
[ietf-dkim] DKIM "blurb"

2007-05-24 06:14:39
Like many I was asked for comments on DKIM after the RFC was
announced.  Below is my simplified, mostly correct, summary.
Feel free to copy, modify, or distribute.

        Wietse

What DKIM is

DKIM (domain keys identified mail) is email authentication technology,
developed in an IETF (internet engineering task force) working
group.  It allows recipients to identify the origin of email more
reliably than by looking at its FROM address.

Where DKIM software runs

Typically DKIM software does not run on end-user systems. Instead,
it runs on mail servers that send and receive mail across the
Internet. For mail within an organization, there may be other ways
to deal with email forgeries.

How DKIM works

With DKIM, a sending mail server stamps outgoing mail with a
cryptographic signature of header and body content; a receiving
server verifies the signature on incoming mail, using a public key
that is stored in the DNS (domain name system) under a sender-specified
domain name. The DKIM signature and other information are stored
in an extra header inside the email message.

What DKIM is not

DKIM is not to be confused with S/MIME or PGP-like technologies.
While S/MIME etc. identifies the "user" who sends mail, the DKIM
signature typically identifies the sending mail server or organization.
The mail server operator needs to ensure that it will stamp only
mail from appropriate users (for example, an organization's mail
servers would stamp mail only from users on the organization's own
networks).

What DKIM can/cannot do

DKIM typically allows a recipient to find out if mail from PAYPAL.COM
was sent through a PAYPAL.COM mail server. However, DKIM does not
tell the recipient whether or not REALLY-SECURE-PAYPAL.COM and other
look-alike domains are owned by thieves, and whether mail from those
domains can be trusted when it has a correct DKIM signature.

DKIM as enabler for reputation services

DKIM provides a way to identify email senders more reliably than
by looking at the FROM address.  To decide whether or not a DKIM
signature can be trusted, users need to use "reputation" information,
either information from the user's address book (I have done business
with REALLY-SECURE-PAYPAL.COM before and I trust them) or from
third-party reputation services that are still being developed.

DKIM availability

DKIM support is available for many major mail servers, including
open source mail servers such as Sendmail and Postfix.
  • [ietf-dkim] DKIM "blurb", Wietse Venema <=
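
Added example, not part of the original post: a Python sketch of what a receiving server reads from the extra header described under "How DKIM works" before it verifies anything, namely the signing domain, the DNS name where the public key is published, and whether the signer matches the FROM address. The tag names and the `<selector>._domainkey.<domain>` layout come from the DKIM specification (RFC 6376), not from the post; the sample message and its placeholder signature values are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the bh= and b= values are placeholders, not real signatures.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.net;\n"
    "\ts=mail2007; h=from:to:subject:date;\n"
    "\tbh=PLACEHOLDERBODYHASH=; b=PLACEHOLDER\n"
    "\tSIGNATURE=\n"
    "From: Alice <alice@example.com>\n"
    "To: bob@example.org\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

REQUIRED = ("v", "a", "b", "bh", "d", "h", "s")  # tags a signature must carry


def parse_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            # Folding whitespace inside these values carries no meaning.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def describe_signatures(raw_message):
    """Report what each DKIM-Signature header claims, without verifying it."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reports = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        domain = tags.get("d", "").lower()
        signed = [h.lower() for h in tags.get("h", "").split(":")]
        reports.append({
            "signing_domain": domain,
            # The verifier fetches the public key from a TXT record at this name.
            "key_dns_name": f"{tags.get('s', '')}._domainkey.{domain}",
            "missing_tags": [t for t in REQUIRED if t not in tags],
            "from_header_signed": "from" in signed,
            "from_matches_signer": from_domain == domain
            or from_domain.endswith("." + domain),
        })
    return reports
```

In the sample the signature is well-formed but `d=example.net` does not match the `example.com` FROM address, which is the case a receiver has to judge with reputation data rather than cryptography.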