version=pmwiki-2.2.130 ordered=1 urlencoded=1 agent=w3m/0.5.3+git20210102 author=jrmu charset=UTF-8 csum= ctime=1622985562 host=125.231.60.101 name=DNS.DKIM rev=14 targets=PGP.Intro

(:title DomainKeys Identified Mail:)

!! Introduction

DomainKeys Identified Mail (DKIM) is used to detect whether an e-mail is spoofed (forged).
It is used to prevent spam and phishing. Signing your mail with DKIM helps receivers
detect spam that pretends to come from your domain. It also helps the mail you send
pass spam filter checks; unsigned mail may not end up in the inbox.

An email is signed with a private key. This allows the receiver to check whether the email
comes from the domain it claims to be from. The receiver looks up the sender's
public key in the domain's DNS records. A valid signature guarantees that the sending
mail server has access to the private key and that the signed headers and the body have
not been tampered with in transit.

DKIM, SPF, and DMARC are designed to work together.

!! DKIM Header

In our setup, the mail server will sign the message with its private key. Here
is what the DKIM header looks like:

[@
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=mail; bh=gVJEBqfjoVwtQhV
 vV3FHh0UQBW0m9unTpuaaGORFGKI=; h=subject:date:from;
 d=example.com; b=Jv/9zpB2AJGosO4/uYlZxFEm1UFOTy56JBi/nhsjg
 Am5Qe+rkuKYru5mSqvP01ii/sQRI4exNbG/S8ihdcEXsr5fr8yK4IvLkY8jO5O0xMhblyS
 PbFGMw7SW2AwLWu95OyHK5teZPzE/SS5U39Zlqs7tS1m8iZo2tPBa70t9204na8/eOT6N7
 8IzNIfRHJfF4dNGVX61t9xknkcJrJdC6npO0l4MVTky66safTbcCjlM6JihbUd5j4uOU5I
 WREE02CLQKWg5c/UnjQQ96Dt308f2RvxeWA6P8hxsjD/FLDIR2U1ZEQyo7k03KCJbdRVw8
 IHJTdENGGL3p7aM1v8wdg==
@]

|| border=1 width=100% class="sortable simpletable"
||! Tag ||! Meaning ||! Example ||
|| v || version || v=1 ||
|| a || signing algorithm (key type and hash) || a=rsa-sha256 ||
|| d || signing domain || d=example.com ||
|| s || selector (names the key in DNS) || s=mail ||
|| c || canonicalization algorithm (header/body) || c=simple/simple ||
|| h || signed header fields || h=subject:date:from ||
|| bh || body hash || bh=gVJEBqfjoVwtQhVvV3FHh0UQBW0m9unTpuaaGORFGKI= ||
|| b || signature || b=Jv/9zpB2AJGosO4/uYlZxFEm1UFOTy56JBi/nhsjgAm5Qe+rku\\
KYru5mSqvP01ii/sQRI4exNbG/S8ihdcEXsr5fr8yK4IvLkY8j\\
O5O0xMhblySPbFGMw7SW2AwLWu95OyHK5teZPzE/SS5U39Zlqs\\
7tS1m8iZo2tPBa70t9204na8/eOT6N78IzNIfRHJfF4dNGVX61\\
t9xknkcJrJdC6npO0l4MVTky66safTbcCjlM6JihbUd5j4uOU5\\
IWREE02CLQKWg5c/UnjQQ96Dt308f2RvxeWA6P8hxsjD/FLDIR\\
2U1ZEQyo7k03KCJbdRVw8IHJTdENGGL3p7aM1v8wdg== ||

''Tip'': Many mail clients let you view the mail headers of the email you receive. If you
display all headers, you can see the DKIM header.

A receiving SMTP server performs a DNS lookup based on the selector and the domain name: the
TXT record at selector._domainkey.domain. In the example above, it will look up the TXT
record of mail._domainkey.example.com. The returned TXT record should look like this:

[@
"k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDmzRmJRQxLEuyYiyMg4suA2Sy
MwR5MGHpP9diNT1hRiwUd/mZp1ro7kIDTKS8ttkI6z6eTRW9e9dDOxzSxNuXmume60Cjbu08gOyhPG3
GfWdg7QkdN6kR4V75MFlw624VY35DaXBvnlTJTgRg/EW72O1DiYVThkyCgpSYS8nmEQIDAQAB"
@]

Here k=rsa gives the key type, t=s is a flag meaning that the domain in d= must exactly
match the domain in any i= tag (no subdomains), and p= is the base64-encoded public key.
The verifier recomputes bh= from the body using the c= canonicalization, then checks b=
with that public key over the header fields listed in h= plus the DKIM-Signature header
itself.

!! Security Notes

A valid DKIM signature proves that a mail server holding the private key published for
the d= domain and s= selector handled the message, and that the signed headers and body
were not modified after signing.

Note that DKIM does not provide end-to-end integrity. It is a server-level signature: any
message the server is configured to sign gets a valid signature no matter who submitted
it, and a stolen private key lets an attacker sign as your domain until you publish a new
key under a new selector. For end-to-end integrity, both sender and receiver will need to
use [[PGP/intro|PGP]].

!! OpenSMTPd and DKIM

For OpenSMTPd to sign its mail with DKIM, you will need to create a public and private
DKIM key:

[@
# the _dkimsign group must exist before useradd; if it does not, create it first:
#   $ doas groupadd -v _dkimsign
$ doas useradd -s /sbin/nologin -d /var/empty -g _dkimsign -G _smtpd _dkimsign
# 1024 bits is the minimum RFC 8301 allows; 2048 is recommended (see the note below)
$ openssl genrsa -out private.key 1024
$ openssl rsa -in private.key -pubout -out public.key
# private key readable by its owner only, public key world-readable, both read-only
$ chmod og-rwx private.key
$ chmod og-wx public.key
$ chmod u-w public.key private.key
$ doas mkdir /etc/mail/dkim
$ doas mv private.key public.key /etc/mail/dkim/
# the owner must be the user the signing filter runs as, or it cannot read private.key
$ doas chown -R _smtpd:_dovecot /etc/mail/dkim/
@]

We then create a DKIM record by taking the public key, removing the first and last
line (the BEGIN and END markers), then joining all the remaining lines together:

[@
$ doas cat /etc/mail/dkim/public.key | awk '/-----/{if (NR!=1)print "";next}{printf $0}' -
@]

Running this command on public.key should produce text like the following:

[@
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmseF9Dm8Dx1LtmLMD56d628JBNaQus8aEcdYYzvBVQ4rhetZzv/ZMafjTEf2RLoOQ+pb7pqL4G86lCZSF+Eeu2ODWQQGYqGVV0xUK5QJSnsGF5UKKscrxmTHSPPtoAQJt25fxNd3PtvH2ZonAGkZkntk+u6Wn5xxlI9hMOVxLUwIDAQAB
@]

This key goes into the DKIM DNS records. The names below are relative, so they belong in
the zone of the signing domain (example.com in the header above):

[@
_adsp._domainkey 86400 IN TXT "dkim=discardable;"
mail._domainkey 86400 IN TXT "k=rsa; t=s; p=<public key>"
@]

The final result should look like this:

[@
_adsp._domainkey 86400 IN TXT "dkim=discardable;"
mail._domainkey 86400 IN TXT "k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmseF9Dm8Dx1LtmLMD56d628JBNaQus8aEcdYYzvBVQ4rhetZzv/ZMafjTEf2RLoOQ+pb7pqL4G86lCZSF+Eeu2ODWQQGYqGVV0xUK5QJSnsGF5UKKscrxmTHSPPtoAQJt25fxNd3PtvH2ZonAGkZkntk+u6Wn5xxlI9hMOVxLUwIDAQAB"
@]

Two things to keep in mind about these records. The _adsp._domainkey record carries an ADSP
policy (RFC 5617), which was declared historic in 2013 and is ignored by most receivers;
publish a DMARC record to tell receivers what to do with unsigned mail claiming to be from
your domain. And RFC 8301 requires signing keys of at least 1024 bits and recommends 2048;
a 2048-bit p= value is longer than the 255 bytes a single DNS character-string can hold, so
the TXT data must be written as several quoted strings one after another, which resolvers
and DKIM verifiers join back together.
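As an added example (not code from the original page), here is the receiving side of what the DKIM Header section describes, in Python: it unfolds the page's DKIM-Signature header, derives the selector._domainkey.domain name the verifier looks up, parses the tags of the TXT record, and recomputes bh= with RFC 6376 simple body canonicalization. The sample header and TXT record are constructed from the values on this page; the final b= check (an RSA verification over the signed headers) is not implemented here.

```python
import base64
import hashlib
import re

# Constructed sample: the folded DKIM-Signature header shown on this page, with the
# b= value cut short (it is only parsed here, never verified, so that does not matter).
SAMPLE_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=mail; bh=gVJEBqfjoVwtQhV\r\n"
    " vV3FHh0UQBW0m9unTpuaaGORFGKI=; h=subject:date:from;\r\n"
    " d=example.com; b=Jv/9zpB2AJGosO4/uYlZxFEm1UFOTy56JBi/nhsjg\r\n"
    " Am5Qe+rkuKYru5mSqvP01ii/sQRI4exNbG/S8ihdcEXsr5fr8yK4IvLkY8jO5O0xMhblyS\r\n"
)
# Constructed sample TXT record, in the "k=rsa; t=s; p=..." form the page publishes.
SAMPLE_TXT = "k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDmzRmJRQxLEuyYiyMg4suA2Sy"

def parse_tags(value):
    """Split a DKIM tag=value list (header value or TXT rdata) into a dict.
    Whitespace inside a value is dropped, as RFC 6376 requires for folded b= and bh=."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def parse_signature(header):
    """Unfold a DKIM-Signature header and return its tags."""
    name, _, value = header.partition(":")
    if name.strip().lower() != "dkim-signature":
        raise ValueError("not a DKIM-Signature header")
    return parse_tags(value.replace("\r\n", ""))

def dns_name(tags):
    """Name of the TXT record the verifier fetches: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def canonical_body_simple(body):
    """RFC 6376 'simple' body canonicalization: drop trailing empty lines and make
    sure the body ends with exactly one CRLF (an empty body becomes a lone CRLF)."""
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith("\r\n") else body + "\r\n"

def body_hash(body, algorithm="rsa-sha256"):
    """Recompute bh=: base64 of the hash named by a= over the canonicalized body."""
    digest = hashlib.sha1 if algorithm.endswith("sha1") else hashlib.sha256
    return base64.b64encode(digest(canonical_body_simple(body).encode()).digest()).decode()

def body_hash_matches(tags, body):
    """First verification step: recompute bh= and compare (only c=*/simple is implemented)."""
    c = tags.get("c", "simple/simple").split("/")
    if (c[1] if len(c) > 1 else "simple") != "simple":
        raise NotImplementedError("only simple body canonicalization is implemented")
    return body_hash(body, tags.get("a", "rsa-sha256")) == tags["bh"]

if __name__ == "__main__":
    sig = parse_signature(SAMPLE_HEADER)
    print("lookup", dns_name(sig), "-> key type", parse_tags(SAMPLE_TXT)["k"])
    print("bh= for body 'Hello':", body_hash("Hello"), "matches page:", body_hash_matches(sig, "Hello"))
```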
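Added example, not the page's or OpenSMTPd's own code: the same conversion the awk one-liner in the OpenSMTPd section performs, in Python, extended to emit the zone-file line and to split the TXT data into 255-byte quoted strings when the p= value is too long for one DNS character-string (as it is for a 2048-bit key). The PEM below is the page's public key re-wrapped at 64 columns, which is the layout openssl writes; the 64-column wrapping is an assumption.

```python
# Constructed sample: the public key printed on this page, wrapped at 64 columns the way
# "openssl rsa -pubout" writes it (assumed layout; the key bytes are the page's).
SAMPLE_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmseF9Dm8Dx1LtmLMD56d628JB
NaQus8aEcdYYzvBVQ4rhetZzv/ZMafjTEf2RLoOQ+pb7pqL4G86lCZSF+Eeu2ODW
QQGYqGVV0xUK5QJSnsGF5UKKscrxmTHSPPtoAQJt25fxNd3PtvH2ZonAGkZkntk+
u6Wn5xxlI9hMOVxLUwIDAQAB
-----END PUBLIC KEY-----
"""

DNS_STRING_LIMIT = 255  # one TXT <character-string> holds at most 255 bytes

def pem_to_p_value(pem):
    """Same job as the page's awk one-liner: drop the BEGIN/END lines and join the
    base64 body into the single string that goes into the p= tag."""
    if "-----BEGIN PUBLIC KEY-----" not in pem:
        raise ValueError("expected a PEM PUBLIC KEY block (openssl rsa -pubout)")
    lines = (ln.strip() for ln in pem.splitlines())
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))

def quote_rdata(rdata, limit=DNS_STRING_LIMIT):
    """Quote TXT rdata, splitting it into several strings when it is longer than one
    <character-string> allows; resolvers and DKIM verifiers concatenate the pieces."""
    pieces = [rdata[i:i + limit] for i in range(0, len(rdata), limit)]
    return " ".join(f'"{piece}"' for piece in pieces)

def dkim_zone_line(selector, pem, ttl=86400, strict=True):
    """Zone-file line for <selector>._domainkey, relative to the domain's own zone,
    in the same tag order the page uses. strict=True publishes t=s (no subdomains)."""
    rdata = f"k=rsa; {'t=s; ' if strict else ''}p={pem_to_p_value(pem)}"
    return f"{selector}._domainkey {ttl} IN TXT {quote_rdata(rdata)}"

def p_value_from_rdata(quoted):
    """Reverse direction, what a verifier does: join the quoted strings, parse the
    tags and return the public key from p=."""
    joined = "".join(part.strip('"') for part in quoted.split('" "'))
    tags = dict(item.strip().split("=", 1) for item in joined.split(";") if "=" in item)
    return tags["p"]

if __name__ == "__main__":
    print(dkim_zone_line("mail", SAMPLE_PEM))
```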