DKIM
SPF allows recipients to verify that the server an email came from was authorised to send mail for the domain it claims to originate from.
DKIM allows recipients to validate an email's integrity.
When an email is sent, the client connects to an SMTP server known as the Mail Submission Agent (MSA). This is the opportunity for the MSA to validate that the email is genuine, and it can sign the email on behalf of the author. The signature includes the information a recipient needs to validate it.
The flow of DKIM roughly follows:
- Email is received by the mail submission agent
- The DKIM-Signature email header is injected, signed with the signer's private key
- The email is transferred, and additional DKIM signatures may be injected by forwarders
- DKIM evaluations are performed by retrieving the signer's DNS TXT records
- Email is delivered or rejected based on the results
DKIM Evaluations
There are three DKIM evaluation results:
- Success - Signature verified
- PERMFAIL - Signature found but invalid
- TEMPFAIL - Transient error (DNS error etc.)
Reading a DKIM Signature
v - version (must be 1)
a - Cryptographic algorithm
b - Signature in Base64
bh - Hash of the email body in Base64
d - signer domain
h - List of protected header fields, in order of appearance
s - Domain Key Selector
Adding a DKIM public key
DKIM, like SPF, uses DNS TXT records to host the public key; the record is located at a subdomain that is known as the selector.
The primary tag required is p, which is the base64-encoded version of the public key from the public/private key pair you generated.
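As an added example (not part of these notes), the Python below parses the tags listed above, derives the DNS name where the selector's public key record is published, and performs the checks a verifier can do before fetching the key: required tags, version, and the bh body hash using "simple" canonicalisation. The header and body are constructed samples; the b= value is a placeholder because signature verification over the h= headers with the fetched public key is not shown here.

```python
import base64
import hashlib
import re

REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")


def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs.
    Folding whitespace inside values is dropped, as a verifier must ignore it."""
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def selector_record_name(tags: dict) -> str:
    """DNS name of the TXT record that holds the signer's p= public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def simple_body_hash(body: bytes, algo: str = "rsa-sha256") -> str:
    """Base64 hash of the body after 'simple' canonicalisation (RFC 6376 3.4.3):
    CRLF line endings, trailing empty lines removed, exactly one CRLF at the end."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"  # an empty body canonicalises to a single CRLF
    digest = hashlib.sha1 if algo == "rsa-sha1" else hashlib.sha256
    return base64.b64encode(digest(body).digest()).decode()


def check_signature_header(header_value: str, body: bytes) -> str:
    """Return 'ok' or a PERMFAIL reason for the checks that need no DNS lookup."""
    tags = parse_tags(header_value)
    missing = [t for t in REQUIRED_TAGS if t not in tags]
    if missing:
        return f"PERMFAIL: missing tags {missing}"
    if tags["v"] != "1":
        return "PERMFAIL: unsupported version"
    if tags["a"] not in ("rsa-sha256", "rsa-sha1", "ed25519-sha256"):
        return "PERMFAIL: unknown algorithm"
    if simple_body_hash(body, tags["a"]) != tags["bh"]:
        return "PERMFAIL: body hash mismatch"
    return "ok"


# Constructed sample message (not real mail); bh= is derived from BODY so the check passes.
BODY = b"Hello from the MSA example.\n\n\n"
SAMPLE_HEADER = ("v=1; a=rsa-sha256; d=example.com; s=sel2024;\r\n h=from:to:subject:date; bh="
                 + simple_body_hash(BODY) + ";\r\n b=PLACEHOLDERSIGNATURE")
```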