DKIM

Back up to the Email Category
From AAISP Support Site
Revision as of 14:13, 13 December 2019 by AA-Andrew (talk | contribs) (Created page with "<indicator name="Faults">link=:Category:Email|30px|Back up to the Email Category</indicator> '''Currently being trialled by staff, not available to c...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)


Currently being trialled by staff, not available to customers

What is DKIM?

ALso see SPF Record

DKIM is one of many methods which tries to protect email senders and recipients from spoofing/spam. A domain owner can add DNS records which publish a public key in a specially formatted TXT record. The email server they use for sending email (eg smtp.aa.net.uk) holds the private key and will sign messages and add this signature to the headers of the email.

Other mail servers which receive the email can then inspect the DNS record and the headers to check if it all matches up.

Optionally, further DNS records (DMARC) can be added which declare to these other email servers what should be done with messages that fail the DKIM test - eg, do noting, block or quarantine.

Even if messages are just signed, then this can help them not to be marked as spam by the recipient.

Signing by smtp.aa.net.uk

The A&A email relays, smtp.aa.net.uk, can optionally DKIM sign email that is sent through it.

Host/name: aaisp._domainkey
Type: TXT
Value: "v=DKIM1; t=y; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuloXhiatbx0YnrKgS+UL4tZrxcm1rdIxYqWDrs4aMrsFLM4IiSov0McwnFKFCXmo2zqh06OwcRwyMHe4pM+izxUnsMWCRs8BcaAuBhUM+Vbo6qwp5fWjtswaIgwVgJKwY610wg+qfuKM6o2qKc/Hy9Tj" "H5W8D64cSQ7jPCS5xu8CM4Ty/WG1Q7+cLKD1Y3stusqFEX0RFVkcSsvzHNggbDBlWAQCnGeG2+pOoAnfDqSvFvqASCOdjE9HbOZLcFnQRBDiPhegN3BYNWe6leC3SpjI67JNlhcOXAN2sT9m6bTpVFgQHLCnIY4L6TZx/mbpM0xF59kS9VPpYOtl6nQZCQIDAQAB"

Email will then be signed by the AAISP key.

Testing

There are various ways to test if signing is happening.

Send yourself an email If you send yourself an email, look at the header and you should see a DKIM-Signature: header which will include the signature along with s=aaisp which is the 'Selector we use'.

Send to a gmail account and check the DKIM report If you have access to a gmail account then send an email there, then in the little 3-dot menu in the email click 'Show Original'. You will then see the raw message but also information about SPF/DKIM/DMARC.


DMARC