E-Mail Security with DKIM

(Last Updated On: 2019-02-28)

Email is one of the most used applications for Communication today. So how the fluke do you secure it. Well, this is the task I had to go and find out after receiving some potentially very destructive phishing emails, the emails looked so real that if the user did not pick up slight changes in the mail we would have had a hefty price to pay.

There are three Technologies which I found can assist very quickly with this:

  1. SPF
    This Validates the Server Sending the Email
    Can improve mail deliverability on Corporate Domains
  2. DKIM
    This checks if the mail was tampered with prior to receiving it
  3. DMARC
    This is a combination of both SPF and DKIM

Taking a look at DKIM

DKIM (DomainKeys Identified Mail) is designed to detect if a mail has been altered in Transit.

It is Important to note there is two sides to DKIM.

  1. The Sending Domain adds DKIM (Using a Private Key) to the mail as it leaves the server
  2. The Receiving Domain can choose what to do with the mail depending on the Verification Result

So how does this work?

As the Sending mail server releases the mail it adds the DKIM Signature to the Message this is specific to each message as the headers and body are different. DKIM is part of the headers but won’t be viewable in the mail itself. When the Receiving mail server then receives the mail it extracts the necessary data from the DKIM Header “D=The Email domain” that singed the message, S=The Selector key. It queries the Sending Domain DNS and try’s and get the Selector key with the Public Key. Once the Key is returned it validates if the Email was Changed or not and gives a Verification code.

DKIM

The Mail Header

Below is example of how the header looks once it leaves the Sending mail server

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forflukesake.co.za; s=mimecast20181024; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding:in-reply-to: references; bh=A2g3YKFJwkYZXEG+Qjwk8nCpen4EkZYzzMmLFLgE7es=; b=VPW0kvOAQ7Jx9R5bosd3Yy08mr5DLCulLnQJq+eBKV69a+zjLwDYC5Hq4VoEuLFu6b2Eor0d2bRUPWhjqUsZaTQy4bVs3PSCuxlzmVv4qyu+UEttrIiscZDaK0DvcOv5qNoUxrWdpFU6VrDc4w83NBfU6iiqOu5wB5NlCvP3bN0=

Headers Explained

V Version DKIM Standard Version being Used
A Algorithm the algorithm used to create the hash
C Canonicalization whether changes to the email like whitespace or line wrapping is allowed
S Selector selector to query the correct public key from the d value
D selector to query the correct public key from the d value the domain that signed the message
H Headers the SMTP headers that are included in the cryptographic hash
I Identity the identity of the signer, in email address format
B Signature the cryptographic signature of the headers and email body
BH Message Body Computed Has for the message Body

What type of Verification Result are generated?

Code Description
Pass Messages Signed, Signatures were acceptable and verification test passed
Fail Message Signed and the signature accepted but failed the verification test
None Message was not signed
TempError Error on Key or DNS Ex. Unable to retrieve the Public Key
PermError Ex. Header is missing from the mail

How Do You Setup DKIM

To Setup DKIM for your Domain sending is quite easy. You Log onto your CPanel where your DNS is hosted. Within the DNS Section first, check if you do not have and existing DKIM if not add a TXT Record and Populate it with the correct Data. Note you can have multiple DKIM Records and it is recommended not to just change a Record but to rather phase it out over a few weeks by creating side by side Records.

The Data

For all the Information on how the DKIM Records can be populated, you can browse the following link http://www.dkim.org

Create a DNS Record with the Name of the TXT record in the following format:
Selector._domainkey.DomainName

The Value of the TXT Record will be in the Following Format:
V=DKIM1; K=PublicKey Algorithm; P=PublicKey

Example
Oct20181105._domainkey.forflukesake.co.za TXT “v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQC//w7h8E+KY+HD31NGuuEdONPhEv4tNAYZ
2VBl4SVcp9RAEy9Ik+B4X2Nyoxx6WYNc0bNV5ThNHQbVL
MtAcqhM2m+TrQ6rq8xREc/Mz21o/GYAlsiywNh99AWMHlX
iulHXJGZbbuR7VzAMU4RXAyCrL6mjnMEg/7jVtGz8co59XQ
IDAQAB

The Above was done via a mail archiving cloud-based server and the private key was auto generated by the archiving server I did not have to setup this up so can unfortunately not show you how to configure the private key side if you are running a local server.

If you need to setup on a local server you can use the below link to generate the keys:
https://dkimcore.org/tools/keys.html

Receiving Mail with DKIM

This is dependent on the exchange server you are running if it accepts DKIM or not. Most Corporate environment should have this in place. This is where you receive the Verification result back and you can choose what to do with mail received. For your public domain like Gmail, you should see a big question mark on any mail that is suspected. This won’t be blocked but a notification will be raised or moved directly to SPAM\JUNK.

An Example would be:

None Take No Action
Neutral Take No Action
Soft Fail Accept but check Spam Filtering
Hard Fail Reject
PermError Accept but check Spam Filtering
TempError Accept but check Spam Filtering

As a Final Note, this does not Encrypt content it only advises when the message content was altered.

********************************************************

If you liked what you read Please Share.
I’d love it if you followed me on YouTube and Facebook.

Also, feel free to subscribe to my posts by email.
Donations for the site can be made here.

Thanks for reading.
Spread the love

Leave a Reply

Your email address will not be published. Required fields are marked *