DomainKeys Identified Mail (DKIM) Development, Deployment, and Operations

DKIM only claim about message content is that the content cited in the "DKIM-Signature:" field’s "h=" tag has been delivered without modification. That is, it asserts message content integrity — between signing and verifying — not message content validity.

DKIM has three values that specify identification information and it is easy to confuse their use, although only one defines the formal input and output of DKIM, with the other two being used for internal protocol functioning and adjunct purposes, such as auditing and debugging.

DKIM’s primary task is to communicate from the Signer to a recipient-side Identity Assessor a single Signing Domain Identifier (SDID) that refers to a responsible identity. DKIM MAY optionally provide a single responsible Agent or User Identifier (AUID). A receive-side DKIM verifier MUST communicate the Signing Domain Identifier (d=) to a consuming Identity Assessor module and MAY communicate the User Agent Identifier (i=) if present. To the extent that a receiver attempts to intuit any structured semantics for either of the identifiers, this is a heuristic function that is outside the scope of DKIM’s specification and semantics.

The single, mandatory value that DKIM supplies as its output is:

d= This tag specify domain name of signing identity, also called Signing Domain Identifier (SDID).

The adjunct values are:

s= This tag specifies the selector, to discriminate among different keys that can be used for the same SDID. As discussed in Section 4.3 of [RFC5585],

"If verifiers were to employ the selector as part of an assessment mechanism, then there would be no remaining mechanism for making a transition from an old, or compromised, key to a new one".

Consequently, the selector is not appropriate for use as part or all of the identifier used to make assessments.

i= This tag is optional and provides the Agent or User Identifier (AUID) on behalf of which the SDID is taking responsibility [RFC5672]. The identity can be in the syntax of an entire email address or only a domain name. The domain name can be the same as for "d=" or it can be a sub-name of the "d=" name.

So, "i=" can have any of these properties:

This underscores why the tag needs to be treated as being opaque, since it can represent any semantics, known only to the signer.

Hence, "i=" serves well as a token that is usable like a Web cookie, for return to the signing Administrative Management Domain (ADMD) — such as for auditing and debugging. Of course in some scenarios the "i=" string might provide a useful adjunct value for additional (heuristic) processing by the Handling Filter.

For an entity creating DKIM signatures, it is likely that different portions of its mail will warrant different levels of trust.

It is therefore likely to be useful for a signer to use different "d=" subdomain names, for different message traffic streams, so that receivers can make differential assessments.

Generally, in a trust system, legitimate signers have an incentive to pick a small stable set of identities, so that recipients and others can attribute reputations to them.

Hence, the challenge is to determine a useful scheme for labeling different traffic streams. The most obvious choices are among different types of content and/or different types of authors. Although stability is essential, it is likely that the choices will change, over time, so the scheme needs to be flexible.

With DKIM, the Assessor can know that two messages with the same SDID are, in fact, signed by the same person or organization. This permits a far more stable and accurate assessment of mail traffic.

With the identifier(s) supplied by DKIM, the Assessor can consult an independent assessment service about the entity associated with the identifier(s). Another possibility is that the Assessor can develop its own reputation rating for the identifier(s).

Labels for the cells are meant as a general assessment of an organization producing that type of mail stream under that circumstance.

Best practices on key managements,

To enable accountability and auditing:

Ideally, DNS Security (DNSSEC) [RFC4034] needs to be employed in a configuration that provides protection against record insertion attacks and zone enumeration.

It is intended that assessments of DKIM identities be based on the domain name, and not include the selector.

If per-user signing keys are assigned for internal purposes, the following issues need to be considered before using such signatures as an alternative to traditional edge signing at the outbound MTA:

Best practices when signer is handled by other provider,

Example of key deployment process,

Example of key termination process,

Initial DKIM DNS information is contained within TXT RRs.

The "DKIM-Signature:" header in the message contains the "d=" tag with the basic domain name doing the signing and serving as output to the Identity Assessor and the s= tag with the selector that is added to the name, for finding the specific public key. Hence, the relevant "<selector>._domainkey.<domain-name>" DNS record needs to contain a DKIM-related RR that provides the public key information

The module doing signing can be placed anywhere within an organization’s trusted Administrative Management Domain (ADMD); obvious choices include department-level posting agents, as well as outbound boundary MTAs to the open Internet.

Given that DKIM is intended for use during email transit, rather than for long-term storage, it is expected that keys will be changed regularly. For administrative convenience, it is best not to hard-code key information into software.

