Description of DKIM.
DKIM is a method that allows a receiving server to check whether an e-mail was sent by an authorized sender. It works by having the sending MTA sign the message with a key and the recipient's MTA verify that signature. The sender generates a key pair: a private key and a public key.
The private key is stored on the sender's server, and the sending MTA uses it to sign outgoing messages. The signature covers selected parts of the message, e.g. the sender's domain, the subject of the message, etc. The MTA creates the signature at the moment it accepts the message for delivery, so the message that reaches the recipient already carries information signed with the DKIM private key.
The sender publishes a record with the DKIM public key in its DNS zone. The receiving MTA fetches this key, uses it to verify the signature carried in the message header, and so checks that the signed information is intact. The DKIM public key record in the sender's DNS zone is published under a name of the form
selector._domainkey.domain.tld
where:
- selector: a string identifying the key within the domain; a domain can have multiple keys.
- _domainkey: a fixed label; the TXT record published at this name carries the domain's public key, encoded in Base64.
The sending MTA signs the message with the private key and places the signature in the message header. The receiving MTA reads this header and checks the authenticity of the sender by looking up the sender's key in DNS (selector._domainkey).
The receiving MTA may act on the DKIM verification result; for the Exim MTA the possible results (dkim_status) are:
- none: no DKIM signature
- pass: DKIM ok
- fail: DKIM invalid
- invalid: verification error
A DKIM key record also carries a flag saying whether the key is in the testing phase or not (Exim exposes it as $dkim_key_testing).
Sample DKIM rules for the Exim MTA.
First check that Exim was built with DKIM support:
server# exim -bV
Support for: crypteq IPv6 Perl OpenSSL move_frozen_messages Content_Scanning DKIM DNSSEC Event OCSP PIPE_CONNECT PRDR SPF DMARC TCP_Fast_Open Experimental_SRS
acl_smtp_dkim:
  ### DENY #####################################################################################################################################
  # Reject incoming mail when the DKIM result is invalid or fail and the key is not in testing mode
  deny
    condition   = ${if eq{$dkim_key_testing}{0}}
    dkim_status = invalid
    log_message = DKIM Invalid: signer=$dkim_cur_signer status=$dkim_verify_status reason=$dkim_verify_reason
    message     = DKIM Invalid: signer=$dkim_cur_signer\nstatus=$dkim_verify_status\nreason=$dkim_verify_reason, test=$dkim_key_testing
  deny
    condition   = ${if eq{$dkim_key_testing}{0}}
    dkim_status = fail
    log_message = DKIM: Failed. reason=$dkim_verify_reason
    message     = DKIM Invalid: signer=$dkim_cur_signer\nstatus=$dkim_verify_status\nreason=$dkim_verify_reason, test=$dkim_key_testing
  ### WARN #####################################################################################################################################
  # Accept mail whose DKIM check fails while the key is still in the testing phase, but tag, log and delay it
  warn
    condition   = ${if eq{$dkim_key_testing}{1}}
    dkim_status = invalid
    add_header  = X-DKIM: status=$dkim_verify_status signer=$dkim_cur_signer reason=$dkim_verify_reason, test=$dkim_key_testing
    log_message = DKIM Invalid: signer=$dkim_cur_signer status=$dkim_verify_status reason=$dkim_verify_reason
    message     = DKIM Invalid: signer=$dkim_cur_signer\nstatus=$dkim_verify_status\nreason=$dkim_verify_reason, test=$dkim_key_testing
    delay       = 30s
  warn
    condition   = ${if eq{$dkim_key_testing}{1}}
    dkim_status = fail
    add_header  = X-DKIM: status=$dkim_verify_status signer=$dkim_cur_signer reason=$dkim_verify_reason, test=$dkim_key_testing
    log_message = DKIM: Failed. reason=$dkim_verify_reason
    message     = DKIM Invalid: signer=$dkim_cur_signer\nstatus=$dkim_verify_status\nreason=$dkim_verify_reason, test=$dkim_key_testing
    delay       = 30s
  # DKIM ok, accept and record the result in a header
  warn
    dkim_status = pass
    add_header  = X-DKIM: status=$dkim_verify_status signer=$dkim_cur_signer
  # The penalty for having no DKIM signature is a delay before the mail is accepted
  warn
    dkim_status = none
    add_header  = X-DKIM: status=$dkim_verify_status signer=$dkim_cur_signer reason=$dkim_verify_reason
    delay       = 60s
#
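As an added illustration (not part of the original article), the following Python script builds the DNS lookup name from the s= and d= tags of a DKIM-Signature header, reads the t=y testing flag from the published TXT record (the flag Exim exposes as $dkim_key_testing), and applies the same accept/delay/deny policy as the ACL above. The header, TXT records, domain and selector are constructed sample data.

```python
# Added example (not from the original article): derive the DKIM DNS name,
# read the key's testing flag, and apply the ACL policy shown above.
import re

def parse_tags(value):
    """Parse a DKIM tag=value list (same syntax in the header and the TXT record)."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)  # folding whitespace is allowed in values
    return tags

def dns_key_name(dkim_signature_header):
    """Return selector._domainkey.domain for the s= and d= tags of the signature."""
    tags = parse_tags(dkim_signature_header)
    return f"{tags['s']}._domainkey.{tags['d']}"

def key_is_testing(txt_record):
    """True when the published key carries t=y (Exim sets $dkim_key_testing to 1)."""
    flags = parse_tags(txt_record).get("t", "")
    return "y" in flags.split(":")

def acl_action(status, testing):
    """Mirror acl_smtp_dkim: return (verb, delay_seconds) for a verification result."""
    if status in ("invalid", "fail"):
        return ("warn", 30) if testing else ("deny", 0)
    if status == "none":
        return ("warn", 60)
    return ("warn", 0)  # pass: accept, only an X-DKIM header is added

# Constructed sample data; hashes and keys are placeholders, not real material.
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail2024;\r\n"
             "\th=from:to:subject:date; bh=PLACEHOLDER_BODY_HASH=;\r\n"
             "\tb=PLACEHOLDER_SIGNATURE=")
TXT_TESTING = "v=DKIM1; k=rsa; t=y:s; p=PLACEHOLDER_PUBLIC_KEY"
TXT_PROD = "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"

if __name__ == "__main__":
    print(dns_key_name(SIGNATURE))  # mail2024._domainkey.example.com
    for txt in (TXT_TESTING, TXT_PROD):
        print(txt, "->", acl_action("fail", key_is_testing(txt)))
```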
Implementing DKIM on your own mail server makes our messages credible to recipients as authentic, and at the same time lets recipients apply their own policy to forged messages that impersonate our domains. The effect is to eliminate bogus messages sent without our knowledge by unauthorized, foreign MTAs.