• DKIM
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Email authentication - DKIM
DKIM checks the message content, deploying digital signatures. Rather than using digital certificates, the keys for signature verification are distributed via the DNS. That way, a message gets associated with a domain name.
A DKIM-compliant ADMD (administrative management domain) generates one or more pairs of asymmetric keys, then hands private keys to the signing MTA, and publishes public keys on the DNS.
The purpose of a DKIM-signature is not to assure message integrity. Often, it does not even guarantee that a message author's data, as per a signed From: field, has a real name or a valid mailbox. The parts to be signed are chosen so as to identify the message unequivocally. A valid signature just states that the message did actually flow through a box operated by that ADMD.
While intermediate relays usually can add header fields without breaking existing DKIM-signatures, changing character set, adding a tag to the subject, adding a footer, or fixing the MIME structure of a message are likely to break them.
DKIM
DomainKeys Identified Mail (DKIM) is an email validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is authorized by that domain's administrators. A digital signature included with the message can be validated by the recipient using the signer's public key published in the DNS.
DKIM is the result of merging DomainKeys and Internet Identified Mail. This merged specification has been the basis for a series of IETF standards-track specifications and support documents which eventually resulted in STD 76 (http://datatracker.ietf.org/doc/STD76?include_text=1).
All outbound email now being DKIM signed (http://blog.fastmail.fm/2009/08/13/all-outbound-email-now-being-dkimsigned/)
DKIM - Overview
In most cases, the signing module acts on behalf of the author organization or the originating service provider by inserting a DKIM-Signature: header field.
DKIM is independent of Simple Mail Transfer Protocol (SMTP) routing aspects in that it operates on the RFC 5322 message -- the transported mail's header and body -- not the SMTP envelope defined in RFC 5321. Hence the DKIM signature survives basic relaying across multiple MTAs.
DKIM allows the signer to distinguish its legitimate mail stream. It does not directly prevent or disclose abusive behavior.
This ability to distinguish legitimate mail from potentially forged mail has benefits for recipients of e-mail as well as senders, and DKIM awareness is programmed into some e-mail software.
DKIM - How it works
The DKIM-Signature header field consists of a list of tag=value parts.
Note that the DKIM-Signature header field itself is always implicitly included in 'h'.
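
As an added example (not part of the original slides), the following Python code parses a DKIM-Signature value into its tag=value parts and derives the DNS name under which the signer's public key is published. The tag meanings and the `_domainkey` label are taken from RFC 6376; the sample header, domain and selector are constructed.

```python
import re

# Constructed sample value (not from the page); bh= and b= hold dummy base64.
SAMPLE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.org; s=sel2024;\r\n"
    "\th=From:To:Subject:Date; bh=ZHVtbXktYm9keS1oYXNo;\r\n"
    "\tb=ZHVtbXkt\r\n\t c2lnbmF0dXJl"
)
REQUIRED = ("v", "a", "b", "bh", "d", "h", "s")  # mandatory tags in RFC 6376

def parse_tag_list(value):
    """Split a DKIM-Signature header value into a {tag: value} dict."""
    unfolded = re.sub(r"\r?\n(?=[ \t])", "", value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        if not part.strip():
            continue  # a trailing ';' is permitted
        name, sep, val = part.partition("=")
        name = name.strip()
        if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
            raise ValueError(f"malformed tag: {part!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = val.strip()
    missing = [t for t in REQUIRED if t not in tags]
    if missing:
        raise ValueError(f"missing required tags: {missing}")
    for t in ("b", "bh"):  # base64 values may be folded; drop the whitespace
        tags[t] = re.sub(r"\s+", "", tags[t])
    return tags

def key_record_name(tags):
    """DNS name of the TXT record that carries the signer's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def signed_headers(tags):
    """Header fields listed in h=; DKIM-Signature itself is covered implicitly."""
    return [h.strip().lower() for h in tags["h"].split(":")]

if __name__ == "__main__":
    t = parse_tag_list(SAMPLE)
    print(key_record_name(t), signed_headers(t))
```
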
DKIM - Development
In September 2011, RFC 6376 merged and updated the latter two documents, while preserving the substance of the DKIM protocol.
DKIM was initially produced by an informal industry consortium and was then submitted for enhancement and standardization by the IETF DKIM Working Group, chaired by Barry Leiba and Stephen Farrell, with
Source code development of one common library is led by The OpenDKIM Project, following the most recent protocol additions, and licensing under the New BSD License.
DKIM - Patent encumbrance
DomainKeys is covered by a patent assigned to Yahoo! Inc. For the purpose of the DKIM IETF Working Group, Yahoo! released the now obsolete DK library under a dual license scheme: the DomainKeys Patent License Agreement v1.2, an unsigned version of which can still be found, and GNU General Public License v2.0 (and no other version).
DKIM - Advantages
* It allows a great reduction in abuse desk work for DKIM-enabled domains if e-mail receivers use the DKIM system to identify forged e-mail messages claiming to be from that domain.
DKIM - Use with spam filtering
However, widespread use of DKIM can prevent spammers from forging the source address of their messages, a technique they commonly employ today.
DKIM - Anti-phishing
DKIM can be useful as an anti-phishing technology. Mailers in heavily phished domains can sign their mail to show that it is genuine. Recipients can take the absence of a valid signature on mail from those domains to be an indication that the mail is probably forged. The best way to determine the set of domains that merit this degree of scrutiny remains an open question; DKIM has an optional feature called Author Domain Signing Practices (ADSP) that lets authors that sign all their mail self-identify, but the effectiveness of this approach remains questionable:
Working with eBay and PayPal, Google has effectively utilized DKIM in Gmail in such a way that any e-mail that claims to be coming from ebay.com or PayPal.com will not be accepted at all if it cannot be verified successfully with DKIM. Such messages won't even appear in the Spam folder. Heavily phished domains that deserve such treatment are few in number, far fewer than those who publish strict policies.
DKIM - Compatibility
Because it is implemented using DNS records and an added RFC 5322 header field, DKIM is compatible with the existing e-mail infrastructure. In particular, it is transparent to existing e-mail systems that lack DKIM support.
DKIM - Protocol overhead
DKIM requires cryptographic checksums to be generated for each message sent through a mail server, which results in computational overhead not otherwise required for e-mail delivery.
This facet of DKIM may look similar to hashcash, except that the receiver side verification is not a negligible amount of work.
DKIM - Weaknesses
DKIM signatures do not encompass the message envelope, which holds the return-path and message recipients. Since DKIM does not attempt to protect against mis-addressing, this does not affect its utility.
DKIM - Arbitrary forwarding
As mentioned above, authentication is not the same as abuse prevention: DKIM doesn't prevent a spammer from composing an ad at a reputable domain so as to obtain a signed copy of the message.
DKIM - Content modification
in format=flowed the quotes can be legally removed, which breaks DKIM signatures
The OpenDKIM Project organized a data collection involving 21 mail servers and millions of messages. Only '92.3% of observed signatures were successfully verified', a success rate that drops slightly (90.5%) when only mailing list traffic is considered.
DKIM - Annotations by mailing lists
These problems are exacerbated when filtering or relaying software makes actual changes to a message. Although legitimate, the footer additions made by most mailing lists and many central antivirus solutions are, formally, exactly the kind of message tampering that DKIM has been designed to guard against.
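
To show why a relay's whitespace changes or a list footer invalidate a signature, the following added example (not from the original slides) computes the body hash a signer would place in the bh= tag and recomputes it after relaying. The "simple" and "relaxed" body canonicalization rules are those of RFC 6376, which the page cites but does not describe; the sample messages are constructed.

```python
import base64
import hashlib
import re

def canon_simple(body: bytes) -> bytes:
    """'simple': body is kept verbatim; only trailing empty lines are ignored."""
    return re.sub(rb"(\r\n)+\Z", b"", body) + b"\r\n"

def canon_relaxed(body: bytes) -> bytes:
    """'relaxed': also collapse runs of spaces/tabs and drop line-end whitespace."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()  # ignore empty lines at the end of the body
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, canon: str = "simple") -> str:
    """Base64 SHA-256 of the canonicalized body, as carried in the bh= tag."""
    data = canon_relaxed(body) if canon == "relaxed" else canon_simple(body)
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def survives(original: bytes, relayed: bytes, canon: str) -> bool:
    """True if the signer's body hash still matches what the verifier computes."""
    return body_hash(original, canon) == body_hash(relayed, canon)

# Constructed sample bodies (not from the page).
ORIGINAL = b"Hello  team,\r\nthe report is attached.\r\n"
RESPACED = b"Hello team, \r\nthe report is attached.\r\n\r\n"   # relay re-spaced text
WITH_FOOTER = ORIGINAL + b"-- \r\nPosted via the example mailing list\r\n"

if __name__ == "__main__":
    for label, relayed in (("re-spaced", RESPACED), ("footer added", WITH_FOOTER)):
        for canon in ("simple", "relaxed"):
            ok = survives(ORIGINAL, relayed, canon)
            print(f"{label:13} {canon:8} {'bh matches' if ok else 'bh mismatch'}")
```

Relaxed canonicalization tolerates the whitespace change, but neither mode tolerates the added footer.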
by DKIM.
Some suggest that these limitations could be addressed by combining DKIM with SPF, because SPF (which breaks when messages are forwarded) is immune to modifications of the e-mail data, and mailing lists typically use their own SMTP error address, also known as Return-Path. In short, SPF works without problems where DKIM might run into difficulties, and
DKIM - 2012 usage vulnerability
How a Google Headhunter's E-Mail Unraveled a Massive Net Security Hole (http://www.wired.com/threatlevel/2012/10/dkim-vulnerability-widespread)
The Art of Service
https://store.theartofservice.com