Every organization (ADMD) will have its own policies and practices for deciding when to sign messages (message stream) and with what domain name, selector, and key.

DKIM requires that a message with a signature that is found to be invalid is to be treated as if the message had not been signed at all.

If a DKIM signature fails to verify, it is entirely possible that the message is valid and that either there is a configuration error in the signer’s system (e.g., a missing key record) or that the message was inadvertently modified in transit. If messages with invalid signatures were to be treated preferentially to messages with no signatures whatsoever, attackers will simply add invalid signature blocks to gain the preferential treatment.

Verifiers need to consider only the part of the message that is inside the scope of the message as being authenticated by the signature.

Valid DKIM signature does not represent proof positive that a valid claim of responsibility was made for it by the indicated party, that the message is authentic, or that the message is not abusive. In particular:

Messages that carry a valid DKIM signature from a trusted source can be whitelisted, avoiding the need to perform computation and hence energy-intensive content analysis to determine the disposition of the message.

Non-Verifying Adaptive Spam Filtering Systems. Adaptive (or learning) spam filtering mechanisms that are not capable of verifying DKIM signatures need to, at minimum, be configured to ignore DKIM header data entirely.

The intermediary that change the message content are strongly encouraged to deploy DKIM signing so that a verifiable claim of responsibility remains available to parties attempting to verify the modified message.

Consider the cases where:

In such cases, it is important that the communication link between the signature verifier and the relying application be sufficiently secure to prevent insertion of a message that carries a bogus results header.

The simplest case is when an organization use their own domain in the SDID of the signatures. The addresses in the "RFC5322.From" field would also be organization’s domain name.

An organization with multiple active subdomains may apply the same (single) signature domain to mail from all subdomains.

Another approach to distinguishing the streams using a single DKIM key would be to leverage the AUID [RFC5672] (i= tag) in the DKIM signature to differentiate the mail streams. For example, marketing email would be signed with "i=@marketing.domain.example" and "d=domain.example".

A signature whose domain does not match the domain of the RFC5322.From address is sometimes referred to as a third-party signature.

Third-party signatures encompass a wide range of identities. Some of the more common are:

Service Provider: An organization may outsourced their email to other provider. Such provider can DKIM-sign outbound mail with their own identifier.

Parent Domain: As discussed above, organizations choosing to apply a parent-domain signature to mail originating from subdomains can have their signatures treated as third party by some verifiers, depending on whether or not the "t=s" tag is used to constrain the parent signature to apply only to its own specific domain.

Reputation Provider: Such a signature would indicate to receivers that the message was being vouched for by that third party.

A different model arises when an organization uses a trusted third-party sender for certain key business functions, but still wants that email to benefit from the organization’s own identity and reputation.

This can be done by having the third party generate a key pair that is designated uniquely for use by that trusted third party and publishing the public key in the controlling organization’s DNS domain, thus enabling the third party to sign mail using the signature of the controlling organization.

One important caveat to the use of multiple signatures is that there is currently no clear consensus among receivers on how they plan to handle them. The opinions range from ignoring all but one signature (and the specification of which of them is verified differs from receiver to receiver), to verifying all signatures present and applying a weighted blend of the trust assessments for those identifiers, to verifying all signatures present and simply using the identifier that represents the most positive trust assessment. It is likely that the industry will evolve to accept multiple signatures using either the second or third of these, but it can take some time before one approach becomes pervasive.

There are a number of situations where applying more than one DKIM signature to the same message might make sense. A few examples are:

Any forwarder that modifies messages in ways that will break preexisting DKIM signatures needs to sign its forwarded messages.

In this scenario, Company A need only generate a single signing key and publish it under their top-level domain (companya.example); the signing module would then tailor the AUID value as needed at signing time.

An organization may distinguish email from several department, where each department may have their own subdomain with its unique signing keys.

A company might outsource its department’s mail service to other provider. For example, Company A with marketing department, marketing.company-a.example, might be managed by provider X.

Security concerns dictate that the keys be generated by the organization that plans to do the signing so that there is no need to transfer the private key. In other words, the provider X would generate keys.

An Email Service Provider (ESP A) might want to share its own mailing reputation with its clients, and might sign all outgoing mail from its clients with its own d= domain (e.g., d=espa.example).

