DomainKeys


DomainKeys is a sender-identification protocol that was first introduced by the email provider Yahoo in 2004. Its purpose is to make spam mails easier to identify, not to filter spam itself: DomainKeys prevents the origin of a mail from being concealed by establishing which domain the mail was sent from. Today, DomainKeys lives on as "DomainKeys Identified Mail (DKIM)". Using the information this protocol provides, users can tune their spam filters more effectively.

General information

The technical basis of DomainKeys is asymmetric cryptography: each mail carries a digital signature. The sending domain publishes the public key that verifies this signature in the Domain Name System (DNS). If verification fails, the receiving Mail Transfer Agent (MTA) or the mail client itself can refuse to accept certain mails. For this to work, the sender's MTA must first add the corresponding signature to the mail in the DomainKey-Signature header (DKIM-Signature in DKIM).

Technical aspects of DomainKeys

The hash values required to generate the signature can be computed with either SHA-1 or SHA-256; SHA-256 is the recommended choice. The signature itself is produced by signing the hash value with the RSA private key. The result is Base64-encoded, which is necessary so that the mail can be transmitted in the ASCII character set required for email.

When a mail arrives at the recipient, the signature is Base64-decoded, the hash value is recovered from it using the public key, and the hash over the received mail is recalculated. DKIM then recognizes whether the mail really originates from the claimed sender by checking that the delivered hash value, the hash recovered from the signature and the locally recomputed hash all match.

Differences to other methods

In contrast to procedures such as PGP or S/MIME, individual senders or identities are not checked; instead, the check operates on a domain basis. In addition, signatures are generated and verified directly on the respective mail servers. Here too DomainKeys differs from similar methods, which are confined to the mail client. No additional plugins are required to use DKIM.

Challenges of DomainKeys

Usually, you are dependent on the E-Mail Service Provider (ESP) for using DomainKeys. This makes sense because the providers have the necessary know-how and technical resources. On the other hand, the companies that want to use the service retain control of their DNS settings. Let's assume that an ESP generates the key pair that contains the private and public keys. In the next step, the generated private key is inserted into the mail server, which is responsible for sending the mails. The corresponding public key is now made available to the company so that it can be published in the DNS.

This procedure must be repeated every six months on average, because there is a high risk of keys being compromised, stolen, or cracked. Therefore, a rotation should be carried out at regular intervals, in the course of which, as a rule, three key pairs are used in parallel to ensure an error-free transition: the first is the expired key pair, the second is the key pair currently in use, and the third is the next valid key pair. This procedure involves a considerable recurring effort.

Solutions to the problem of rotation

In order to reduce or delegate the effort of rotation, one option is "(sub)domain delegation". Control is transferred completely to the ESP, which in turn publishes the public key in the DNS. Not all companies favour this solution, as they are reluctant to hand over complete control.

Another possibility is a "CNAME record". With this method, a domain name is defined as an alias in the DNS. The company sets the CNAME records for DKIM once; from then on, the receiving mail server is told that it can obtain the public key at another location, namely in the DNS of the ESP.

In both cases, i.e. (sub)domain delegation and CNAME record, the mail addresses have to be changed slightly. For example, "news@examplepage.com" becomes "info@news.examplepage.com" and "key1._domainkey.brand_domain.org" becomes "key1.brandname.esp_domain.com". The public key can then be found under "key1.brandname.esp_domain.com". The company only provides information about where the public key is located; the keys themselves are managed and regularly rotated by the ESP.
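The signing and verification steps described under "Technical aspects of DomainKeys", together with the CNAME-based key lookup from this section, as an added example that is not part of the original article. It simulates DNS with a Ruby hash, uses the page's example names (brand_domain.org, key1, key1.brandname.esp_domain.com), generates a throwaway key pair in place of the ESP's, and keeps only the From header in the signed set; the tag format follows DKIM-Signature but the canonicalization is simplified.

```ruby
require 'openssl'

def b64(bytes); [bytes].pack('m0'); end   # strict Base64 without line breaks, as DKIM needs
def unb64(text); text.unpack1('m0'); end

# The TXT record the company publishes at <selector>._domainkey.<domain>
# (or, with the CNAME approach, that the ESP publishes in its own zone).
def dns_record(public_key)
  "v=DKIM1; k=rsa; p=#{b64(public_key.to_der)}"
end

# Split a "k=v; k=v" tag list; split on the first '=' only so Base64 padding survives.
def tags(value)
  value.split(';').map(&:strip).select { |kv| kv.include?('=') }.to_h { |kv| kv.split('=', 2) }
end

# Sending MTA: bh = Base64(SHA-256(body)); b = Base64(RSA-SHA256 signature over the
# From header plus the DKIM-Signature header itself with an empty b= tag).
def sign(private_key, domain, selector, from, body)
  bh = b64(OpenSSL::Digest::SHA256.digest(body))
  hdr = "v=1; a=rsa-sha256; d=#{domain}; s=#{selector}; h=from; bh=#{bh}; b="
  sig = private_key.sign(OpenSSL::Digest.new('SHA256'), "from:#{from}\r\ndkim-signature:#{hdr}")
  hdr + b64(sig)
end

# Receiving MTA: fetch the public key via selector and domain (following a CNAME
# alias if the record is one), recompute the body hash, then check the signature.
# Returns :pass or a symbol naming the reason for rejection.
def verify(dns, from, body, sig_header)
  t = tags(sig_header)
  name = "#{t['s']}._domainkey.#{t['d']}"
  name = dns[name].delete_prefix('CNAME ') while dns[name]&.start_with?('CNAME ')
  return :no_key_in_dns unless dns[name]
  pub = OpenSSL::PKey::RSA.new(unb64(tags(dns[name])['p']))
  return :body_hash_mismatch unless b64(OpenSSL::Digest::SHA256.digest(body)) == t['bh']
  data = "from:#{from}\r\ndkim-signature:#{sig_header.delete_suffix(t['b'])}"
  pub.verify(OpenSSL::Digest.new('SHA256'), unb64(t['b']), data) ? :pass : :bad_signature
end

# Constructed walk-through: the CNAME in the brand's zone points at the ESP's record.
if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)   # stands in for the key pair the ESP generates
  dns = { 'key1._domainkey.brand_domain.org' => 'CNAME key1.brandname.esp_domain.com',
          'key1.brandname.esp_domain.com' => dns_record(key.public_key) }
  sig = sign(key, 'brand_domain.org', 'key1', 'news@brand_domain.org', "Hello\r\n")
  puts verify(dns, 'news@brand_domain.org', "Hello\r\n", sig)   # pass
  puts verify(dns, 'news@brand_domain.org', "Hello!\r\n", sig)  # body_hash_mismatch
end
```

A rotated key simply means a new selector with its own record; an old signature still verifies as long as the previous selector's record stays published, which is why the article recommends keeping several key pairs in parallel during rotation.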

Significance for development

As spam, phishing and other abusive activities are still a problem for companies, DKIM is a useful and sensible measure for assessing how legitimate the senders of e-mails are. Although the procedure should not be regarded as the sole measure against Spam & Co., it would be negligent to refrain entirely from defensive measures against potential attacks.