DNS-Based Defense: DKIM

In this lesson, we will explore DomainKeys Identified Mail (DKIM) and how it can help defend against phishing attacks.

DKIM

DomainKeys Identified Mail (DKIM) lets us use cryptography to prove which emails really came from our domain. It can be used in addition to SPF. When we set up a domain to use DKIM, we add a public key to the DNS records for our domain, and our mail server uses the corresponding private key to sign our outgoing emails. That way, when the mail server at another domain receives an email claiming to be from our domain, it can look up our public key in DNS and verify that the signature on the email is legitimate. A forged email will carry either no signature or one that fails to verify against our published key.

Joe asks: how do signatures prevent forged email?

Alice wants to send out messages and prove that they came from her. Public key signatures give her a way to do that.

First, Alice creates a public/private key pair. She keeps the private key private but distributes the public key far and wide via DNS. These keys are just really big numbers, hundreds of digits long. But these numbers aren’t chosen at random. There’s a mathematical relationship between them. The relationship between the private and public keys allows for some pretty interesting things:

  • Alice can write a message and use the private key to create a signature for the message.
  • Bob can look at the message, the signature, and the public key and then harness the power of math to prove that the signature was created by someone who had the private key. If Bob trusts that no one copied the private key from Alice, then Bob knows that Alice wrote the message.
  • Eve can’t figure out the private key even if she sees the message, the signature, and the public key.

This just describes what the signatures make possible. If you'd like to read more about the math behind this, read the excellent descriptions in either Serious Cryptography, Cryptography Engineering, or crypto101.io.
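The DKIM flow described above (publish the public key in DNS, sign outgoing mail with the private key, let the receiver look the key up and verify), as an added Go example that is not code from this lesson. It stands the DNS TXT record in as a plain string, signs the whole message instead of DKIM's canonicalized headers, and uses function names that are my own assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"strings"
)

// TXTRecord builds what the domain owner publishes at <selector>._domainkey.<domain>.
func TXTRecord(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der), err
}

// Sign is the sending server's step: SHA-256 the message, sign the hash with the private key.
func Sign(priv *rsa.PrivateKey, msg string) (string, error) {
	h := sha256.Sum256([]byte(msg))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return base64.StdEncoding.EncodeToString(sig), err
}

// keyFromRecord is the receiver's parsing step: find the p= tag and decode the public key.
func keyFromRecord(rec string) (*rsa.PublicKey, bool) {
	for _, tag := range strings.Split(rec, ";") {
		kv := strings.SplitN(strings.TrimSpace(tag), "=", 2)
		if len(kv) != 2 || kv[0] != "p" {
			continue
		}
		der, err := base64.StdEncoding.DecodeString(kv[1])
		key, perr := x509.ParsePKIXPublicKey(der) // an empty p= (revoked key) fails here
		pub, ok := key.(*rsa.PublicKey)
		return pub, err == nil && perr == nil && ok
	}
	return nil, false // no p= tag: malformed record
}

// Verify is the receiving server's step: check the signature against the message it got.
func Verify(rec, msg, sigB64 string) bool {
	pub, ok := keyFromRecord(rec)
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if !ok || err != nil {
		return false
	}
	h := sha256.Sum256([]byte(msg))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}
```

A message altered after signing, or a signature checked against a different domain's key, fails Verify, which is exactly the property that stops a forged email from passing as ours.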
...