When the ESP wants to distinguish among its clients, it has two options:

An ISP (ISP A) might want to assign signatures to outbound mail from its users according to each user’s past sending behavior (reputation). ISP A (ispa.example) can configure subdomains corresponding to the assessment categories (e.g., good.ispa.example, neutral.ispa.example, bad.ispa.example), and use these subdomains in the "d=" value of the signature.

The signing module can also set the AUID value to have a unique user ID (distinct from the local-part of the user’s email address), for example, "user3456@neutral.domain.example".

Some examples of agents might be a mailing list manager, or the "forward article to a friend" service that many online publications offer. In most of these cases, the signature is asserting that the message originated with, or was relayed by, the service asserting responsibility. In general, if the service is configured in such a way that its forwarding would break existing DKIM signatures, it needs to always add its own signature.

The robustness of DKIM’s verification mechanism is based on the fact that only authorized signing modules have access to the designated private key. This has the side effect that email submission and delivery scenarios that originate or relay messages from outside the domain of the authorized signing module will not have access to that protected private key, and thus will be unable to attach the expected domain signature to those messages. Such scenarios include mailing lists, courtesy forwarders, MTAs at hotels, hotspot networks used by traveling users, and other paths that could add or modify headers, or modify the message body.

For example, assume that Joe have email address at joe@company-a.example, joe@isp-1.example, and joe@isp-2.example.

When Joe send email through "isp-1" as "joe@company-a.example", that email cannot have a signature with d=company-a.example, because "isp-1" have no access to company-a.example’s private key. The email will have signature from "isp-1.example" instead.

If the organization signs all of its mail, then its boundary MTAs can look for mail purporting to be from the organization that does not contain a verifiable signature. Such mail can, in most cases, be presumed to be spurious.

However, other paths could add or modify the can modify messages in ways that will invalidate an existing DKIM signature. Such breakage is particularly relevant in the presence of Author Domain Signing Practices.

It is possible to administer subdomains or otherwise adjust signatures in a way that supports per-user identification. This user-level granularity can be specified in two ways: either by sharing the signing identity and specifying an extension to the "i=" value that has a per-user granularity or by creating and signing with unique per-user keys.

In most cases, it would be impractical to sign email on a per-user granularity. Such an approach would be

likely to be ignored: In most cases today, if receivers are verifying DKIM signatures, they are in general taking the simplest possible approach. In many cases, maintaining reputation information at a per-user granularity is not interesting to them, in large part because the per-user volume is too small to be useful or interesting.

difficult to manage: Any scheme that involves maintenance of a significant number of public keys might require infrastructure enhancements or extensive administrative expertise. This can create significant and often unnecessary management complexity.

For those who choose to represent user-level granularity in signatures, the performance and management considerations above suggest that it would be more effective to do so by specifying a local part or subdomain extension in the "i=" tag rather than by extending the "d=" domain and publishing individual keys.

Outbound

An MSA or an outbound MTA used for mail submission needs to ensure that the message sent is in compliance with the advertised email sending policy. If email messages does not comply it needs to be able to generate an operator alert.

If MUAs add their own signature, and MSA needs to perform operation on a message to make it comply with its email sending policy, it needs to do so in a way that would not break those signatures.

MUA are generally not under direct control of organization and more vulnerable to attack and compromise, which would jeopardize the integrity and reputation of the organization. So, MUA ability to sign is not encouraged.

Inbound

When an organization deploys DKIM, it needs to make sure that its email infrastructure components that do not have primary roles in DKIM handling do not modify message in ways that prevent subsequent verification.

Intermediaries An email intermediary is both an inbound and outbound MTA. If the intermediary modifies a message in a way that breaks the signature, the intermediary,

The intermediary can,

Outbound

An MUA can sign a message, even if its not encouraged. In this case the signature from MUA is an addition to signature added by MSA. If user software act as MSA and employed for sending directly to a receiving ADMD, the user software need to be considere an outbound MTA.

Inbound

An MUA can rely on report of DKIM verification from inbound MTA/MDA, or they can perform verification directly. If verification fails, the message is to be treated the same as a message that does not have a signature.

An MUA that looks for an Authentication-Results header field needs to be configurable to choose which Authentication-Results header fields are considered trustable. The MUA developer is encouraged to re-read the Security Considerations of [RFC5451].

Verified DKIM signature cannot be used by an MUA to indicate that a message is to be treated better than a message without a verified DKIM signature. However, it can be used as input into a reputation system.