Internet system used to convert domain names to numerical addresses, allowing you to type in "eduinkerala.com" rather than its IP address).
The signature itself is included in the header of the message (the portion at the top which includes the sender name, the date of the message, and the message subject). Most end users won't even see this header field.
Sending Servers
There are three steps to signing an email with DKIM:
1.The domain owner generates a public/private key pair to be used for signing outgoing messages (multiple key pairs are allowed, each identified by its own selector).
2.The public key is published in a DNS TXT record at selector._domainkey.domain, and the private key is made available to the DKIM-enabled outbound email server (and to nothing else).
3.When an email is sent by an authorized user of the email server, the server uses the stored private key to generate a digital signature over the canonicalized body and the selected header fields, inserts it in the message as a DKIM-Signature header, and sends the email as normal.
Receiving Servers
1.The DKIM-enabled receiving email server extracts the DKIM-Signature header and reads the signing domain (d=) and selector (s=) from it.
2.The public key is retrieved from DNS by querying the TXT record at selector._domainkey.signing-domain.
3.The public key is used by the receiving mail system to verify that the signature was generated by the matching private key. A match proves that the message was signed by a holder of the claimed domain's private key and that the signed header fields and the body have not been altered since signing. It does not by itself prove that the signing domain matches the From: domain; that alignment check is DMARC's job.
The receiving email system applies local policy based on the result of the signature check. For example, the message might be quarantined or rejected if the signature fails, although RFC 6376 recommends that a message with an unverifiable signature be treated as if it were unsigned rather than rejected outright; the sender's published DMARC policy, if any, is what tells the receiver how to handle failures.
Q.Who validates the DKIM signature?
Ans:After a message has been signed, any agent in the message transit path can choose to validate the signature. Typically, validation will be done by an agent in the ADMD (Administrative Management Domain) of the message recipient, for example the inbound mail server or a filtering component. Again, this may be done by any functional component within that environment. Notably, this means that the signature can be used by the recipient ADMD's filtering software, rather than requiring the recipient end-user to make an assessment.
Q.What is a DKIM "selector"?
Ans:A selector is added to the domain name, and is used to find the DKIM public key information. It is specified as an attribute of a DKIM signature and is recorded as the s= tag in the DKIM-Signature header field.
Validation uses the selector as an additional name component, giving different DNS query names. There are different DKIM DNS records associated with different selectors under the same domain name, which lets a domain publish several keys at once and rotate them without downtime.
For example:
edu._domainkey.eduinkerala.com (selector edu, domain eduinkerala.com; the verifier queries the TXT record at this name)
Q.How is a DKIM signature recorded in a message?
Ans:A DKIM signature is recorded as a header field (RFC 2822, now RFC 5322) of the signed message, named DKIM-Signature, whose value is a list of tag=value pairs separated by semicolons.
For example:
DKIM-Signature: a=rsa-sha1; q=dns;
    d=example.com;
    i=user@eng.example.com;
    s=jun2005.eng; c=relaxed/simple;
    t=1117574938; x=1118006938;
    h=from:to:subject:date;
    b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSb
     av+yuU4zGeeruD00lszZVoG4ZHRNiYzR
Here a= is the signing algorithm, d= the signing domain, s= the selector (so the verifier queries jun2005.eng._domainkey.example.com), i= the agent or user on whose behalf the message was signed (it must be d= or a subdomain of it), c= the header/body canonicalization, t= and x= the signing and expiry timestamps, h= the signed header fields (From must always be included) and b= the base64 signature. This example predates the final RFC 4871/RFC 6376 format, which also requires a v=1 version tag and a bh= body hash tag, and a=rsa-sha1 is now prohibited: RFC 8301 requires rsa-sha256 and keys of at least 1024 bits.
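Parsing the header above and deriving the key record name from its selector and domain (the selector question earlier on this page), as an added example in Python; this is not code from the original page or from any DKIM library. The header text is the page's own example with the colon restored and folded as it would appear in a message; the audit checks are mine and reflect RFC 6376 tag requirements and the RFC 8301 algorithm update, not anything the page states about this particular message.

```python
# Added example, not the page's or any project's code. Stdlib only.
import re

# The page's example header, folded onto continuation lines as in a real message.
EXAMPLE = (
    "DKIM-Signature: a=rsa-sha1; q=dns;\r\n"
    " d=example.com;\r\n"
    " i=user@eng.example.com;\r\n"
    " s=jun2005.eng; c=relaxed/simple;\r\n"
    " t=1117574938; x=1118006938;\r\n"
    " h=from:to:subject:date;\r\n"
    " b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSb\r\n"
    "  av+yuU4zGeeruD00lszZVoG4ZHRNiYzR"
)

REQUIRED = ("v", "a", "b", "bh", "d", "h", "s")  # required tags per RFC 6376 s.3.5

def parse_tag_list(field):
    """Unfold a DKIM-Signature field and split its tag=value list (RFC 6376 s.3.2)."""
    name, _, value = field.partition(":")
    if name.strip().lower() != "dkim-signature":
        raise ValueError("not a DKIM-Signature field")
    value = re.sub(r"\r\n[ \t]+", " ", value)  # unfold continuation lines
    tags = {}
    for item in value.split(";"):
        if not item.strip():
            continue
        tag, _, val = item.partition("=")  # base64 values may contain '=' padding
        tag, val = tag.strip(), val.strip()
        if tag in ("b", "bh"):
            val = re.sub(r"\s+", "", val)  # folding whitespace is allowed inside base64
        if tag in tags:
            raise ValueError(f"duplicate tag {tag}")
        tags[tag] = val
    return tags

def key_record_name(tags):
    """DNS name whose TXT record the verifier fetches: selector._domainkey.domain."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def audit(tags, now):
    """Policy findings a verifier would raise before any cryptography; empty list = acceptable."""
    findings = []
    for tag in REQUIRED:
        if tag not in tags:
            findings.append(f"missing required tag {tag}=")
    if tags.get("a") == "rsa-sha1":
        findings.append("a=rsa-sha1 is prohibited by RFC 8301; use rsa-sha256")
    if "from" not in tags.get("h", "").lower().split(":"):
        findings.append("h= must include From")
    if "x" in tags and now > int(tags["x"]):
        findings.append("signature expired (x= in the past)")
    if "t" in tags and "x" in tags and int(tags["x"]) < int(tags["t"]):
        findings.append("x= earlier than t=")
    if "i" in tags:
        idom = tags["i"].rpartition("@")[2].lower()
        d = tags.get("d", "").lower()
        if not (idom == d or idom.endswith("." + d)):
            findings.append("i= domain is not d= or a subdomain of it")
    return findings

if __name__ == "__main__":
    import time
    t = parse_tag_list(EXAMPLE)
    print(key_record_name(t))
    for f in audit(t, now=int(time.time())):
        print("finding:", f)
```

Run against the page's header, the audit reports the missing v= and bh= tags, the prohibited rsa-sha1 algorithm and, for any current clock, an expired signature (x= is in June 2005); the same header audited at a time between t= and x= is not flagged as expired. Everything else in it (i= under d=, From in h=) passes.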