DKIM is one way to make it easier for other servers to figure out if an e-mail sent on behalf of your domain is spoofed. Your mail server adds a digital signature to each e-mail, authenticating the source. This isn't as good as signing the entire e-mail, but it is a useful tool to at least validate the domain used in the "From" header. The problem is that DKIM can be tricky to debug. If you have mail rejected, it is useful to be able to manually verify what went wrong. For example, you may have several keys, and the wrong key was used, which is one of the trickier issues to debug. Let's start with the basics: first make sure the e-mail you send is actually signed. Look for the "DKIM-Signature" header:
There are a couple of important pieces to look for:
Using these two values, we can retrieve the public keys from DNS:
$ dig +short TXT default._domainkey.dshield.org
At this point we know which key was used to sign the headers, and we have the public key to verify it. You probably already spotted the algorithm used to sign the headers: "a=rsa-sha256". DKIM only signs specific headers. In our case, we signed the To, Subject, Date and From headers, which can be learned from the "h=..." field above. For the sample e-mail above, these headers are:
To: jullrich@euclidian.com
Subject: Testing DKIM
Date: Wed, 29 Jan 2014 19:25:18 +0000 (UTC)
From: jullrich@dshield.org (Johannes Ullrich)
Luckily, we don't have to do all the verification "by hand". Instead, we can use the "opendkim-testmsg" tool. We just pass the raw e-mail message to it.
The tool is pretty basic, in that it does not provide any output if the verification succeeds. The tool will retrieve the key automatically.
For example:
$ opendkim-testmsg < TestingDKIM.eml
$
On failure, you will get a generic error:
$ opendkim-testmsg < TestingDKIM.eml
opendkim-testmsg: dkim_eom(): Bad signature
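The same first checks scripted, as an added example that is not part of the diary or the OpenDKIM tools: it parses the DKIM-Signature tag list, derives the DNS name of the key the way the dig command above does, lists the headers named in h=, and recomputes the body hash (bh=), which tells a modified body apart from a header signature that fails against the key. The message is a constructed sample modelled on the one above; the b= signature itself is not verified because that needs the signing key.

```python
import base64
import hashlib
import re

def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag list)."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)  # folding whitespace carries no meaning
    return tags

def key_record_name(tags):
    """DNS TXT name holding the public key: <selector>._domainkey.<domain> (s= and d= tags)."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def signed_headers(tags):
    """Header names covered by the signature, taken from the h= tag."""
    return [name.lower() for name in tags["h"].split(":") if name]

def canonicalize_body_simple(body):
    """'simple' body canonicalization: CRLF line ends, trailing empty lines reduced to one CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return re.sub(r"(\r\n)+$", "", body) + "\r\n"

def body_hash(body, algorithm="rsa-sha256"):
    """Base64 digest the bh= tag must carry for this body under the a= algorithm."""
    digest = hashlib.sha256 if algorithm.endswith("sha256") else hashlib.sha1
    return base64.b64encode(digest(canonicalize_body_simple(body).encode()).digest()).decode()

def body_hash_matches(raw_message):
    """True when bh= equals the recomputed body hash; False means the body was altered in transit."""
    text = raw_message.replace("\r\n", "\n")
    headers, _, body = text.partition("\n\n")
    sig = re.search(r"^DKIM-Signature:\s*(.*?)(?=^\S|\Z)", headers, re.M | re.S)
    tags = parse_dkim_tags(sig.group(1))
    return tags["bh"] == body_hash(body, tags.get("a", "rsa-sha256"))

# Constructed sample modelled on the diary's test message (not the real signed e-mail):
# bh= is filled in with body_hash() and b= is left empty, since only the body hash is checked.
SAMPLE_BODY = "Testing DKIM on dshield.org\n\n\n"
SAMPLE_SIGNATURE = ("v=1; a=rsa-sha256; c=simple/simple; d=dshield.org; s=default;\n"
                    "\th=to:subject:date:from; bh=" + body_hash(SAMPLE_BODY) + "; b=")
SAMPLE_MESSAGE = ("DKIM-Signature: " + SAMPLE_SIGNATURE + "\n"
                  "To: jullrich@euclidian.com\nSubject: Testing DKIM\n"
                  "Date: Wed, 29 Jan 2014 19:25:18 +0000 (UTC)\n"
                  "From: jullrich@dshield.org (Johannes Ullrich)\n\n" + SAMPLE_BODY)
```

A bh= mismatch means the body changed after signing (mailing-list footers are a common cause); if the body hash matches and opendkim-testmsg still reports a bad signature, look at the selector and the key published under that DNS name.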
If you do implement DKIM, I highly recommend you also configure reporting addresses via DMARC. This way, some larger ISPs will send you reports if the DKIM verification fails.
Johannes, ISC Handler, Jan 29th 2014