DKIM .
-
Upload
jack-bryan -
Category
Documents
-
view
215 -
download
0
Transcript of DKIM .
• DKIM
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Email authentication - DKIM
1 DKIM checks the message content, deploying digital signatures. Rather
than using digital certificates, the keys for signature-verification are
distributed via the DNS. That way, a message gets associated to a
domain name.
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Email authentication - DKIM
1 A DKIM-compliant ADMD generates one or more pairs of Asymmetric key
algorithm|asymmetric keys, then hands private keys to the signing MTA, and publishes public keys on
the DNS
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Email authentication - DKIM
1 The purpose of a DKIM-signature is not to assure message integrity. Often, it does
not even guarantee that a message author's data, as per a signed From:
field, has a real name or a valid mailbox. The parts to be signed are chosen so as to identify the message unequivocally. A
valid signature just states that the message did actually flow through a box
operated by that ADMD.
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Email authentication - DKIM
1 While intermediate relays usually can add header fields without
breaking existing DKIM-signatures, changing character set, adding a tag
to the subject, adding a footer, or fixing the MIME structure of a
message are likely to break them
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim
1 'DomainKeys Identified Mail' ('DKIM') is an email validation system designed to detect email spoofing by providing a mechanism to
allow receiving mail exchangers to check that incoming mail from a domain name|domain is authorized by that domain's
administrators. A digital signature included with the message can be validated by the
recipient using the signer's public-key cryptography|public key published in domain
name system|the DNS.
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim
1 DKIM is the result of merging 'DomainKeys' and 'Internet Identified Mail'. This merged specification has been the basis for a series of IETF
#External links|standards-track specifications and support
documents which eventually resulted in Internet standard|STD
[http://datatracker.ietf.org/doc/STD76?include_text=1 76].
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim
1 [http://blog.fastmail.fm/2009/08/13/all-outbound-email-now-being-dkim-
signed/ All outbound email now being DKIM signed]
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim - Overview
1 In most cases, the signing module acts on behalf of the 'author'
organization or the originating service provider by inserting a 'DKIM-
Signature:' header field
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim - Overview
1 DKIM is independent of Simple Mail Transfer Protocol (SMTP) routing aspects in that it operates on the
RFC 5322 message -- the transported mail's header and body -- not the
SMTP envelope defined in RFC 5321. Hence the DKIM signature survives basic relaying across multiple MTAs.
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim - Overview
1 DKIM allows the signer to distinguish its legitimate mail stream. It does not directly prevent or disclose abusive
behavior.
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim - Overview
1 This ability to distinguish legitimate mail from potentially forged mail has
benefits for recipients of e-mail as well as senders, and DKIM awareness
is programmed into some e-mail software.
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim - How it works
1 The DKIM-Signature header field consists of a
list of tag=value parts
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim - How it works
1 Note that the DKIM-Signature header field itself is always implicitly included in 'h'.
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim - Development
1 In September 2011, RFC 6376 merged and updated the latter two documents, while preserving the substance of the DKIM protocol
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim - Development
1 DKIM was initially produced by an informal industry consortium and
was then submitted for enhancement and standardization by the IETF DKIM
Working Group, chaired by Barry Leiba and Stephen Farrell, with
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim - Development
1 Source code development of one common library is led by 'The
OpenDKIM Project', following the most recent protocol additions, and licensing under the BSD licenses#3-clause license (New BSD License)|
New BSD License.
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim - Patent encumbrance
1 DomainKeys is covered by assigned to Yahoo! Inc. For the purpose of the
DKIM IETF Working Group, Yahoo! released the now obsolete DK library
under a dual license scheme: the DomainKeys Patent License
Agreement v1.2, an unsigned version of which can still be found, and GNU General Public License v2.0 (and no
other version).https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim - Advantages
1 * It allows a great reduction in abuse desk work for DKIM-enabled domains
if e-mail receivers use the DKIM system to identify forged e-mail
messages claiming to be from that domain.
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim - Use with spam filtering
1 However, widespread use of DKIM can prevent spammers from forging
the source address of their messages, a technique they commonly employ today.
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim - Anti-phishing
1 DKIM can be useful as an anti-phishing technology. Mailers in
heavily phished domains can sign their mail to show that it is
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim - Anti-phishing
1 genuine. Recipients can take the absence of a valid signature on mail from those domains to be an indication that the mail is probably forged. The best way to determine the set of domains that merit this degree of scrutiny remains an open question; DKIM has an optional feature called Author Domain
Signing Practices|ADSP that lets authors that sign all their mail self-identify, but the effectiveness of this approach remains
questionable:
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim - Anti-phishing
1 Working with eBay and PayPal, Google has effectively utilized DKIM in GMail in such a
way that any e-mail that claims to be coming from ebay.com or PayPal.com will not be accepted at all if they cannot be verified successfully with DKIM. Such
messages won't even appear in the Spam folder. Heavily phished domains that
deserve such treatment are few in number, far less than those who publish strict
policies.https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim - Compatibility
1 Because it is implemented using DNS records and an added RFC 5322
header field, DKIM is compatible with the existing e-mail infrastructure. In
particular, it is transparent to existing e-mail systems that lack
DKIM support.
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim - Protocol overhead
1 DKIM requires cryptographic checksums to be generated for each message sent through a mail server,
which results in overhead (computing)|computational overhead
not otherwise required for e-mail delivery
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim - Protocol overhead
1 This facet of DKIM may look similar to hashcash, except that the receiver
side verification is not a negligible amount of work.
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim - Weaknesses
1 DKIM signatures do not encompass the message envelope, which holds the return-
path and
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim - Weaknesses
1 message recipients. Since DKIM does not attempt to protect against mis-addressing, this does not affect its
utility.
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim - Arbitrary forwarding
1 As mentioned above, authentication is not the same as abuse prevention:
DKIM doesn't prevent a spammer from composing an ad at a reputable domain so as to obtain a signed copy
of the message
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim - Content modification
1 in format=flowed the quotes can be legally removed, which breaks DKIM signatures
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim - Content modification
1 The OpenDKIM Project organized a data collection involving 21 mail
servers and millions of messages. Only '92.3% of observed signatures
were successfully verified', a success rate that drops slightly (90.5%) when only mailing list traffic is considered.
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim - Annotations by mailing lists
1 These problems are exacerbated when filtering or relaying software adds actual changes to a message.
Although legitimate, the footer addition operated by most Electronic
mailing list|mailing lists and many central Antivirus software|antivirus solutions, formally, are exactly the
kind of message tampering that DKIM has been designed to guard
against.https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim - Annotations by mailing lists
1 by DKIM.
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim - Annotations by mailing lists
1 Some suggest that these limitations could be addressed by combining
DKIM with SPF, because SPF (which breaks when messages are
forwarded) is immune to modifications of the e-mail data, and mailing lists typically use their own SMTP error address, also known as Return-Path. In short, SPF works
without problems where DKIM might run into difficulties, and vice versa.
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
Dkim - 2012 usage vulnerability
1 [http://www.wired.com/threatlevel/2012/10/dkim-vulnerability-widespread How a Google
Headhunter’s E-Mail Unraveled a Massive Net Security Hole]
https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
For More Information, Visit:
• https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html
The Art of Servicehttps://store.theartofservice.com