DomainKeys Identified Mail

From Seo Wiki - Search Engine Optimization and Programming Languages


DomainKeys Identified Mail (DKIM) is a method for email authentication that allows an organization to take responsibility for a message in a way that can be validated by a recipient. The organization can be a direct handler of the message, such as the author, the originating sending site or an intermediary along the transit path; or an indirect handler, such as an independent service that is providing assistance to a direct handler. The need for this type of authentication originally arose because spam often has forged content. For example, a spam message may claim in its "From:" header field to come from a domain it did not in fact come from, the spammer's goal being to convince the recipient to accept and read the email. Because the email is not from that domain, complaining to it is not useful. It also becomes difficult for recipients to establish whether to trust or distrust any particular domain, and system administrators may have to deal with complaints about spam that appears to have originated from their systems but did not.

DKIM uses public-key cryptography to allow the signer to electronically sign legitimate emails in a way that can be verified by recipients. Prominent email service providers implementing DKIM include Yahoo, Gmail, and FastMail. Any mail from these organizations should carry a DKIM signature.[1][2][3][4]

DKIM also guards against tampering with mail, offering end-to-end integrity from a signing module to a verifying module, such as a mail transfer agent (MTA). In most cases the signing module acts on behalf of the author organization by inserting a DKIM-Signature header field, and the verifying module on behalf of the receiver organization, validating the signature by retrieving a signer's public key through the DNS.

DKIM, as stated by the DKIM Organization's homepage, is the result of merging DomainKeys and Identified Internet Mail. This merged specification has been the basis for an IETF Working Group which has produced a series of standards-track specifications and support documents.



DKIM is a method of e-mail authentication. Unlike some other methods, it offers end-to-end integrity from a signing module to a verifying module, such as a Mail Transfer Agent (MTA). In most cases the signing module acts on behalf of the sender organization and the verifying module on behalf of the receiver organization. DomainKeys is specified in Historic RFC 4870, which is obsoleted by Standards Track RFC 4871, DomainKeys Identified Mail (DKIM) Signatures.

DKIM is independent of Simple Mail Transfer Protocol (SMTP) routing aspects in that it operates on the RFC 5322 message — the transported mail's header and body — not the SMTP envelope defined in RFC 5321.

DKIM allows the signer to distinguish its legitimate mail stream; it does not directly prevent or disclose abusive behavior. This ability to distinguish legitimate mail from potentially forged mail has benefits for recipients of e-mail as well as senders, and "DKIM awareness" is programmed into some e-mail software.

How it works

DKIM adds a header field named "DKIM-Signature" that contains a digital signature over the contents (selected headers and the body) of the mail message. The default parameters for the authentication mechanism are SHA-256 as the cryptographic hash and RSA as the public-key scheme, with the resulting signature encoded in Base64.

The receiving SMTP server combines the selector from the DKIM-Signature field, the string "_domainkey" and the name of the domain that signed the mail into a DNS name and looks it up. The returned record includes the domain's public key. The receiver uses this key to check the signature in the header field while recalculating the hash over the mail message (headers and body) as it was received. If the two match, this cryptographically proves that the mail was signed by the holder of the indicated domain's private key and has not been tampered with in transit.

Signature verification failure does not force rejection of the message. Instead, the precise reasons why the authenticity of the message could not be proven should be made available to downstream and upstream processes. Methods for doing so may include sending back an FBL (feedback loop) message, or adding an Authentication-Results header to the message as described in RFC 5451.
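The signing and verification flow described above (compute the body hash, hash the listed headers together with the signature header itself, sign with RSA, and on the receiving side build the selector._domainkey.domain name, fetch the key, recompute both hashes and check the signature), as an added Python example that is not code from this page or from any DKIM implementation. It uses only the standard library, so several things are constructed stand-ins and labelled as such in the code: the RSA key pair is a toy built from two public Mersenne primes and has no security value (real keys are random 1024- or 2048-bit keys); the DNS is a dict in place of a TXT lookup; the key record stores a raw modulus and assumes e=65537 instead of the DER SubjectPublicKeyInfo a real p= tag carries; canonicalization is a simplified relaxed/simple; and the message, the domain example.com and the selector s1 are made up. Results use the Authentication-Results vocabulary (pass, fail, permerror, none) so a failure is reported with its reason rather than silently rejected.

```python
import base64
import hashlib
import re

# Constructed toy RSA key: two public Mersenne primes, so it has NO security value.
# Real DKIM keys are random 1024/2048-bit keys; this 648-bit n only needs to be wide
# enough to carry a PKCS#1 v1.5 padded SHA-256 digest (51 bytes plus padding).
P, Q = (1 << 127) - 1, (1 << 521) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _emsa_pkcs1_v15(digest, k):
    """EMSA-PKCS1-v1_5 (RFC 8017 9.2): 00 01 FF..FF 00 DigestInfo || digest, k bytes long."""
    t = SHA256_DIGESTINFO + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_sign(digest):
    k = (N.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(digest, k), "big"), D, N).to_bytes(k, "big")


def rsa_verify(digest, sig, n, e):
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return pow(s, e, n).to_bytes(k, "big") == _emsa_pkcs1_v15(digest, k)


def parse_tags(value):
    """DKIM tag=value list (RFC 6376 3.2); whitespace inside values is dropped."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def canon_header_relaxed(name, value):
    """Relaxed header canonicalization: lowercase name, unfold, collapse whitespace."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    return name.lower() + ":" + re.sub(r"[ \t]+", " ", value).strip() + "\r\n"


def canon_body_simple(body):
    """Simple body canonicalization: drop trailing empty lines, end with exactly one CRLF."""
    return body.replace("\r\n", "\n").rstrip("\n").replace("\n", "\r\n") + "\r\n"


def body_hash(body):
    return base64.b64encode(hashlib.sha256(canon_body_simple(body).encode()).digest()).decode()


def header_hash(headers, signed_fields, sig_value):
    """SHA-256 over the h= fields (last instance of each), then the signature header with b= emptied."""
    h = hashlib.sha256()
    for field in signed_fields:
        for name, value in reversed(headers):
            if name.lower() == field.lower():
                h.update(canon_header_relaxed(name, value).encode())
                break
    stripped = re.sub(r"(;\s*)b=[^;]*", r"\1b=", sig_value)
    h.update(canon_header_relaxed("DKIM-Signature", stripped).encode().rstrip(b"\r\n"))
    return h.digest()


def dkim_sign(headers, body, domain, selector, signed_fields):
    """Return the ('DKIM-Signature', value) header to prepend to the message."""
    sig_value = "v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=" % (
        domain, selector, ":".join(signed_fields), body_hash(body))
    digest = header_hash(headers, signed_fields, sig_value)
    return ("DKIM-Signature", sig_value + base64.b64encode(rsa_sign(digest)).decode())


# Stand-in for DNS. A real record's p= is a base64 DER SubjectPublicKeyInfo; this toy
# stores the raw modulus and assumes e=65537 (constructed simplification).
FAKE_DNS = {"s1._domainkey.example.com": "v=DKIM1; k=rsa; p="
            + base64.b64encode(N.to_bytes((N.bit_length() + 7) // 8, "big")).decode()}


def dkim_verify(headers, body, dns_lookup=FAKE_DNS.get):
    """Verify the first DKIM-Signature. Returns (result, detail) in the
    Authentication-Results vocabulary: pass, fail, permerror or none."""
    sig_value = next((v for n, v in headers if n.lower() == "dkim-signature"), None)
    if sig_value is None:
        return ("none", "no DKIM-Signature header")
    tags = parse_tags(sig_value)
    if (tags.get("v"), tags.get("a"), tags.get("c")) != ("1", "rsa-sha256", "relaxed/simple"):
        return ("permerror", "unsupported version, algorithm or canonicalization")
    record = dns_lookup("%s._domainkey.%s" % (tags.get("s"), tags.get("d")))
    if record is None:
        return ("permerror", "no key record for selector/domain")
    key = parse_tags(record)
    if key.get("v", "DKIM1") != "DKIM1" or key.get("k", "rsa") != "rsa" or not key.get("p"):
        return ("permerror", "malformed or revoked key record")
    if body_hash(body) != tags.get("bh"):
        return ("fail", "body hash mismatch")
    digest = header_hash(headers, tags.get("h", "").split(":"), sig_value)
    n = int.from_bytes(base64.b64decode(key["p"]), "big")
    if not rsa_verify(digest, base64.b64decode(tags.get("b", "")), n, E):
        return ("fail", "signature does not verify")
    return ("pass", "header.d=" + tags["d"])


def demo():
    """Sign a constructed message; verify it intact, body-tampered, header-tampered and with an unknown key."""
    headers = [("From", "Alice <alice@example.com>"), ("To", "bob@example.net"),
               ("Subject", "Quarterly  report"),  # double space: relaxed canonicalization collapses it
               ("Date", "Mon, 01 Jan 2024 10:00:00 +0000")]
    body = "Please find the report attached.\r\n\r\n"
    signed = [dkim_sign(headers, body, "example.com", "s1", ["from", "to", "subject", "date"])] + headers
    return {
        "intact": dkim_verify(signed, body)[0],
        "body_tampered": dkim_verify(signed, body.replace("attached", "here"))[0],
        "subject_tampered": dkim_verify([(n, "URGENT: " + v if n == "Subject" else v) for n, v in signed], body)[0],
        "unknown_selector": dkim_verify(signed, body, dns_lookup={}.get)[0],
    }
```

Calling demo() returns pass for the untouched message, fail for both the edited body (the bh= tag no longer matches) and the edited Subject (the header hash under the signature no longer matches), and permerror when the verifier cannot find a key for the selector; a verifier would record each of these, with its detail string, in an Authentication-Results header rather than rejecting outright.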


DomainKeys was designed by Mark Delany of Yahoo! and enhanced through comments from many others.

DKIM was initially produced by an informal industry consortium and was then submitted for enhancement and standardization by the IETF DKIM Working Group, chaired by Barry Leiba and Stephen Farrell, with Eric Allman of sendmail, Jon Callas of PGP Corporation, Mark Delany and Miles Libbey of Yahoo!, and Jim Fenton and Michael Thomas of Cisco Systems attributed as primary authors.

DomainKeys is covered by U.S. Patent 6,986,049 assigned to Yahoo!, which has released DomainKeys under a dual license scheme: the traditional corporate-oriented royalty-free, nonexclusive, relicensable patent license designed to be friendly to open source and free software implementations, and under GPL 2.0 for the purpose of the DKIM IETF Working Group.

