[ietf-dkim] DKIM "blurb"
wietse at porcupine.org
Thu May 24 06:05:15 PDT 2007
Like many, I was asked for comments on DKIM after the RFC was
announced. Below is my simplified, mostly correct, summary.
Feel free to copy, modify, or distribute.
What DKIM is
DKIM (domain keys identified mail) is email authentication technology,
developed in an IETF (internet engineering task force) working
group. It allows recipients to identify the origin of email more
reliably than by looking at its FROM address.
Where DKIM software runs
Typically DKIM software does not run on end-user systems. Instead,
it runs on mail servers that send and receive mail across the
Internet. For mail within an organization, there may be other ways
to deal with email forgeries.
How DKIM works
With DKIM, a sending mail server stamps outgoing mail with a
cryptographic signature of header and body content; a receiving
server verifies the signature on incoming mail, using a public key
that is stored in the DNS (domain name system) under a sender-specified
domain name. The DKIM signature and other information are stored
in an extra header inside the email message.
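As an added illustration of that flow (not part of the original post), the toy Python below has a "sending server" compute a body hash and a signature over selected headers, put both into a DKIM-Signature tag list, and a "receiving server" look up the key under the sender-specified selector and domain and re-check both. The RSA key, the in-memory DNS table and the domain names are constructed for the example; the second record shows that a look-alike domain publishing its own key also gets a signature that verifies.

```python
import base64
import hashlib

# Toy textbook RSA key (two Mersenne primes, no padding) so the example runs with the
# standard library alone; it stands in for the sender's real RSA-SHA256 key pair.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

# Constructed stand-in for DNS, keyed <selector>._domainkey.<domain>; the look-alike reuses the toy key.
DNS_TXT = {"s1._domainkey.example.com": {"n": N, "e": E},
           "s1._domainkey.really-secure-example.com": {"n": N, "e": E}}

def canon_headers(headers, names):
    # Relaxed-style (simplified): lowercase names, collapse whitespace, first occurrence wins.
    picked = {}
    for name, value in headers:
        picked.setdefault(name.lower(), " ".join(value.split()))
    return "".join(f"{n}:{picked[n]}\r\n" for n in names if n in picked)

def body_hash(body):
    # Simple body canonicalization: CRLF line ends, trailing empty lines dropped, then bh=.
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    canon = "".join(line + "\r\n" for line in lines)
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def header_hash(headers, names, fields):
    # The signature covers the listed headers plus the DKIM-Signature field itself with b= empty.
    data = canon_headers(headers, names) + "dkim-signature:" + fields
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big")

def sign(headers, body, domain, selector, d=D, n=N):
    # Sending server: build the tag list, sign the header hash, return the DKIM-Signature value.
    names = ["from", "to", "subject"]
    fields = f"v=1; a=rsa-sha256; d={domain}; s={selector}; h={':'.join(names)}; bh={body_hash(body)}; b="
    sig = pow(header_hash(headers, names, fields), d, n)
    return fields + base64.b64encode(sig.to_bytes((n.bit_length() + 7) // 8, "big")).decode()

def verify(headers, body, dns=DNS_TXT):
    # Receiving server: parse the tags, fetch the key named by d= and s=, recheck both hashes.
    value = next((v for k, v in headers if k.lower() == "dkim-signature"), "")
    tags = dict(t.strip().split("=", 1) for t in value.split(";") if t.strip())
    key = dns.get(f"{tags.get('s')}._domainkey.{tags.get('d')}")
    if key is None or tags.get("bh") != body_hash(body):
        return False
    others = [h for h in headers if h[0].lower() != "dkim-signature"]
    fields = value[: value.rfind("; b=") + 4]
    sig = int.from_bytes(base64.b64decode(tags["b"]), "big")
    return pow(sig, key["e"], key["n"]) == header_hash(others, tags["h"].split(":"), fields)
```

A verifier with no published key for d=/s= returns False here; in practice that is "unsigned", and what to do with unsigned or unknown-domain mail is the reputation question the rest of the post turns to.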
What DKIM is not
DKIM is not to be confused with S/MIME- or PGP-like technologies.
While S/MIME and the like identify the "user" who sends mail, the DKIM
signature typically identifies the sending mail server or organization.
The mail server operator needs to ensure that it will stamp only
mail from appropriate users (for example, an organization's mail
servers would stamp mail only from users on the organization's own
What DKIM can/cannot do
DKIM typically allows a recipient to find out if mail from PAYPAL.COM
was sent through a PAYPAL.COM mail server. However, DKIM does not
tell the recipient whether or not REALLY-SECURE-PAYPAL.COM and other
look-alike domains are owned by thieves, and whether mail from those
domains can be trusted when it has a correct DKIM signature.
DKIM as enabler for reputation services
DKIM provides a way to identify email senders more reliably than
by looking at the FROM address. To decide whether or not a DKIM
signature can be trusted, users need to use "reputation" information,
either information from the user's address book (I have done business
with REALLY-SECURE-PAYPAL.COM before and I trust them) or from
third-party reputation services that are still being developed.
DKIM support is available for many major mail servers, including
open source mail servers such as Sendmail and Postfix.