Internet and e-mail policy and practice
including Notes on Internet E-mail


Click the comments link on any story to see comments or add your own.

Subscribe to this blog

RSS feed

Home :: Email

04 Jul 2009

Three myths about DKIM Email

The DKIM standard has been out for two years now, and we're starting to see some adoption by large mail systems, but there's still a lot of misunderstanding about what DKIM does and doesn't do.

A DKIM signature means a message isn't spam

Any a mail system can add a signatures to the messages it handles, and spammers can sign their mail, too. A DKIM signature contains, stripped down to its basics, the domain of the signer and a checksum of the message. If you get a message with a valid DKIM signature, all you know is that the the message you got was the same one that the signer signed, since the checksum validates, and that the domain's management authorized the signature, since there was a validation key in the domain's DNS. The value of DKIM comes when you have a stream of messages signed by the same domain. If a domain has earned a reputation for signing good messages, for any version of "good" you like, it's reasonable to expect subsequent signed messages to be good, too, and vice versa. The signature is only useful as a handle to recognize a message as part of a group of signed mail.

A DKIM signature means the header information is "real"

Nope, it just means that the message you got was the message they signed. Once again, signers can sign anything they want. Even if the signing domain is the same as the domain part of the From: address, sometimes called a "first party" signature, there's still no guarantee about the From: line other than that the one you see is the one they signed.

Some signing domains may make a policy of only signing mail where the From: address is verified, perhaps by knowing that the original sender logged in with credentials linked to that address, but signing policy is deliberately outside the scope of the DKIM spec.

DKIM doesn't work with mailing lists

There's two kinds of lists, announcement lists where all the mail is from one sender, and discussion lists where subscribers send in messages that are resent to all of the list members. In both cases, the sensible thing for the list manager to do is to sign the mail from the list.

The confusion arises from the possibility that mail sent to a discussion list could already have a DKIM signature applied by the original sender's system. In most cases, mailing list software makes enough changes to messages that the original DKIM signature won't validate any more. Common changes such as adding the list name to the subject line, or adding headers or footers to the mail, particularly if they're edited into the HTML code of formatted mail, would break any existing signature. A few old-fashioned list management programs (often used for technical discussion lists, and hence disproportionately popular among the members of the DKIM group) sometimes change messages so little that list recipients could still verify the incoming signature as well as the signature applied by the list, so a few people have claimed that this is how to tell if mail sent to the list is "forged", and that list software should all stop modifying messages so all signatures pass through.

This shows a fairly basic misunderstanding of what mailing lists do. As opposed to forwarders, which blindly forward incoming mail from one address to another and are just a transit point, a mailing list is really both a destination for mail submitted to the list, and the sender of list mail. During the 40 years that there have been e-mail discussion lists, list managers have developed a wide variety of mechanical and manual means to decide what submitted mail is passed through to the list, forged mail to mailing lists has never been a significant problem, and there's no reason to think that will change just because some of the mail has signatures.

People subscribe to mailing lists because they want mail from the list, and nobody I know does spam filtering on mail that they already know is from lists they've subscribed to. (We may filter out mail from chronic bozos, but that's not spam filtering, that's just looking for their addresses on the From: line.) DKIM can be useful to list managers using incoming signatures as one of the criteria to recognize mail from subscribers and help decide what gets passed through to the list. It's also useful to list recipients to help recognize mail from the list using the list's signature. Both ways, far from not working with lists, DKIM makes list management and use easier and more reliable.

posted at: 21:17 :: permanent link to this entry :: 6 comments
posted at: 21:17 ::
permanent link to this entry :: 6 comments

comments...        (Jump to the end to add your own comment)

DKIM, lists and large domains
How do you tell the difference between DKIM signature, particularly ADSP, invalid verifications and email list breakage on a many thousand user domain where you don't keep track of every user's mail list subscription habits? What DKIM filtering options should I use?

(by daniel 29 Sep 2009 08:27)

gfe consultants
"People subscribe to mailing lists because they want mail from the list, and nobody I know does spam filtering on mail that they already know is from lists they've subscribed to. (We may filter out mail from "

i have to strongly disagree with this. the bayesians generally score mail from lists as very likely spam for several reasons just to name 2

i. not a valid from address ii. a large list of recipients

since the spam filters and the list servers are not cooperating software (maybe not on the same domain/machine etc) one ends up whitelisting these lists manually (or with wildcards if groups hoster trustworthy).

i also infer you think a mail forwarder should sign mail recieved before sending on. a problem with this is the forwardee then might reply directly to the orginal sender from that forwarded machine domain etc. which no matter how good the rep of the forwarder would look suspicious ;

and in fact i saw many people drop those replies (no bounce) until i included the end domain into the forwarding domain's SPF record. Hence forwarder's BBW.

So as a dkim consultant i humbly admit i don't eat my own cooking (sometimes)

George Elgin owner gfe consultants

(by george elgin 13 Dec 2009 23:33)

self-explanatory, no comment.

(by John R. Scott 27 Jan 2010 13:57)

How does SMTP server receive public key
Regarding DKIM, the receiving SMTP server uses the name of the domain from which the mail originated, the string "_domainkey", and a selector from the DKIM-Signature field to perform a DNS lookup. The returned data includes the domain's public key. How does SMTP server receive public key?

(by Ashish 26 Apr 2010 11:53)

spoofing question
I've just started receiving spam signed by my own personal domain. I'd appreciate any comments you have about this. Is it a major concern, or just a new trend in email spoofing?

(by Andrew Harris 07 Oct 2011 18:58)

How do I get rid of Domain Keys I can't access any of my information that I sent to my e-mail. there is a small key that appears when I try to retrieve my work, How do I get rid of this

(by Adele 27 Oct 2012 00:27)

Add your comment...

Note: all comments require an email address to send a confirmation to verify that it was posted by a person and not a spambot. The comment won't be visible until you click the link in the confirmation. Unless you check the box below, which almost nobody does, your email won't be displayed, and I won't use it for other purposes.

Email: you@wherever (required, for confirmation)
Title: (optional)
Show my Email address
Save my Name and Email for next time


My other sites

Who is this guy?

Airline ticket info

Taughannock Networks

Other blogs

Chart of Legal Actions taken under CASL
13 days ago

A keen grasp of the obvious
A little musical history
236 days ago

Related sites

Coalition Against Unsolicited Commercial E-mail

Network Abuse Clearinghouse

© 2005-2014 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.