DomainKeys

from Wikipedia, the free encyclopedia

DomainKeys is an identification protocol for ensuring the authenticity of e-mail senders. It was developed by Yahoo and has been an Internet standard since the end of 2013. It is designed to help contain unsolicited e-mail such as spam or phishing.

DomainKeys was originally published under the title Domain-Based Email Authentication Using Public Keys Advertised in the DNS (DomainKeys) in RFC 4870 and was replaced by RFC 4871 and later RFC 6376 under the title DomainKeys Identified Mail (DKIM) Signatures.

Functionality

DomainKeys is based on asymmetric (public-key) cryptography. The e-mail is provided with a digital signature, which the receiving server can verify using the public key that is published in the domain name system (DNS) of the sending domain. If verification fails, the receiving Mail Transfer Agent (MTA) or the receiving application program has the option of rejecting the e-mail or sorting it out.

The core of the process is that the sending MTA provides every sent e-mail with a digital signature over the content of the e-mail in the so-called “DomainKey-Signature” header.

DKIM supports the SHA-256 hash function to generate the hash value required for the signature. The hash value created in this way is then signed using RSA (1024–4096 bit) or Ed25519. Signing with Ed25519 is recommended. So that the signature can be represented in the ASCII character set used when sending e-mails, it is encoded with Base64.

The receiving MTA first base64-decodes the digital signature and then decrypts it with the public key of the alleged sender domain (e.g. yahoo.com); the hash value of the e-mail is recalculated independently. If the delivered, decrypted hash value and the self-calculated one match, the e-mail really comes from the specified domain. The public key(s) used are published in the DNS entry of the sending domain. This means that the DNS acts as a certification authority. An e-mail signed with the help of DomainKeys therefore offers the possibility of reliably checking whether the domain contained in the e-mail sender address is correct and whether the e-mail has been changed on the way to delivery.
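As an added example (not part of the Wikipedia article), the receiver-side part of the check described above in Python using only the standard library: it parses the DKIM-Signature tags, canonicalizes the body per RFC 6376, recomputes the body hash (bh=) and derives the DNS name under which the public key is published. The message, domain `example.com` and selector `sel2024` are constructed; checking the b= signature itself needs the key fetched from that DNS name and an RSA/Ed25519 library, which is left out here.

```python
import base64, hashlib, re

# Constructed sample (not from the article): empty body, so bh= is the SHA-256 of
# the empty string; b= holds a placeholder instead of a real signature.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    " s=sel2024; h=from:to:subject; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;\r\n"
    " b=PLACEHOLDER\r\nFrom: alice@example.com\r\nTo: bob@example.net\r\nSubject: hi\r\n\r\n"
)

def parse_tags(value):
    """Split a 'k=v; k=v' tag list into a dict, dropping folding whitespace."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def signature_tags(raw):
    """Return the parsed DKIM-Signature tags and the raw body of a message."""
    head, _, body = raw.partition("\r\n\r\n")
    unfolded = re.sub(r"\r\n[ \t]+", " ", head)  # join folded header lines
    for line in unfolded.split("\r\n"):
        name, _, value = line.partition(":")
        if name.lower() == "dkim-signature":
            return parse_tags(value), body
    raise ValueError("no DKIM-Signature header")

def canonical_body(body, canon):
    """RFC 6376 'simple' or 'relaxed' body canonicalization (CRLF line ends)."""
    lines = body.split("\r\n")
    if canon == "relaxed":  # trim trailing WSP, collapse WSP runs to one space
        lines = [re.sub(r"[ \t]+", " ", l.rstrip(" \t")) for l in lines]
    while lines and lines[-1] == "":  # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return "" if canon == "relaxed" else "\r\n"
    return "".join(l + "\r\n" for l in lines)

def verify_body_hash(raw):
    """Recompute bh= from the body; False means the body changed in transit."""
    tags, body = signature_tags(raw)
    body_canon = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    digest_name = tags["a"].split("-")[1]  # rsa-sha256 or ed25519-sha256 -> sha256
    digest = hashlib.new(digest_name, canonical_body(body, body_canon).encode()).digest()
    return base64.b64encode(digest).decode() == tags["bh"]

def key_record_name(raw):
    """DNS TXT name the verifier queries for the public key: <s>._domainkey.<d>."""
    tags, _ = signature_tags(raw)
    return f"{tags['s']}._domainkey.{tags['d']}"
```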

Spam filtering

Since DomainKeys is an authentication mechanism, it is not itself used to filter spam. Instead, DomainKeys limits the possibility of disguising e-mail sender addresses, because it can be used to determine whether an e-mail was actually sent via the specified domain.

This traceability can be used to make rating systems and filtering techniques for spam filters more effective. DomainKeys can also limit data theft through phishing, as participating mail senders can certify their e-mails as originals. If such certification is missing, although the alleged sender states that it signs its e-mails, the e-mail can be treated as a possible forgery.

Licensing

Yahoo has patented the process and submitted it to the IETF for standardization. The procedure has since been accepted as the RFC 4871 standard.

The DomainKeys process can be licensed from Yahoo and used either under the terms of the GPL 2.0 or under the terms of the proprietary Yahoo DomainKeys Patent License Agreement.

After the failure of the standardization of Microsoft's Sender ID, for which no GNU licensing was considered, the DomainKeys procedure has a good chance of establishing itself on the Internet alongside the Sender Policy Framework (SPF).

Support

The DomainKeys procedure requires major modifications to the mail server; appropriate adjustments currently exist for almost all common mail transfer agents. The DomainKeys method is currently supported by only very few providers; well-known larger providers that use DomainKeys are Yahoo and Gmail as well as Microsoft Office 365. The Zimbra groupware solution also supports the DomainKeys procedure.

The problem with this and all other methods of ensuring sender authenticity is that it takes a long time to roll out such a system, since the software must first be adapted and then also be deployed on the mail servers.

Further developments

In July 2005, Cisco and Yahoo submitted a joint draft entitled DomainKeys Identified Mail (DKIM) to the IETF. This proposal has since also been supported by other major players in the IT industry, including Microsoft and AOL, who had proposed SPF as an alternative solution. DKIM was published as RFC 4871 in May 2007, replacing the previous draft RFC 4870. In September 2011 RFC 6376 was published, which makes both RFC 4870 and RFC 4871 obsolete.

With DMARC, another specification was developed that combines the procedures of SPF and DKIM.
