In an effort to combat email spoofing, DKIM (DomainKeys Identified Mail) was formed in 2004 by merging two existing specifications: DomainKeys (created by Yahoo) and Identified Internet Mail (created by Cisco).
It has since become a widely adopted authentication technique and has been standardised by the IETF (currently RFC 6376). All major mailbox providers (such as Google, Microsoft and Yahoo) check incoming mail for DKIM signatures.
So how does DKIM work?
There are two sides to it, the sending server and the receiving server, and the process runs as follows:
- The domain owner generates a public/private key pair to be used for signing outgoing messages (multiple key pairs are allowed). The public key is published in a DNS TXT record named selector._domainkey.domain, where the selector lets several keys coexist and be rotated, and the private key is made available to the DKIM-enabled outbound email server.
- When an email is sent by an authorised user of the email server, the server uses the stored private key to generate a digital signature over a hash of the message body and a chosen set of headers, inserts it in the message as a DKIM-Signature header, and sends the email as normal.
- The DKIM-enabled receiving email server extracts the signature from the DKIM-Signature header. That header also names the signing domain (its d= tag) and the key selector (its s= tag); note that the signing domain is not necessarily the domain shown in the visible From: header. Checking that the two agree is the job of DMARC alignment, not DKIM itself.
- The public key is retrieved from DNS by querying the TXT record at selector._domainkey.signing-domain.
- The receiving mail system uses the public key to verify that the signature was generated by the matching private key. A valid signature proves that the message was signed by a holder of the signing domain's private key and that the signed headers and the body have not been altered since signing. Headers not listed in the signature's h= tag are not protected at all, and the commonly used "relaxed" canonicalisation deliberately ignores whitespace-only changes, so a pass is a statement about integrity and origin, not about the message being safe.
- The receiving email system applies local policies based on the results of the signature check. For example, the message might be quarantined or rejected if the signature does not verify; with DMARC the domain owner can publish which policy it wants receivers to apply.
In practice the signing MTA (Mail Transfer Agent) first computes a hash of the canonicalised message body and records it in the bh= tag of the DKIM-Signature header. It then hashes the selected headers together with the DKIM-Signature header itself (with the b= value left empty) and signs that hash with the private key, placing the result in the b= tag. After receiving the email, the recipient fetches the public key from the DNS record named by the d= and s= tags, recomputes both hashes from the message it received, and uses the public key to check that the signature in b= corresponds to its recomputed header hash. If the body hash matches and the signature verifies, the MTA knows that the signed parts of the email have not been changed, and that the email was signed by the listed domain.
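To make the signing and verification steps concrete, here is an added example, written for this page and not code from the original article or from any real DKIM implementation. It walks a constructed message through relaxed canonicalisation, the bh= body hash, the header hash, signing, and the receiver-side key lookup, using an in-memory dictionary as a stand-in for DNS. The RSA is a deliberately insecure textbook toy (known Mersenne primes, no padding) so that the block needs only the standard library; the example.com domain, the s1 selector, the addresses and the message body are all constructed for the demonstration, and the p= value in the fake TXT record stores just the modulus rather than the DER-encoded key a real record carries.

```python
import base64
import hashlib
import re

# Toy RSA key: 2^521-1 and 2^127-1 are known Mersenne primes, so the modulus is
# wide enough for a 256-bit digest. Structured primes and unpadded signing are
# INSECURE; this only marks where the private and public keys are used.
P, Q = (1 << 521) - 1, (1 << 127) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)

def relaxed_body(body):
    """RFC 6376 3.4.4: collapse WSP runs, drop trailing WSP and trailing empty lines.
    CRLF line endings are assumed, as on the wire."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)

def relaxed_header(name, value):
    """RFC 6376 3.4.2: lowercase name, unfold, collapse WSP, trim around the colon."""
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip(" \t")
    return f"{name.lower()}:{value}\r\n"

def b64(data):
    return base64.b64encode(data).decode()

def to_bytes(x):
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def parse_tags(value):
    """'k=v; k=v' -> dict; serves both the DKIM-Signature header and the TXT record."""
    return dict(t.strip().split("=", 1) for t in value.split(";") if t.strip())

def public_key_record(n):
    """TXT record the owner publishes at <selector>._domainkey.<domain>. Real records
    carry a DER SubjectPublicKeyInfo in p=; this toy just stores the modulus."""
    return f"v=DKIM1; k=rsa; p={b64(to_bytes(n))}"

def body_hash(body):
    return b64(hashlib.sha256(relaxed_body(body).encode()).digest())

def header_hash(headers, names, sig_value):
    """Hash the h= headers in order, then DKIM-Signature itself with b= emptied
    (assumes one instance of each listed header; RFC 6376 selects bottom-up)."""
    data = "".join(relaxed_header(hn, hv) for want in names
                   for hn, hv in headers if hn.lower() == want)
    data += relaxed_header("DKIM-Signature", sig_value).rstrip("\r\n")
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big")

def sign(headers, body, domain, selector, d=D, n=N):
    """Return headers with a DKIM-Signature prepended, signed by private key (d, n)."""
    names = [hn for hn, _ in headers]
    unsigned = "; ".join(["v=1", "a=rsa-sha256", "c=relaxed/relaxed", f"d={domain}",
                          f"s={selector}", "h=" + ":".join(names),
                          "bh=" + body_hash(body), "b="])
    sig = pow(header_hash(headers, [x.lower() for x in names], unsigned), d, n)
    return [("DKIM-Signature", unsigned + b64(to_bytes(sig)))] + headers

def verify(headers, body, dns):
    """Return 'pass', 'fail: ...' or 'permerror: ...' as a receiving MTA would."""
    sig_value = next((hv for hn, hv in headers if hn.lower() == "dkim-signature"), None)
    if sig_value is None:
        return "none: message is unsigned"
    tags = parse_tags(sig_value)
    # The key lookup is driven by d= and s=, not by the From: header; tying the
    # signing domain to From: is DMARC alignment, a separate check.
    record = dns.get(f"{tags['s']}._domainkey.{tags['d']}")
    if record is None:
        return "permerror: no key record for selector/domain"
    n = int.from_bytes(base64.b64decode(parse_tags(record)["p"]), "big")
    if tags["bh"] != body_hash(body):
        return "fail: body hash mismatch"
    stripped = "; ".join("b=" if t.strip().startswith("b=") else t.strip()
                         for t in sig_value.split(";"))
    expected = header_hash(headers, tags["h"].lower().split(":"), stripped)
    sig = int.from_bytes(base64.b64decode(tags["b"]), "big")
    return "pass" if pow(sig, E, n) == expected else "fail: header signature mismatch"

def demo():
    """Sign a constructed message, then verify it intact, with a tampered body,
    with whitespace-only changes, with a tampered Subject, and signed by a wrong key."""
    dns = {"s1._domainkey.example.com": public_key_record(N)}  # stand-in for DNS
    headers = [("From", "alice@example.com"), ("To", "bob@example.net"),
               ("Subject", "Invoice  #42")]
    body = "Please pay 100 EUR to account A.\r\n\r\n"
    signed = sign(headers, body, "example.com", "s1")
    return (
        verify(signed, body, dns),
        verify(signed, body.replace("account A", "account B"), dns),
        verify(signed, "Please pay 100 EUR   to account A.\r\n", dns),  # relaxed c= allows this
        verify([(hn, "URGENT " + hv if hn == "Subject" else hv) for hn, hv in signed], body, dns),
        verify(sign(headers, body, "example.com", "s1", d=D ^ 1), body, dns),
    )

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Running the block prints one verdict per case: the untouched message passes, changing the account number fails on the bh= comparison before any signature maths happens, a whitespace-only change still passes because relaxed canonicalisation collapses it, editing the Subject fails the header signature because Subject is listed in h=, and a signature made with the wrong private key fails against the published key. Two things a real verifier does that this toy omits are worth keeping in mind: it must select headers bottom-up when h= names a header more than once (that is what defends against a second injected From: or Subject:), and a DKIM pass on its own says nothing about whether the d= domain is the one the recipient sees in From:, which is why DMARC exists.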