Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2014-01-29 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

How to Debug DKIM

Published: 2014-01-29
Last Updated: 2014-01-29 20:28:41 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

DKIM is one way to make it easier for other servers to figure out if an e-mail sent on behalf of your domain is spoofed. Your mail server will add a digital signature to each email authenticating the source. This isn't as good a signing the entire e-mail, but it is a useful tool to at least validate the domain used as part of the "From" header.

The problem is that DKIM can be tricky to debug. If you have mail rejected, it is useful to be able to manually verify what went wrong. For example, you may have different keys, and the wrong key was used, which is one of the trickier issues to debug.

Lets start with the basics: first make sure the e-mail you send is actually signed. Look for the "DKIM-Signature" header:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dshield.org;

s=default; t=1391023518;

bh=wu4x1KKZCyCgkXxuZDq++7322im11hlsCET+KxQ9+48=;

h=To:Subject:Date:From;

b=wVZQsIvZQe0i2YuhFNeUrpfet0wa7cIcwZ8LR9izWuF1E1NDQmpKUImCHO/RlPgYJ

wruW1IunQWRXtd4MQMuUZNsU1rGFzsYXoC4T6rVjHonQtQgoFSoEfo90KtZTC2riev

There are a couple of important pieces to look for:

  • d=dshield.org - this is the domain for which the signature is good for
  • s=default - this can be used to define different keys.

Using these two values, we can retrieve the public keys from DNS:

$ dig +short TXT default._domainkey.dshield.org

"v=DKIM1\; k=rsa\; p=MIGfMA0G...AQAB" 

At this point we know which key was used to sign the headers, and we got the public key to verify it. You probably already spotted the algorithm used to sign the header: "a=rsa-sha256". 

DKIM only signs specific headers. In our case, we signed the To, Subject, Date and From headers which can be learned from the "h=..." field above.

For the sample e-mail above, these headers are:

To: jullrich@euclidian.com

Subject: Testing DKIM

Date: Wed, 29 Jan 2014 19:25:18 +0000 (UTC)

From: jullrich@dshield.org (Johannes Ullrich)

 
Luckily, we don't have to do all the verification "by hand". Instead, we can use the "opendkim-testmsg" tool. We jst pass the raw e-mail message to it.
The tool is pretty basic, in that it does not provide any output if the verification succeeds. The tool will retrieve the key automatically.
 
For example:
 
$ opendkim-testmsg  < TestingDKIM.eml
$
 
On failure, you will get a generic error:
 
$ opendkim-testmsg  < TestingDKIM.eml
opendkim-testmsg: dkim_eom(): Bad signature
 
If you do implement DKIM, I highly recommend you also configure reporting addresses via DMARC. This way, some larger ISPs will send you reports if the DKIM verification fails.
 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords:
0 comment(s)
Diary Archives