E-Mail Security with DKIM

(Last Updated On: 2019-02-28)

Email is one of the most used applications for communication today, so how the fluke do you secure it? This is the task I had to go and find out after receiving some potentially very destructive phishing emails. The emails looked so real that if the user had not picked up on slight changes in the mail we would have had a hefty price to pay.

There are three technologies which I found can assist very quickly with this:

  1. SPF
    This validates the server sending the email
    Can improve mail deliverability on corporate domains
  2. DKIM
    This checks if the mail was tampered with prior to receiving it
  3. DMARC
    This combines the results of both SPF and DKIM

Taking a look at DKIM

DKIM (DomainKeys Identified Mail) is designed to detect if a mail has been altered in transit.

It is important to note that there are two sides to DKIM:

  1. The sending domain adds a DKIM signature (using a private key) to the mail as it leaves the server
  2. The receiving domain can choose what to do with the mail depending on the verification result

So how does this work?

As the sending mail server releases the mail it adds the DKIM-Signature header to the message. This signature is specific to each message, because the headers and body differ from one message to the next. DKIM is part of the headers, so it won't be visible in the mail body itself. When the receiving mail server gets the mail it extracts the necessary data from the DKIM-Signature header: d= (the email domain that signed the message) and s= (the selector). It then queries the sending domain's DNS and tries to fetch the selector record containing the public key. Once the key is returned it validates whether the email was changed or not and produces a verification result.


The Mail Header

Below is an example of how the header looks once it leaves the sending mail server:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forflukesake.co.za; s=mimecast20181024; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding:in-reply-to: references; bh=A2g3YKFJwkYZXEG+Qjwk8nCpen4EkZYzzMmLFLgE7es=; b=VPW0kvOAQ7Jx9R5bosd3Yy08mr5DLCulLnQJq+eBKV69a+zjLwDYC5Hq4VoEuLFu6b2Eor0d2bRUPWhjqUsZaTQy4bVs3PSCuxlzmVv4qyu+UEttrIiscZDaK0DvcOv5qNoUxrWdpFU6VrDc4w83NBfU6iiqOu5wB5NlCvP3bN0=

Headers Explained

Tag   Name               Description
v     Version            DKIM standard version being used
a     Algorithm          the algorithm used to create the hash and signature
c     Canonicalization   whether changes to the email like whitespace or line wrapping are allowed
s     Selector           selector to query the correct public key from the d value
d     Domain             the domain that signed the message
h     Headers            the SMTP headers that are included in the cryptographic hash
i     Identity           the identity of the signer, in email address format
b     Signature          the cryptographic signature of the headers and email body
bh    Message Body       computed hash of the message body

What types of verification result are generated?

Code        Description
Pass        Message signed, signature acceptable and verification test passed
Fail        Message signed and the signature accepted, but it failed the verification test
None        Message was not signed
TempError   Error on key or DNS, e.g. unable to retrieve the public key
PermError   Unrecoverable error, e.g. a required header is missing from the mail
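To make the flow above concrete, here is an added Python example (not code from the article or from any product it mentions) that parses the tag=value list in a DKIM-Signature header, derives the selector._domainkey.domain name the receiver queries, and reproduces the bh= step of verification using RFC 6376 relaxed body canonicalization. The sample header values are taken from the article except the b= signature, which is a placeholder, and the message body, which is constructed.

```python
import base64
import hashlib
import re

# Constructed sample: the DKIM-Signature header from the article, with the
# folded h= list shortened and the b= signature replaced by a placeholder.
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=forflukesake.co.za; "
    "s=mimecast20181024; h=from:subject:date:to; "
    "bh=A2g3YKFJwkYZXEG+Qjwk8nCpen4EkZYzzMmLFLgE7es=; b=SIGNATURE-PLACEHOLDER"
)

def parse_tags(value: str) -> dict:
    """Split a DKIM tag=value list (header or DNS TXT record) into a dict."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def dns_query_name(tags: dict) -> str:
    """Where the receiver looks up the public key: selector._domainkey.domain."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def canonicalize_body_relaxed(body: str) -> bytes:
    """RFC 6376 'relaxed' body canonicalization: collapse runs of spaces/tabs,
    strip trailing whitespace per line, drop trailing empty lines, end with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip()
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""

def body_hash(body: str) -> str:
    """The bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode()

def check_body_hash(signature_tags: dict, body: str) -> str:
    """Body-hash step of verification, using the article's result codes."""
    if "bh" not in signature_tags:
        return "permerror"  # required tag missing from the header
    return "pass" if body_hash(body) == signature_tags["bh"] else "fail"

if __name__ == "__main__":
    tags = parse_tags(SAMPLE_HEADER)
    print("lookup:", dns_query_name(tags))
    body = "Hello   world  \r\n\r\n"  # constructed body; the bh= above will not match it
    print("body hash check:", check_body_hash(tags, body))
```

Because relaxed canonicalization runs first, a forwarder that re-wraps whitespace still yields a pass, while any change to the words yields a fail.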

How Do You Set Up DKIM

Setting up DKIM for your sending domain is quite easy. Log onto the cPanel where your DNS is hosted. Within the DNS section, first check that you do not already have an existing DKIM record; if not, add a TXT record and populate it with the correct data. Note that you can have multiple DKIM records, and it is recommended not to just change a record but rather to phase it out over a few weeks by creating side-by-side records.

The Data

For all the information on how DKIM records can be populated, see the following link: http://www.dkim.org

Create a TXT record whose name is in the following format:
selector._domainkey.domainname

The value of the TXT record will be in the following format:
v=DKIM1; k=PublicKeyAlgorithm; p=PublicKey

Example
Oct20181105._domainkey.forflukesake.co.za  TXT  "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC//w7h8E+KY+HD31NGuuEdONPhEv4tNAYZ2VBl4SVcp9RAEy9Ik+B4X2Nyoxx6WYNc0bNV5ThNHQbVLMtAcqhM2m+TrQ6rq8xREc/Mz21o/GYAlsiywNh99AWMHlXiulHXJGZbbuR7VzAMU4RXAyCrL6mjnMEg/7jVtGz8co59XQIDAQAB"

The above was done via a cloud-based mail archiving server, and the private key was auto-generated by the archiving server. I did not have to set this up myself, so I unfortunately cannot show you how to configure the private key side if you are running a local server.

If you need to set this up on a local server you can use the link below to generate the keys:
https://dkimcore.org/tools/keys.html

Receiving Mail with DKIM

This is dependent on whether the exchange server you are running accepts DKIM or not. Most corporate environments should have this in place. This is where you receive the verification result back and can choose what to do with the mail received. For a public domain like Gmail, you should see a big question mark on any mail that is suspected. This won't be blocked, but a notification will be raised or the mail moved directly to Spam/Junk.

An example policy would be:

Result      Action
None        Take no action
Neutral     Take no action
Soft Fail   Accept but check spam filtering
Hard Fail   Reject
PermError   Accept but check spam filtering
TempError   Accept but check spam filtering

As a final note, DKIM does not encrypt content; it only advises when the message content was altered.
