Understanding and Leveraging the Power of DKIM: The Key to Email Authentication and Security

Guest Author: Jennifer Radcliff

DKIM (DomainKeys Identified Mail) is an email authentication mechanism that lets the receiver of a message confirm that a named domain took responsibility for it and that the signed parts of the message were not altered in transit. It was developed to counter email spoofing, the sending of mail with a forged sender address so that the receiver believes it came from someone else.

One of the main reasons email spoofing is a problem is that it is exploited in phishing attacks and other forms of cybercrime. For instance, an attacker posing as a bank or other financial institution may send an email asking the recipient to click a link and enter their login details. If the spoofed message looks convincing, the target may not realize it came from an attacker and may hand over their credentials without noticing.

Email spoofing can also damage the reputation of a legitimate company or organization. If someone sends a large volume of spam purporting to come from a particular business, it can harm that business's image and make it harder for the business to reach its customers by email.

DKIM was designed to address these problems. It works by adding a digital signature to the message headers that the receiver can use to check the message's origin and integrity. When a message is sent, the sender's mail server computes a signature with the domain's private key and adds it as a DKIM-Signature header. The recipient's mail server then fetches the domain's public key from DNS, checks the signature, and so learns whether the signed headers and the body were altered in transit.

DKIM has several advantages. It is a building block for defending against phishing and other email fraud: a forged message cannot carry a valid signature for the impersonated domain, so it becomes harder for spammers and attackers to pass off mail as coming from real businesses and organizations, which protects their reputations. It also lets receivers detect tampering in transit, which strengthens the integrity of the email system as a whole. Two caveats matter in practice. DKIM does not encrypt or hide mail, so it detects alteration rather than preventing interception. And a valid signature only proves that the signing domain (the d= value) vouched for the message, not that this domain matches the visible From: address; that is why DKIM is deployed together with SPF and DMARC, and why DMARC requires the signing domain to align with the From: domain.

DKIM has helped make email a safer and more trustworthy medium, and it is a core tool for verifying the authenticity and integrity of email communications.

Example DKIM in an Email Header

Here is an example of a DKIM signature in an email's headers (the bh= and b= values shown are placeholders; real ones are base64 strings, 44 characters for a SHA-256 body hash and several hundred for an RSA signature):

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=dkim; h=From:To:Subject:Date:Message-ID; bh=abcdefghijklmnopqrstuvwxyz0123456789; b=abcdefghijklmnopqrstuvwxyz0123456789 abcdefghijklmnopqrstuvwxyz0123456789

This signature includes several fields (tags), each of which serves a specific purpose:

  • v: The DKIM version; always 1.
  • a: The signing algorithm, here rsa-sha256. The older rsa-sha1 is obsolete, and ed25519-sha256 is also defined.
  • c: The canonicalization methods used to prepare the message for signing, given as header/body. "relaxed" tolerates whitespace and folding changes made by mail relays; "simple" tolerates almost none.
  • d: The signing domain, the domain that takes responsibility for the message.
  • s: The selector. Combined with d, it locates the public key: the DNS TXT record at s._domainkey.d, here dkim._domainkey.example.com. Selectors let a domain publish several keys and rotate them.
  • h: The header fields covered by the signature, in order. From must be included. Any header not listed here can be changed or added without invalidating the signature.
  • bh: The base64-encoded SHA-256 hash of the canonicalized message body. The verifier recomputes it and compares before it bothers with the signature.
  • b: The base64-encoded signature itself, computed over the listed headers and over the DKIM-Signature header with the b= value left empty.

When a receiving mail server sees a DKIM-Signature header, it looks up the public key in DNS (the TXT record at selector._domainkey.domain, which you can inspect with dig TXT dkim._domainkey.example.com), recomputes the body hash and compares it with bh=, and then verifies the signature over the listed headers. If both checks pass, it knows that the signing domain vouched for the message and that the signed headers and body have not been modified since signing. Whether the signing domain is entitled to speak for the address in the From: header is a separate question, answered by DMARC alignment, and because the signature is a fixed property of the message, anyone who received a signed message can replay it unchanged.
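To make the field descriptions and the verification steps above concrete, here is an added example (written for this page; it is not the author's code nor any library's) that implements, with the Python standard library only, the parts of an RFC 6376 verifier that come before the public-key check: parsing the DKIM-Signature tags, relaxed canonicalization of body and headers, recomputing and comparing bh=, selecting the signed header instances, and assembling the exact bytes that the b= signature covers. The message, domain, selector and the PLACEHOLDER b= value are constructed for the demo; the one step left out is the RSA-SHA256 verification of b= over the returned bytes, which needs a crypto library and the key fetched from DNS.

```python
import base64
import hashlib
import re

def canonicalize_body_relaxed(body):
    # RFC 6376 s3.4.4: collapse WSP runs, strip trailing WSP, drop empty trailing
    # lines, end a non-empty body with one CRLF (an empty body stays empty).
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""

def canonicalize_header_relaxed(name, value):
    # RFC 6376 s3.4.2: lowercase name, unfold, collapse WSP, no WSP around the colon.
    value = re.sub(rb"[ \t]+", b" ", value.replace(b"\r\n", b"")).strip(b" ")
    return name.strip().lower() + b":" + value + b"\r\n"

def split_message(raw):
    # Split a CRLF message into [(name, raw_value), ...] and body; folded
    # continuation lines stay attached to their field, CRLF included.
    head, _, body = raw.partition(b"\r\n\r\n")
    fields = []
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and fields:
            fields[-1] = (fields[-1][0], fields[-1][1] + b"\r\n" + line)
        else:
            name, _, value = line.partition(b":")
            fields.append((name, value))
    return fields, body

def parse_dkim_tags(value):
    # 'v=1; a=rsa-sha256; ...' -> {tag: value}; FWS inside values (folded bh=/b=) is dropped.
    tags = {}
    for part in value.split(b";"):
        tag, sep, val = part.partition(b"=")
        if sep:
            tags[tag.strip()] = re.sub(rb"\s+", b"", val)
    return tags

def select_headers(fields, names):
    # RFC 6376 s5.4.2: for each name in h=, take the last not-yet-used occurrence,
    # so a duplicate header added after signing cannot stand in for the signed one.
    remaining, chosen = list(fields), []
    for name in names:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].strip().lower() == name.strip().lower():
                chosen.append(remaining.pop(i))
                break
    return chosen

def body_hash(body):
    return base64.b64encode(hashlib.sha256(canonicalize_body_relaxed(body)).digest())

def signed_data(raw):
    """Return (tags, bh_ok, data) for a message with one c=relaxed/relaxed signature:
    bh_ok says whether the body still matches bh=; data is the exact byte string
    the b= signature covers (selected headers, then the DKIM-Signature header with
    the b= value emptied and no trailing CRLF)."""
    fields, body = split_message(raw)
    sig_name, sig_value = next(f for f in fields if f[0].strip().lower() == b"dkim-signature")
    tags = parse_dkim_tags(sig_value)
    bh_ok = body_hash(body) == tags.get(b"bh")
    data = b"".join(canonicalize_header_relaxed(n, v)
                    for n, v in select_headers(fields, tags[b"h"].split(b":")))
    without_b = re.sub(rb"(^|[;\s])b=[^;]*", rb"\g<1>b=", sig_value)
    return tags, bh_ok, data + canonicalize_header_relaxed(sig_name, without_b).rstrip(b"\r\n")

def check_body_hash(raw):
    return signed_data(raw)[1]

def build_signature_header(raw_unsigned, domain, selector, names, b_value):
    # Assemble a DKIM-Signature header with a correct bh=. b_value is the base64 RSA
    # signature over signed_data() of the result; that step needs a key library, so
    # the demo below passes a placeholder.
    _, body = split_message(raw_unsigned)
    return (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=" + domain
            + b"; s=" + selector + b";\r\n\th=" + b":".join(names)
            + b"; bh=" + body_hash(body) + b";\r\n\tb=" + b_value + b"\r\n")

# Constructed sample message (not a real capture), with the kind of stray
# whitespace a relay might normalize.
UNSIGNED = (b"From: Alice <alice@example.com>\r\nTo: Bob <bob@example.net>\r\n"
            b"Subject: Quarterly   report\r\nDate: Tue, 07 Mar 2023 10:00:00 +0000\r\n"
            b"Message-ID: <20230307100000.1@example.com>\r\n\r\n"
            b"Hello Bob,  \r\n\r\nFigures attached.   \r\n\r\n\r\n")
SIGNED = build_signature_header(UNSIGNED, b"example.com", b"dkim",
                                [b"From", b"To", b"Subject", b"Date", b"Message-ID"],
                                b"PLACEHOLDER") + UNSIGNED
RESPACED = SIGNED.replace(b"Hello Bob,  \r\n", b"Hello Bob,\r\n")      # whitespace only
TAMPERED = SIGNED.replace(b"Figures attached.", b"Figures revised.")  # content changed

if __name__ == "__main__":
    for label, msg in (("signed", SIGNED), ("respaced", RESPACED), ("tampered", TAMPERED)):
        print(label, "body hash ok:", check_body_hash(msg))
```

Running it shows the body hash surviving the whitespace-only edit but not the change of wording, which is exactly what relaxed canonicalization is for. Note how select_headers walks from the bottom of the header block: without that rule an attacker could prepend a second From: header to a signed message and let the receiver display the unsigned one. A real verifier would feed the returned bytes, the a= algorithm and the p= key from the DNS record into an RSA verify call, and would also check that d= is at or above the From: domain before trusting the result for DMARC.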

Example DKIM code

Here is an example of how you could create a DKIM signature in Python for an email message:

import email
from email.policy import SMTP

import dkim  # pip install dkimpy: an RFC 6376 implementation, not part of the standard library


def generate_dkim_signature(raw_message, selector, private_key, domain):
    """Return a complete DKIM-Signature header line (bytes, CRLF-terminated).

    raw_message is the message exactly as it will be transmitted. The signature
    is an RSA-SHA256 signature made with the domain's private key; an HMAC
    needs a shared secret and cannot be verified with a public key published
    in DNS, so it is not a substitute.
    """
    return dkim.sign(
        raw_message,
        selector.encode(),
        domain.encode(),
        private_key,                              # PEM-encoded RSA private key
        canonicalize=(b"relaxed", b"relaxed"),    # c=relaxed/relaxed
        include_headers=[b"From", b"To", b"Subject", b"Date", b"Message-ID"],  # h=
    )


# Load the email message; the SMTP policy serializes it with the CRLF line
# endings that DKIM canonicalization and SMTP transport expect.
with open("email.eml", "rb") as f:
    email_message = email.message_from_binary_file(f, policy=SMTP)
raw_message = email_message.as_bytes(policy=SMTP)

# Load the private key. Its public half must be published as a TXT record at
# <selector>._domainkey.<domain>, here dkim._domainkey.example.com.
with open("private_key.pem", "rb") as f:
    private_key = f.read()

# Generate the DKIM signature
dkim_signature = generate_dkim_signature(raw_message, "dkim", private_key, "example.com")

# Prepend the new header to the message: dkim.sign returns it already folded
# and CRLF-terminated, so it goes directly in front of the existing headers.
with open("signed_email.eml", "wb") as f:
    f.write(dkim_signature + raw_message)

The script loads the email message and the PEM-encoded private key from files, calls generate_dkim_signature() to produce the DKIM-Signature header, and writes the signed message to a new file. Two points matter for a working deployment. First, the signature must be an RSA-SHA256 (or Ed25519) signature made with the domain's private key; an HMAC, which needs a shared secret, cannot be verified by a receiver that only has the public key from DNS. Second, the public half of the key must be published before mail goes out, as a TXT record at <selector>._domainkey.<domain> (dkim._domainkey.example.com for the values used here) of the form v=DKIM1; k=rsa; p=<base64 public key>.

Substitute the paths to your own private key and email message for private_key.pem and email.eml, and set the selector and domain to the ones under which you published the key.
