
DKIM Demystified - 20i
https://www.20i.com/blog/dkim-demystified/
======
ttul
The interesting technology these days is not DKIM but rather DMARC. DKIM
allows you to sign messages so that others know that the message originated
from the owner of the domain. DMARC allows you to express what you want
receivers to do when someone is spoofing your domain.

If you operate your own domain and you are worried about spoofing,
implementing DMARC will put a stop to it with all the major email receivers
(Gmail, Yahoo!, Microsoft, etc.), since they all respect DMARC.

But the really cool thing about DMARC is that it lets you receive feedback
reports from email receivers with copies of these spoofed messages along with
aggregate statistics showing you where spoofed email is originating.
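
As an added illustration of the policy-and-alignment logic described above (this code is not from the 20i article or from this thread), the following Python parses a DMARC TXT record, applies the SPF/DKIM identifier-alignment rules, and returns the disposition a receiver would apply. It approximates the "organizational domain" by the last two DNS labels instead of consulting the Public Suffix List; that shortcut is an assumption of the example, not how real receivers do it. The `report_addresses` helper extracts the `rua` destinations, which is where the feedback reports mentioned above are sent.

```python
"""Minimal DMARC record parser and evaluator (RFC 7489 alignment rules).

Added example; not code from the 20i article or the thread.
Simplification (assumption): organizational domain = last two labels.
"""


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; rua=mailto:x@example.com' into a dict of tags.

    Raises ValueError unless the record declares v=DMARC1 and a p= policy.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC1 record with a policy")
    return tags


def org_domain(domain):
    """Approximate organizational domain (assumption: last two labels)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' = strict (exact match), 'r' = relaxed (same org)."""
    if not auth_domain:
        return False  # that mechanism did not pass at all
    f, a = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


def evaluate(record, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Return (dmarc_result, disposition).

    spf_pass_domain: MAIL FROM domain if SPF passed, else None.
    dkim_pass_domain: d= of a DKIM signature that verified, else None.
    Disposition follows the p= tag only when DMARC fails.
    """
    tags = parse_dmarc(record)
    spf_ok = aligned(from_domain, spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(from_domain, dkim_pass_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]


def report_addresses(tags):
    """Aggregate-report (rua=) mailto destinations declared in the record."""
    out = []
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if uri.startswith("mailto:"):
            out.append(uri[len("mailto:"):])
    return out


if __name__ == "__main__":
    # Constructed sample: a spoofed message whose SPF passes for the
    # attacker's own domain does not align with the From: domain.
    rec = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    print(evaluate(rec, "example.com", spf_pass_domain="attacker.example"))
    print(evaluate(rec, "example.com", dkim_pass_domain="example.com"))
    print(report_addresses(parse_dmarc(rec)))
```

Note that a `p=none` record produces a disposition of `none` even on failure: it only turns on reporting, which is the usual first step before moving to `quarantine` or `reject`.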

~~~
brigandish
Is there a guide to setting it up you could suggest?

~~~
groovecoder
It's pretty verbose and lengthy, but I recently read the NIST "Trustworthy
Email" publication and it did a great job explaining these technologies -
Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain
Message Authentication, Reporting, and Conformance (DMARC) - that are used for
modern email authentication.

[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-177r1.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-177r1.pdf)
(PDF obv.)

------
jackweirdy
I’ve run my own mail server for about 5 years, and setting up DKIM was really
the most confusing part. Lots of guides explained “how-to” but not “why”. It
wasn’t really until I updated DNS that I got what it was about. This guide
does a great job of explaining “why”, I wish I could have read it before I got
started.

~~~
nooyurrsdey
Everyone says running your own mail server is not advised. Do you find it
difficult or time consuming? I'd like to try it but I'm worried it's too much
work - what's your setup?

~~~
jjav
Not OP, but also run my own email server, using postfix, since 2012. It is sad
that there is such a widespread belief it is impossible to do unless you're
google. Decentralization of basic internet services helps everyone, so if
you're at all interested and willing to learn, go for it!

There are plenty of guides on setting up postfix. Follow them, cross reference a
few, read the docs and use the various free email test sites to sanity check
everything. If you've never done it before, expect to dedicate 2-3 days to
this.

Ongoing maintenance is approximately nothing.

~~~
LeonM
> Ongoing maintenance is approximately nothing.

But don't forget to periodically check the TLS certificate of your SMTP
server. Administrators often forget to renew the certificates, and automated
renewal processes may also break.

I've seen countless examples of SMTP servers with expired certs. The problem
is that you won't notice it, as SMTP will fall back to plain-text
communication if the certificate is invalid. So the server will still work
with an expired cert.

But if you want to do it right, or if you want to adopt MTA-STS, you usually
need to do a bit of regular maintenance on the TLS part.

We've also had some of our users report that an expired cert was hurting their
domain reputation for spam algorithms. We have not been able to verify that,
but it sounds plausible.

~~~
jjav
Let's Encrypt makes this easy to automate and get notified of any problems on
renewal.

------
yrro
Whenever I send mail to a Debian mailing list, I receive notifications of DKIM
policy violations. I've never figured out whether the problem is on my side or
theirs...

[edit] having done a bit more research, I think the problem lies with the BTS:
[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754809](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754809)

~~~
parliament32
The mailing list probably appends a footer that breaks the DKIM signature.
This has been a known issue for basically all mailing lists for quite some
time.
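
To show concretely why an appended footer invalidates the signature, here is an added Python example (not code from the article or the thread) implementing DKIM's relaxed body canonicalization and the `bh=` body hash from RFC 6376 with the standard library only. The signature covers `bh=`, so any change to the canonicalized body, including a list footer, makes the body hash mismatch before the RSA signature is even examined. The sample message and footer are constructed for the example.

```python
"""DKIM relaxed body canonicalization and bh= body hash (RFC 6376 section 3.4.4).

Added example; not from the 20i article or the thread. Standard library only.
"""
import base64
import hashlib
import re


def canon_body_relaxed(body):
    """Relaxed canonicalization: collapse runs of WSP to one space, strip
    trailing WSP per line, drop empty lines at the end, and end the body
    with CRLF (an empty body canonicalizes to the empty string)."""
    lines = body.replace("\r\n", "\n").split("\n")
    out = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while out and out[-1] == "":
        out.pop()
    if not out:
        return ""
    return "\r\n".join(out) + "\r\n"


def body_hash(body):
    """Value of the bh= tag: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canon_body_relaxed(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_body_hash(body, bh_tag):
    """What a verifier does first: recompute bh= over the body it received.
    A mismatch is reported as 'body hash did not verify' and the signature
    is rejected without checking the RSA part at all."""
    return body_hash(body) == bh_tag


if __name__ == "__main__":
    # Constructed sample: the sender signs this body...
    original = "Hello list,\r\n\r\nPlease review the attached patch.\r\n"
    bh = body_hash(original)
    print("sender bh=", bh)
    # ...and the list appends a footer before relaying it.
    relayed = original + "-- \r\nListname mailing list\r\nunsubscribe: https://lists.example.org/\r\n"
    print("verifies at subscriber:", verify_body_hash(relayed, bh))  # False
```

The same reasoning applies to the header part: the `From:` header is always among the signed headers, so a list that rewrites `From:` must also re-sign, which is the approach the later replies discuss.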

~~~
antsar
Isn't that easily solved by rewriting the From header and re-signing the
email? Send it from:

Some List on behalf of John Sender <list@example.com>

... instead of ...

John Sender <john@other-example.com>

And now the list software can generate its own (valid) DKIM signature.

EDIT: Never mind, listen to dbqpdb[0] instead. ARC sounds like a better way to
go.

[0]
[https://news.ycombinator.com/item?id=21420732#21422328](https://news.ycombinator.com/item?id=21420732#21422328)

~~~
jraph
But you are right. This is what lists have been doing. They may also set the
X-Original-From or X-Original-Sender headers. Google Groups does it anyway.
ARC will be better than that though, of course.

------
Felz
I don't think this article mentions it, but you should probably rotate your
DKIM keys on a periodic schedule. Consequences for not doing so range from
possible key compromise to losing the United States Presidency.[1]

[1] [https://blog.erratasec.com/2016/10/yes-we-can-validate-wikileaks-emails.html](https://blog.erratasec.com/2016/10/yes-we-can-validate-wikileaks-emails.html)

