- Category: November - December 2008
DKIM (and its predecessor DomainKeys) is a method of e-mail authentication. Unlike some other methods, it offers almost end-to-end integrity from a signing to a verifying Mail Transfer Agent (MTA). In most cases the signing MTA acts on behalf of the sender, and the verifying MTA on behalf of the receiver. DomainKeys is specified in Historic RFC 4870 which was made obsolete by Standards Track RFC 4871, DomainKeys Identified Mail (DKIM) Signatures.
DKIM is independent of Simple Mail Transfer Protocol (SMTP) routing aspects in that it operates on the RFC 2822 message — i.e., the transported mail data, header and body — not the SMTP envelope defined in RFC 2821.
Note that DKIM does not directly prevent abusive behavior; rather, it allows abuse to be tracked and detected more easily. This ability to prevent some forgery also has benefits for recipients of e-mail as well as senders, and "DKIM awareness" is programed into some e-mail software.
Since 2004, Yahoo! has signed all of its outgoing e-mail with DomainKeys and is verifying all incoming mail. As of 2005, Yahoo reported that the number of DomainKeys-verified e-mail messages they receive exceeds 300 million per day.
Google also uses DKIM and DomainKeys to sign e-mail messages sent from users of its Gmail service, actually going live with DomainKeys about a month before Yahoo did.
DomainKeys Identified Mail (DKIM) is a method for E-mail authentication, allowing a person who receives email to verify that the message actually comes from the domain that it claims to have come from. The need for this type of authentication arises because spam often has forged headers. For example, a spam message may claim in its "From:" header to be from sender@example.com, when in fact it is not from that address, and the spammer's goal is only to convince the recipient to click on a link in the body of the email which leads to some other web site. Because the email is not actually from the example. com domain, the recipient cannot have any effect by complaining to the system administrator for example. com. It also becomes difficult for recipients to establish whether to give good or bad reputations to various domains, and system administrators may have to deal with complaints about spam that appears to have originated from their systems, but didn't.
DKIM uses public-key cryptography to allow the sender to electronically sign legitimate emails in a way that can be verified by recipients. Prominent email service providers implementing DKIM (or its slightly different predecessor, DomainKeys) include Yahoo and Gmail. Any mail from these domains should carry a DKIM signature, and if the recipient knows this, he can discard mail that hasn't been signed, or that has an invalid signature.
DKIM also guards against tampering with mail, offering almost end-to -end integrity from a signing to a verifying Mail transfer agent (MTA). In most cases the signing MTA acts on behalf of the sender by inserting a DKIM-Signature header, and the verifying MTA on behalf of the receiver, validating the signature by retrieving a sender's public key through the DNS.
The DomainKeys specification has adopted aspects of Identified Internet Mail to create an enhanced protocol called DomainKeys Identified Mail (DKIM). This merged specification is the basis for an IETF Working Group which has guided the specification towards becoming an IETF Proposed Standard.
