DomainKeys Identified Mail – Wikipedia

Email authentication method designed to detect email spoofing

DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in email (email spoofing), a technique frequently used in phishing and email spam. DKIM allows the receiver to check that an email claimed to have come from a specific domain was indeed authorized by the owner of that domain. [1] It achieves this by affixing a digital signature, linked to a domain name, to each outgoing email message. The recipient system can verify this by looking up the sender's public key published in the DNS. A valid signature also guarantees that some parts of the email (possibly including attachments) have not been modified since the signature was affixed. [2] Usually, DKIM signatures are not visible to end-users, and are affixed or verified by the infrastructure rather than the message's authors and recipients.

DKIM is an Internet Standard. [3] It is defined in RFC 6376, dated September 2011, with updates in RFC 8301 and RFC 8463.

Overview

The need for email validated identification arises because forged addresses and content are otherwise easily created—and widely used in spam, phishing and other email-based fraud. [4] For example, a fraudster may send a message claiming to be from sender@example.com, with the goal of convincing the recipient to accept and to read the email—and it is difficult for recipients to establish whether to trust this message. System administrators also have to deal with complaints about malicious email that appears to have originated from their systems, but did not. [5]

DKIM provides the ability to sign a message, and allows the signer (author organization) to communicate which email it considers legitimate. It does not directly prevent or disclose abusive behavior. DKIM also provides a process for verifying a signed message. Verifying modules typically act on behalf of the receiver organization, possibly at each hop.

All of this is independent of Simple Mail Transfer Protocol (SMTP) routing aspects, in that it operates on the RFC 5322 message—the transported mail's header and body—not the SMTP "envelope" defined in RFC 5321. Hence, DKIM signatures survive basic relaying across multiple MTAs.

Technical details

Signing

The signing organization can be a direct handler of the message, such as the author, the submission site or a further intermediary along the transit path, or an indirect handler such as an independent service that is providing assistance to a direct handler. Signing modules insert one or more DKIM-Signature: header fields, possibly on behalf of the author organization or the originating service provider. The specification allows signers to choose which header fields they sign, but the From: field must always be signed. [6][7] The resulting header field consists of a list of tag=value parts as in the example below:

DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=brisbane;
     c=relaxed/simple; q=dns/txt; i=foo@eng.example.net;
     t=1117574938; x=1118006938; l=200;
     h=from:to:subject:date:keywords:keywords;
     z=From:foo@eng.example.net|To:joe@example.com|
       Subject:demo=20run|Date:July=205,=202005=203:44:08=20PM=20-0700;
     bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
     b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ
              VoG4ZHRNiYzR

Where the tags used are:

  • v (required), version
  • a (required), signing algorithm
  • d (required), Signing Domain Identifier (SDID)
  • s (required), selector
  • c (optional), canonicalization algorithm(s) for header and body
  • q (optional), default query method
  • i (optional), Agent or User Identifier (AUID)
  • t (recommended), signature timestamp
  • x (recommended), expire time
  • l (optional), body length
  • h (required), header fields – list of those that have been signed
  • z (optional), header fields – copy of selected header fields and values
  • bh (required), body hash
  • b (required), signature of headers and body

The most relevant ones are b for the actual digital signature of the contents (headers and body) of the mail message, bh for the body hash (optionally limited to the first l octets of the body), d for the signing domain, and s for the selector.

An Agent or User Identifier (AUID) can optionally be included. The format is an email address with an optional local-part. The domain must be equal to, or a subdomain of, the signing domain. The semantics of the AUID are intentionally left undefined, and may be used by the signing domain to establish a more fine-grained sphere of responsibility.

Both header and body contribute to the signature. First, the message body is hashed, always from the beginning, possibly truncated at a given length (which may be zero). Second, selected header fields are hashed, in the order given by h. Repeated field names are matched from the bottom of the header upward, which is the order in which Received: fields are inserted in the header. A non-existing field matches the empty string, so that adding a field with that name will break the signature. The DKIM-Signature: field of the signature being created, with bh equal to the computed body hash and b equal to the empty string, is implicitly added to the second hash, albeit its name must not appear in h — if it does, it refers to another, preexisting signature. For both hashes, text is canonicalized according to the relevant c algorithm. The result, after signing with the signer's private key and encoding using Base64, is b.

In addition to the list of header fields listed in h, a list of header fields (including both field name and value) present at the time of signing may be provided in z. This list need not match the list of headers in h.

Algorithms, fields, and body length are meant to be chosen so as to assure unambiguous message identification while still allowing signatures to survive the unavoidable changes which are going to occur in transit. No end-to-end data integrity is implied. [2]
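The body-hash step described above can be followed in code. This is an added example, not part of the original article or of any DKIM library: it implements the two body canonicalizations and the l= truncation with SHA-256, and the sample bodies and function names are constructed for illustration.

```python
import base64
import hashlib
import re


def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization, 'simple' or 'relaxed' (the body half of c=)."""
    lines = body.split(b"\r\n")
    if lines[-1] == b"":
        lines.pop()                      # piece after the final CRLF
    if mode == "relaxed":
        # Drop whitespace at line ends, reduce inner runs to one space.
        lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in lines]
    elif mode != "simple":
        raise ValueError("unknown canonicalization: " + mode)
    while lines and lines[-1] == b"":
        lines.pop()                      # empty lines at the end are ignored
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str = "simple", length=None) -> str:
    """Value of bh=: SHA-256 of the canonical body, cut at l= when given."""
    data = canon_body(body, mode)
    if length is not None:
        if length > len(data):
            raise ValueError("l= is larger than the canonical body")
        data = data[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def unsigned_octets(body: bytes, mode: str, length) -> int:
    """Octets of the received body that an l= signature does not cover."""
    return 0 if length is None else len(canon_body(body, mode)) - length


# Constructed sample bodies (not from the article).
ORIGINAL = b"Hi Joe,\r\n\r\nLunch  at noon?\r\n"
RESPACED = b"Hi Joe,\r\n\r\nLunch at noon? \r\n\r\n"   # relay changed whitespace
FOOTER = b"-- \r\nlist footer added in transit\r\n"
ANNOTATED = ORIGINAL + FOOTER                          # footer appended in transit

if __name__ == "__main__":
    signed_len = len(canon_body(ORIGINAL, "simple"))
    print("simple  survives respacing:",
          body_hash(RESPACED, "simple") == body_hash(ORIGINAL, "simple"))
    print("relaxed survives respacing:",
          body_hash(RESPACED, "relaxed") == body_hash(ORIGINAL, "relaxed"))
    print("l= hash unchanged by footer:",
          body_hash(ANNOTATED, "simple", signed_len) == body_hash(ORIGINAL, "simple"))
    print("octets outside the signature:",
          unsigned_octets(ANNOTATED, "simple", signed_len))
```

A verifier that reports `unsigned_octets` alongside a passing result lets downstream filters treat the uncovered tail of the body as unauthenticated.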

Verification

A receiving SMTP server wanting to verify uses the domain name and the selector to perform a DNS lookup. [8] For example, given the example signature above: the d tag gives the author domain to be verified against, example.net; the s tag the selector, brisbane. The string _domainkey is a fixed part of the specification. This gives the TXT resource record to be looked up as:

brisbane._domainkey.example.net

Note that the selector and the domain name can be UTF-8 in internationalized email. [9] In that case the label must be encoded according to IDNA before lookup. The data returned from the query of this record is also a list of tag-value pairs. It includes the domain's public key, along with other key usage tokens and flags (e.g. from a command line: nslookup -q=TXT brisbane._domainkey.example.net) as in this example:

"k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDmzRmJRQxLEuyYiyMg4suA2Sy
MwR5MGHpP9diNT1hRiwUd/mZp1ro7kIDTKS8ttkI6z6eTRW9e9dDOxzSxNuXmume60Cjbu08gOyhPG3
GfWdg7QkdN6kR4V75MFlw624VY35DaXBvnlTJTgRg/EW72O1DiYVThkyCgpSYS8nmEQIDAQAB"

The receiver can use the public key (value of the p tag) to then validate the signature on the hash value in the header field, and check it against the hash value for the mail message (headers and body) that was received. If the two values match, this cryptographically proves that the mail was signed by the indicated domain and has not been tampered with in transit.

Signature verification failure does not force rejection of the message. Instead, the precise reasons why the authenticity of the message could not be proven should be made available to downstream and upstream processes. Methods for doing so may include sending back an FBL message, or adding an Authentication-Results header field to the message as described in RFC 7001.
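The first steps of verification, before any DNS query or cryptography, can be sketched as follows. This is an added example, not code from the original article or from a DKIM implementation: it parses the article's sample signature, derives the TXT record name (IDNA-encoding the labels), and applies the structural rules stated in the Signing section. The function names and finding strings are made up for illustration.

```python
import re

REQUIRED = ("v", "a", "d", "s", "h", "bh", "b")

# Value of the example DKIM-Signature field shown in this article.
EXAMPLE_SIG = """v=1; a=rsa-sha256; d=example.net; s=brisbane;
     c=relaxed/simple; q=dns/txt; i=foo@eng.example.net;
     t=1117574938; x=1118006938; l=200;
     h=from:to:subject:date:keywords:keywords;
     z=From:foo@eng.example.net|To:joe@example.com|
       Subject:demo=20run|Date:July=205,=202005=203:44:08=20PM=20-0700;
     bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
     b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ
              VoG4ZHRNiYzR"""


def parse_tags(value):
    """Split a tag=value list into a dict, unfolding the header value."""
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue                     # empty piece after a final ';'
        name, val = part.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError("duplicate tag: " + name)
        # Folding whitespace carries no meaning in the tags used here.
        tags[name] = re.sub(r"\s+", "", val)
    return tags


def key_query_name(tags):
    """DNS name of the TXT record that holds the signer's public key."""
    # Internationalized labels are IDNA-encoded before the lookup.
    selector = tags["s"].encode("idna").decode("ascii")
    domain = tags["d"].encode("idna").decode("ascii")
    return "%s._domainkey.%s" % (selector, domain)


def structural_findings(tags, now):
    """Checks a verifier can make from the header field alone."""
    findings = ["missing %s=" % t for t in REQUIRED if t not in tags]
    if findings:
        return findings
    if "from" not in [h.lower() for h in tags["h"].split(":")]:
        findings.append("From: is not signed")
    if "i" in tags:
        auid_domain = tags["i"].rpartition("@")[2].lower()
        sdid = tags["d"].lower()
        if auid_domain != sdid and not auid_domain.endswith("." + sdid):
            findings.append("i= domain is outside d=")
    if "x" in tags and int(tags["x"]) < now:
        findings.append("signature expired")
    if "l" in tags:
        findings.append("l=%s: the rest of the body is unsigned" % tags["l"])
    return findings


if __name__ == "__main__":
    sig = parse_tags(EXAMPLE_SIG)
    print(key_query_name(sig))
    print(structural_findings(sig, now=1117600000))   # constructed "current" time
```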

Patent

Although DomainKeys is covered by U.S. Patent 6,986,049, Yahoo! has licensed its patent claims under a dual license scheme: the DomainKeys Patent License Agreement v1.2, [10] or GNU General Public License v2.0 (and no other version). [11][12]

Relationship to SPF and DMARC

In essence, both DKIM and SPF provide different measures of email authenticity. DMARC provides the ability for an organization to publish a policy that specifies which mechanism (DKIM, SPF, or both) is employed when sending email from that domain; how to check the From: field presented to end users; how the receiver should deal with failures—and a reporting mechanism for actions performed under those policies. [13]

Advantages

The primary advantage of this system for email recipients is in allowing the signing domain to reliably identify a stream of legitimate email, thereby allowing domain-based blacklists and whitelists to be more effective. [14] This is also likely to make certain kinds of phishing attacks easier to detect. There are some incentives for mail senders to sign outgoing email:

  • It allows a great reduction in abuse desk work for DKIM-enabled domains if e-mail receivers use the DKIM system to identify forged e-mail messages claiming to be from that domain.
  • The domain owner can then focus its abuse team energies on its own users who actually are making inappropriate use of that domain.

Use with spam filtering

DKIM is a method of labeling a message, and it does not itself filter or identify spam. However, widespread use of DKIM can prevent spammers from forging the source address of their messages, a technique they commonly employ today. If spammers are forced to show a correct source domain, other filtering techniques can work more effectively. In particular, the source domain can feed into a reputation system to better identify spam. Conversely, DKIM can make it easier to identify mail that is known not to be spam and need not be filtered. If a receiving system has a whitelist of known good sending domains, either locally maintained or from third party certifiers, it can skip the filtering on signed mail from those domains, and perhaps filter the remaining mail more aggressively. [14]

DKIM can be useful as an anti-phishing technology. Mailers in heavily phished domains can sign their mail to show that it is genuine. Recipients can take the absence of a valid signature on mail from those domains to be an indication that the mail is probably forged. The best way to determine the set of domains that merit this degree of scrutiny remains an open question. DKIM used to have an optional feature called ADSP that lets authors that sign all their mail self-identify, but it was demoted to historic status in November 2013. [15] Instead, DMARC can be used for the same purpose [16] and allows domains to self-publish which techniques (including SPF and DKIM) they employ, which makes it easier for the receiver to make an informed decision whether a certain mail is spam or not. [17] For example, using DMARC, eBay and PayPal both publish policies that all of their mail is authenticated, and requesting that any receiving system, such as Gmail, should reject any that is not. [18]

Compatibility

Because it is implemented using DNS records and an added RFC 5322 header field, DKIM is compatible with the existing email infrastructure. In particular, it is transparent to existing email systems that lack DKIM support. [19] This design approach also is compatible with other, related services, such as the S/MIME and OpenPGP content-protection standards. DKIM is compatible with the DNSSEC standard and with SPF.

Computation overhead

DKIM requires cryptographic checksums to be generated for each message sent through a mail server, which results in computational overhead not otherwise required for email delivery. This additional computational overhead is a hallmark of digital postmarks, making sending bulk spam more (computationally) expensive. [20] This facet of DKIM may look similar to hashcash, except that the receiver side verification is a negligible amount of work, while a typical hashcash algorithm would require far more work. [citation needed]

DKIM's non-repudiation feature prevents senders (such as spammers) from credibly denying having sent an email. It has proven useful to news media sources such as WikiLeaks, which has been able to leverage DKIM body signatures to prove that leaked emails were genuine and not tampered with—for example definitively repudiating such claims by Hillary Clinton's 2016 US Presidential Election running mate Tim Kaine, and DNC Chair Donna Brazile. [21]

Weaknesses

The RFC itself identifies a number of potential attack vectors. [22] DKIM signatures do not encompass the message envelope, which holds the return-path and message recipients. Since DKIM does not attempt to protect against mis-addressing, this does not affect its utility. A number of concerns were raised and refuted in 2013 at the time of the standardization. [23] A concern for any cryptographic solution would be message replay abuse, which bypasses techniques that currently limit the level of abuse from larger domains. [clarification needed] Replay can be inferred by using per-message public keys, tracking the DNS queries for those keys and filtering out the high number of queries due to email being sent to large mailing lists or malicious queries by bad actors. For a comparison of different methods also addressing this problem see email authentication.

Arbitrary forwarding

As mentioned above, authentication is not the same as abuse prevention. An evil email user of a reputable domain can compose a bad message and have it DKIM-signed and sent from that domain to any mailbox from where they can retrieve it as a file, so as to obtain a signed copy of the message. Use of the l tag in signatures makes doctoring such messages even easier. The signed copy can then be forwarded to a million recipients, for example through a botnet, without control. The email provider who signed the message can block the offending user, but cannot stop the diffusion of already-signed messages. The validity of signatures in such messages can be limited by always including an expiration time tag in signatures, or by revoking a public key periodically or upon a notification of an incident. Effectiveness of the scenario can hardly be limited by filtering outgoing mail, as that implies the ability to detect if a message might potentially be useful to spammers. [24]

Content modification

DKIM currently features two canonicalization algorithms, simple and relaxed, neither of which is MIME-aware. [25] Mail servers can legitimately convert to a different character set, and often document this with X-MIME-Autoconverted header fields. In addition, servers in certain circumstances have to rewrite the MIME structure, thereby altering the preamble, the epilogue, and entity boundaries, any of which breaks DKIM signatures. Only plain text messages written in us-ascii, provided that MIME header fields are not signed, [26] enjoy the robustness that end-to-end integrity requires. The OpenDKIM Project organized a data collection involving 21 mail servers and millions of messages. 92.3% of observed signatures were successfully verified, a success rate that drops slightly (90.5%) when only mailing list traffic is considered. [27]

Annotations by mailing lists

The problems might be exacerbated when filtering or relaying software makes changes to a message. Without specific precaution implemented by the sender, the footer addition operated by most mailing lists and many central antivirus solutions will break the DKIM signature. A possible mitigation is to sign only a designated number of bytes of the message body. It is indicated by the l tag in the DKIM-Signature header. Anything added beyond the specified length of the message body is not taken into account while calculating the DKIM signature. This won't work for MIME messages. [28]

Another workaround is to whitelist known forwarders, e.g., by SPF. For yet another workaround, it was proposed that forwarders verify the signature, modify the email, and then re-sign the message with a Sender: header. [29] However, this solution has its risk with forwarded third party signed messages received at SMTP receivers supporting the RFC 5617 ADSP protocol. Thus, in practice, the receiving server still has to whitelist known message streams.

The Authenticated Received Chain (ARC) is an email authentication system designed to allow an intermediate mail server like a mailing list or forwarding service to sign an email's original authentication results. This allows a receiving service to validate an email when the email's SPF and DKIM records are rendered invalid by an intermediate server's processing. [30] ARC is defined in RFC 8617, published in July 2019, as "Experimental". [31]

Short key vulnerability

In October 2012, Wired reported that mathematician Zach Harris detected and demonstrated an email source spoofing vulnerability with short DKIM keys for the google.com corporate domain, as well as several other high-profile domains. He stated that authentication with 384-bit keys can be factored in as little as 24 hours "on my laptop," and 512-bit keys, in about 72 hours with cloud computing resources. Harris found that many organizations sign email with such short keys; he factored them all and notified the organizations of the vulnerability. He states that 768-bit keys could be factored with access to very large amounts of computing power, so he suggests that DKIM signing should use key lengths greater than 1,024. Wired stated that Harris reported, and Google confirmed, that they began using new longer keys soon after his disclosure. According to RFC 6376 the receiving party must be able to validate signatures with keys ranging from 512 bits to 2048 bits, thus usage of keys shorter than 512 bits might be incompatible and shall be avoided. RFC 6376 also states that signers must use keys of at least 1024 bits for long-lived keys, though long-livingness is not specified there. [32]
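A domain owner can check its own published key records for this weakness. The following is an added example, not from the original article or any DKIM tool: it reads the RSA modulus size out of the p= value with a minimal DER reader and compares it with the 1024-bit floor mentioned above. The helper names are made up, and the 512-bit record is constructed with a placeholder modulus that is not a usable key.

```python
import base64

# Key record from this article (the quoted strings joined together).
EXAMPLE_RECORD = (
    "k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDmzRmJRQxLEuyYiyMg4suA2Sy"
    "MwR5MGHpP9diNT1hRiwUd/mZp1ro7kIDTKS8ttkI6z6eTRW9e9dDOxzSxNuXmume60Cjbu08gOyhPG3"
    "GfWdg7QkdN6kR4V75MFlw624VY35DaXBvnlTJTgRg/EW72O1DiYVThkyCgpSYS8nmEQIDAQAB"
)


def read_tlv(buf, pos, want):
    """Return (start, end) of the value of the DER element at pos."""
    if buf[pos] != want:
        raise ValueError("unexpected DER tag 0x%02x" % buf[pos])
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return pos, pos + length


def rsa_modulus_bits(p_value):
    """Size of the RSA modulus in a base64 SubjectPublicKeyInfo (p= tag)."""
    spki = base64.b64decode(p_value, validate=True)
    start, _ = read_tlv(spki, 0, 0x30)                    # SubjectPublicKeyInfo
    _, alg_end = read_tlv(spki, start, 0x30)              # AlgorithmIdentifier
    bits_start, _ = read_tlv(spki, alg_end, 0x03)         # BIT STRING
    key_start, _ = read_tlv(spki, bits_start + 1, 0x30)   # RSAPublicKey
    mod_start, mod_end = read_tlv(spki, key_start, 0x02)  # modulus INTEGER
    return int.from_bytes(spki[mod_start:mod_end], "big").bit_length()


def audit_key_record(record, min_bits=1024):
    """Findings for one DKIM key record; an empty list means none."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    if tags.get("k", "rsa") != "rsa":
        return []                        # the size rule below is for RSA keys
    if not tags.get("p"):
        return ["p= is empty: the key has been revoked"]
    bits = rsa_modulus_bits(tags["p"])
    if bits < min_bits:
        return ["%d-bit RSA key is below the %d-bit minimum" % (bits, min_bits)]
    return []


def der(tag, body):
    """Encode one DER element (only used to build the constructed record)."""
    n = len(body)
    if n < 0x80:
        head = bytes([n])
    else:
        head = bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + head + body


def constructed_record(bits):
    """Key record with a placeholder modulus of the given size."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa_key = der(0x30, der(0x02, b"\x00" + modulus) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption
    spki = der(0x30, alg + der(0x03, b"\x00" + rsa_key))
    return "k=rsa; p=" + base64.b64encode(spki).decode("ascii")


if __name__ == "__main__":
    for rec in (EXAMPLE_RECORD, constructed_record(512)):
        print(audit_key_record(rec) or "ok")
```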

History

DKIM resulted in 2004 from merging two similar efforts, "enhanced DomainKeys" from Yahoo and "Identified Internet Mail" from Cisco. [33][34] This merged specification has been the basis for a series of IETF standards-track specifications and support documents which eventually resulted in STD 76, currently RFC 6376. [35] "Identified Internet Mail" was proposed by Cisco as a signature-based mail authentication standard, [36][37] while DomainKeys was designed by Yahoo [38][39] to verify the DNS domain of an email sender and the message integrity.

Aspects of DomainKeys, along with parts of Identified Internet Mail, were combined to create DomainKeys Identified Mail (DKIM). [38][40][41] Trendsetting providers implementing DKIM include Yahoo, Gmail, AOL and FastMail. Any mail from these organizations should carry a DKIM signature. [38][42][43][44]

Discussions about DKIM signatures passing through indirect mail flows, formally in the DMARC working group, took place right after the first adoptions of the new protocol wreaked havoc on regular mailing list use. However, none of the proposed DKIM changes passed. Instead, mailing list software was changed. [45]

In 2017, another working group was launched, DKIM Crypto Update (dcrup), with the specific restriction to review signing techniques. [46] RFC 8301 was issued in January 2018. It bans SHA-1 and updates key sizes (from 512-2048 to 1024-4096). [47] RFC 8463 was issued in September 2018. It adds an elliptic curve algorithm to the existing RSA. The added key type, k=ed25519, is adequately strong while featuring short public keys, more easily publishable in DNS. [48]

Development

The original DomainKeys was designed by Mark Delany of Yahoo! and enhanced through comments from many others since 2004. It is specified in Historic RFC 4870, superseded by Standards Track RFC 4871, DomainKeys Identified Mail (DKIM) Signatures; both published in May 2007. A number of clarifications and conceptualizations were collected thereafter and specified in RFC 5672, August 2009, in the form of corrections to the existing specification. In September 2011, RFC 6376 merged and updated the latter two documents, while preserving the substance of the DKIM protocol. Public key compatibility with the earlier DomainKeys is also possible.

DKIM was initially produced by an informal industry consortium and was then submitted for enhancement and standardization by the IETF DKIM Working Group, chaired by Barry Leiba and Stephen Farrell, with Eric Allman of sendmail, Jon Callas of PGP Corporation, Mark Delany and Miles Libbey of Yahoo!, and Jim Fenton and Michael Thomas of Cisco Systems attributed as primary authors.

Source code development of one common library is led by The OpenDKIM Project, following the most recent protocol additions, and licensing under the New BSD License. [49]

Further reading

  • RFC 4686 Analysis of Threats Motivating DomainKeys Identified Mail (DKIM)
  • RFC 4871 DomainKeys Identified Mail (DKIM) Signatures Proposed Standard
  • RFC 5617 DomainKeys Identified Mail (DKIM) Author Domain Signing Practices (ADSP)
  • RFC 5585 DomainKeys Identified Mail (DKIM) Service Overview
  • RFC 5672 RFC 4871 DomainKeys Identified Mail (DKIM) Signatures—Update
  • RFC 5863 DKIM Development, Deployment, and Operations
  • RFC 6376 DomainKeys Identified Mail (DKIM) Signatures Draft Standard
  • RFC 6377 DomainKeys Identified Mail (DKIM) and Mailing Lists
  • RFC 8301 Cryptographic Algorithm and Key Usage Update to DomainKeys Identified Mail (DKIM)
  • RFC 8463 A New Cryptographic Signature Method for DomainKeys Identified Mail (DKIM)
Source: https://coinselected.com