What is DKIM?
DKIM (DomainKeys Identified Mail), as
Wikipedia puts it, "is an email authentication method designed to
detect forged sender addresses in emails (email spoofing), a technique
often used in phishing and email spam". More prosaically, one of the
reasons email spam is so abundant is that, given a certain email
message, there is no simple way to know for certain who sent it and
how reputable they are. So even if people having addresses
are very nice and well-behaving, any random spammer can
easily send emails from
, and even if you trust
you cannot easily configure your antispam
filter to just accept all emails from
, because spammers
would get in too.
For nearly ten years, DKIM has been there to help you. If you send an email
with DKIM, it will have a header like this:
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=debian.org;
is the domain this email claims to be from
and the fields
are a cryptographic public key signature
certifying this fact. How do I check that the email is actually from
? I use the selector
to fetch the public
key via DNS, and then use the public key to verify the signature.
$ host -t TXT vps.gio.user._domainkey.debian.org
vps.gio.user._domainkey.debian.org descriptive text "v=DKIM1; k=rsa; s=email; h=sha256; p=" "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsM/W/kxtKWT58Eak0cfm/ntvurfbkkvugrG2jfvSMnHHkFyfJ34Xvn/HhQPLwX1QsjhuLV+tW+BQtxY7jxSABCee6nHQRBrpDej1t86ubw3CSrxcg1mzJI5BbL8un0cwYoBtUvhCYAZKarv1W2otCGs43L0s" "GtEqqtmYN/hIVVm4FcqeYS1cYrZxDsjPzCEocpYBhqHh1MTeUEddVmPHKZswzvllaWF0mgIXrfDNAE0LiX39aFKWtgvflrYFKiL4hCDnBcP2Mr71TVblfDY0wEdAEbGEJqHR1SxvWyn0UU1ZL4vTcylB/KJuV2gMhznOjbnQ6cjAhr2JYpweTYzz3wIDAQAB"
There it is! Debian declares in its DNS record that that key is
authorized to sign outbound email from
. The spammer
hopefully does not have access to Debian's DKIM keys, and they cannot
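The verification steps described above (take s= and d= from the header, query the TXT record, concatenate its quoted strings, decode the key, check the signature) as an added example in pure standard-library Python. This is not code from the post, from Debian or from DSA. The key record is the one the `host` output above shows, copied in full; the DKIM-Signature header is constructed, since the post cuts it off after d=, so its s=, h=, bh= and b= values are assumptions and the b= value is deliberately not a real signature.

```python
import base64
import hashlib
import re

# Constructed sample input. The header mirrors the post's, but the post cuts
# it off after d=; the s=, h=, bh= and b= values below are made up (the b=
# value is deliberately not a real signature over anything).
SIGNATURE_HEADER = (
    "v=1; a=rsa-sha256; c=simple/simple; d=debian.org; s=vps.gio.user; "
    "h=from:to:subject:date; bh=ZmFrZS1ib2R5LWhhc2g=; b=AAAA"
)

# The TXT record as the post shows `host -t TXT` printing it, split into
# several quoted strings. The key material is the post's, copied in full.
HOST_OUTPUT = (
    'vps.gio.user._domainkey.debian.org descriptive text '
    '"v=DKIM1; k=rsa; s=email; h=sha256; p=" '
    '"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsM/W/kxtKWT58Eak0cfm/ntvurfbkkvugrG2jfvSMnHHkFyfJ34Xvn/HhQPLwX1QsjhuLV+tW+BQtxY7jxSABCee6nHQRBrpDej1t86ubw3CSrxcg1mzJI5BbL8un0cwYoBtUvhCYAZKarv1W2otCGs43L0s" '
    '"GtEqqtmYN/hIVVm4FcqeYS1cYrZxDsjPzCEocpYBhqHh1MTeUEddVmPHKZswzvllaWF0mgIXrfDNAE0LiX39aFKWtgvflrYFKiL4hCDnBcP2Mr71TVblfDY0wEdAEbGEJqHR1SxvWyn0UU1ZL4vTcylB/KJuV2gMhznOjbnQ6cjAhr2JYpweTYzz3wIDAQAB"'
)


def parse_tags(text):
    """Parse a DKIM tag=value list (the header and the DNS record use the
    same syntax) into a dict, dropping whitespace inside the values."""
    tags = {}
    for item in text.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def dns_name_for(sig_tags):
    """The name a verifier queries: <selector>._domainkey.<domain>."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"


def join_txt_strings(host_line):
    """DNS tools print a long TXT record as several quoted strings; they
    must be concatenated without a separator before parsing the tags."""
    return "".join(re.findall(r'"([^"]*)"', host_line))


def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low bits = byte count of the length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


RSA_OID = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption


def rsa_public_numbers(spki_der):
    """Pull (n, e) out of the SubjectPublicKeyInfo carried in the p= tag."""
    tag, spki, _ = der_read(spki_der)
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, algorithm, pos = der_read(spki)
    if not algorithm.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bitstring, _ = der_read(spki, pos)
    if tag != 0x03:
        raise ValueError("expected a BIT STRING holding the RSA key")
    _, rsa_key, _ = der_read(bitstring[1:])      # byte 0 = unused-bit count
    _, n_bytes, pos = der_read(rsa_key)
    _, e_bytes, _ = der_read(rsa_key, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def lookup_key(sig_header, host_line):
    """What a verifier does before checking b=: find the record via s=/d=,
    check it is a DKIM1 RSA record usable with sha256, decode the key."""
    sig = parse_tags(sig_header)
    name = dns_name_for(sig)
    if not host_line.startswith(name):
        raise ValueError("record does not belong to the queried name")
    record = parse_tags(join_txt_strings(host_line))
    if record.get("v", "DKIM1") != "DKIM1" or record.get("k", "rsa") != "rsa":
        raise ValueError("unsupported key record")
    if "h" in record and "sha256" not in record["h"].split(":"):
        raise ValueError("key record forbids sha256 signatures")
    n, e = rsa_public_numbers(base64.b64decode(record["p"]))
    return name, n, e


SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def verify_rsa_sha256(n, e, signature, signed_data):
    """RSASSA-PKCS1-v1_5 check, which is what a=rsa-sha256 means: signature^e
    mod n must equal 00 01 FF..FF 00 || DigestInfo || SHA-256(signed_data),
    where signed_data is the canonicalised header set (b= emptied)."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    padding = b"\xff" * (k - 3 - len(SHA256_DIGESTINFO) - 32)
    expected = (b"\x00\x01" + padding + b"\x00" + SHA256_DIGESTINFO
                + hashlib.sha256(signed_data).digest())
    return em == expected


if __name__ == "__main__":
    name, n, e = lookup_key(SIGNATURE_HEADER, HOST_OUTPUT)
    print(f"{name}: {n.bit_length()}-bit RSA key, e={e}")
    # The made-up b= above is not a signature over anything, so it fails.
    fake = base64.b64decode(parse_tags(SIGNATURE_HEADER)["b"])
    print("verifies:", verify_rsa_sha256(n, e, fake, b"canonicalised headers"))
```

A real verifier also has to canonicalise the body and headers as c= says before hashing; the point here is the key discovery path and the fact that the DNS record, not the message, decides which key is trusted.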
Many large and small email services have already deployed DKIM for
years, while most
emails still do not use it. Why not?
Because people send
emails from many different
servers. Basically, every DD sends their
email from their own mail server, and those mail servers (fortunately)
do not have access to Debian's DNS record to install their DKIM
keys. Well, that was true until yesterday! :-)
A few weeks ago I poked DSA asking to allow any Debian Developer to
install their DKIM keys, so that DDs could use DKIM to sign their
emails and hopefully reduce the amount of spam sent from
. They have done it (thank you DSA very much, especially
), and now it is possible to use it!
How do I configure it?
I will not write a full DKIM tutorial here, there are
have to use
to generate a key and then configure
your mail server to use
to digitally sign outbound email.
There are a few Debian-specific things you have to care about, though.
First, you have to choose a selector
, which is a string used to
distinguish many DKIM keys belonging to the same domain. Debian allows
you to install a key whose selector is
is your Debian uid (this is done both for namespacing
reasons and for exposing who might be abusing the system). So check
carefully that your selector has this form.
Then, you cannot directly edit Debian's DNS record. But you can use the
email-LDAP gateway on
install your key in a way similar to how entries in
handled (see the updated
generated the following thing for
vps.gio.user._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
"ddVmPHKZswzvllaWF0mgIXrfDNAE0LiX39aFKWtgvflrYFKiL4hCDnBcP2Mr71TVblfDY0wEdAEbGEJqHR1SxvWyn0UU1ZL4vTcylB/KJuV2gMhznOjbnQ6cjAhr2JYpweTYzz3wIDAQAB" ) ; ----- DKIM key vps.gio.user for debian.org
Then you have to carefully copy the content of the
being fooled by it being split between different strings) and
construct a request of the form:
dkimPubKey: vps.gio.user MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsM/W/kxtKWT58Eak0cfm/ntvurfbkkvugrG2jfvSMnHHkFyfJ34Xvn/HhQPLwX1QsjhuLV+tW+BQtxY7jxSABCee6nHQRBrpDej1t86ubw3CSrxcg1mzJI5BbL8un0cwYoBtUvhCYAZKarv1W2otCGs43L0sGtEqqtmYN/hIVVm4FcqeYS1cYrZxDsjPzCEocpYBhqHh1MTeUEddVmPHKZswzvllaWF0mgIXrfDNAE0LiX39aFKWtgvflrYFKiL4hCDnBcP2Mr71TVblfDY0wEdAEbGEJqHR1SxvWyn0UU1ZL4vTcylB/KJuV2gMhznOjbnQ6cjAhr2JYpweTYzz3wIDAQAB
and then send it GPG-signed to
echo 'dkimPubKey: vps.gio.user blahblahblah' | gpg --clearsign | mail email@example.com
host -t TXT vps.gio.user._domainkey.debian.org
to check that the
key gets published (it will probably take some minutes or hours, I don't
know). Once it is published, you can enable DKIM in your mail server
and your email will be signed. Congratulations, you will not look like
a spammer any more!
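The publishing side of the procedure above (read the zone file opendkim-genkey produced, join the split strings, check the selector form, build the dkimPubKey line) as an added example in Python; it is not code from the post or from Debian. The zone file is constructed to look like the one the post shows, with the post's vps.gio.user key in full; the uid "gio" and the exact selector rule in check_selector (an optional label in front of `<uid>.user`) are assumptions chosen so that the post's own selector passes.

```python
import base64
import re

# Constructed input: the <selector>.txt file opendkim-genkey writes, with the
# record split across several quoted strings. The key is the one the post
# shows for vps.gio.user; the split points follow the post's host output.
ZONE_FILE = (
    'vps.gio.user._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "\n'
    '  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsM/W/kxtKWT58Eak0cfm/ntvurfbkkvugrG2jfvSMnHHkFyfJ34Xvn/HhQPLwX1QsjhuLV+tW+BQtxY7jxSABCee6nHQRBrpDej1t86ubw3CSrxcg1mzJI5BbL8un0cwYoBtUvhCYAZKarv1W2otCGs43L0s"\n'
    '  "GtEqqtmYN/hIVVm4FcqeYS1cYrZxDsjPzCEocpYBhqHh1MTeUEddVmPHKZswzvllaWF0mgIXrfDNAE0LiX39aFKWtgvflrYFKiL4hCDnBcP2Mr71TVblfDY0wEdAEbGEJqHR1SxvWyn0UU1ZL4vTcylB/KJuV2gMhznOjbnQ6cjAhr2JYpweTYzz3wIDAQAB" ) ; ----- DKIM key vps.gio.user for debian.org\n'
)


def selector_of(zone_text):
    """The owner name in front of ._domainkey is the selector."""
    return zone_text.split("._domainkey", 1)[0].strip()


def check_selector(selector, uid):
    """Debian installs a key only if its selector carries your uid and ends
    in .user (the post's example: vps.gio.user). Assumption made here: a
    free-form label may precede the uid."""
    pattern = rf"(?:[A-Za-z0-9-]+\.)?{re.escape(uid)}\.user"
    return re.fullmatch(pattern, selector) is not None


def public_key_of(zone_text):
    """Join the quoted strings (no separator) and take the p= tag. Copying
    only the first quoted string after p= would yield a truncated key."""
    joined = "".join(re.findall(r'"([^"]*)"', zone_text))
    tags = dict(t.strip().split("=", 1) for t in joined.split(";") if "=" in t)
    key = re.sub(r"\s+", "", tags["p"])
    base64.b64decode(key, validate=True)     # a mangled or cut chunk fails here
    return key


def build_request(zone_text, uid):
    """The one-line dkimPubKey request to be GPG-clearsigned and mailed."""
    selector = selector_of(zone_text)
    if not check_selector(selector, uid):
        raise ValueError(f"selector {selector!r} does not end in {uid}.user")
    return f"dkimPubKey: {selector} {public_key_of(zone_text)}"


if __name__ == "__main__":
    print(build_request(ZONE_FILE, "gio"))
```

Running the script prints the line to pipe into `gpg --clearsign`; a selector that does not carry your uid is refused before anything is sent, which is the check the post asks you to do by hand.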
You can send an email to
that your setup is correct. They will reply with a report, including
the result of the DKIM test.
Notice that currently Debian's setup only allows you to use RSA DKIM
keys and doesn't allow you to set other DKIM fields (but you probably
won't need to set them).
EDIT DSA made an official announcement about DKIM
which you might want to check out as well, together with its links.
EDIT 2 Now ed25519 keys are supported, the syntax for specifying
keys on LDAP is a little bit more flexible and you can also insert
records. See the official
for the updated
So we have solved our problems with spam?
Ha, no! DKIM is only a small step. Useful, also because it enables
other steps to be taken in the future, but small.
In particular, DKIM enables you to say: "This particular email
actually comes from
", but doesn't tell anybody what to
do with emails that are not signed. A third-party mail server might
emails are actually supposed to be signed
There is another standard for dealing with that, which is called
DMARC, and I believe that Debian should eventually use it, but not
now: the problem is that currently virtually no email from
is signed with DKIM, so if DMARC were enabled other mail
servers would start to nuke all
emails, except those
which are already signed, a minority. If people and services sending
start configuring DKIM on their
servers, which is now possible, there will eventually come a time when
DMARC can be enabled, and spammers will find themselves unable to send
emails. We are not there yet, but today we are a
little step closer than yesterday.
Also, notice that having DKIM on
only counters spam
pretending to be from
, but there is much more. The
policy on what to accept
is mostly independent of the policy on what you
. However, knowing that
emails have DKIM and DMARC
would mean that we can set our spam filters to be more aggressive in
general, but whitelist official Debian Developers and services. And
the same can be done for other domains using DKIM and DMARC.
Finally, notice that some incompatibilities between DKIM and mailing
lists are known, and do not have a definitive answer yet. Basically,
most mailing list engines modify either the body or the headers of
forwarded emails, which means that DKIM does not validate any
more. There are many proposed solutions, possibly none completely
satisfying, but since spam is not very satisfying either, something
will have to be worked out. I have written a lot already, though, so I won't
discuss this here.