2

S/MIME can be used to encrypt email and it can also be used by the sender to provide his digital signature so that the recipient is able to confirm the authenticity of the sender.

Why then do we still need to have DKIM implemented on top of S/MIME in certain cases? I do understand that DKIM is used to authenticate the domain, but isn't a digital signature of the user via S/MIME a stronger form of authentication?

I would also appreciate it if, as an answer, someone could explain the flow of how DKIM can be implemented on top of S/MIME (the order in which the encryption and decryption steps happen).

Akash sharma

1 Answer

4

S/MIME and DKIM are totally independent from each other. S/MIME signature and encryption are applied by the sender (end user) while DKIM signatures are applied by the mail server of the sender's domain. Similarly, DKIM is usually verified by the mail server of the receiving domain while S/MIME signature and encryption are verified by the final recipient - the recipient's mail server usually does not have the necessary information anyway.

Additionally, DKIM (in connection with DMARC) is used to detect spoofing of the sender's domain only, while S/MIME signatures are used to verify the actual sender and not only the domain. And S/MIME offers encryption while DKIM does not.

It is true that a valid S/MIME signature provides a stronger proof of the sender than a DKIM signature. But there is no actual harm in using DKIM in addition to S/MIME.

Steffen Ullrich
  • Thank you Steffen for your clear reply. I have been trying to learn about S/MIME and DKIM in the past few days and do understand public key encryption, digital certificates, etc. I read that DKIM uses the body and header of the mail to generate a hash. But I had questions like what happens if S/MIME has been applied to the mail before it is processed by the mailing server to add the DKIM signature? It is becoming a little hard to connect all the things together to get the complete picture. Would it be possible for you to talk about one end to end flow involving both DKIM and S/MIME? – Akash sharma Sep 17 '19 at 10:33
  • @Akashsharma: An end to end flow involving both S/MIME and DKIM is nothing special. S/MIME is not aware of DKIM and DKIM is not aware of S/MIME, so this is a simple combination of the S/MIME and DKIM flows by itself. – Steffen Ullrich Sep 17 '19 at 10:49
  • Oh ok. But DKIM uses the email body and header to generate hashes which it then puts into the DKIM header. How does it access the header and the body? Aren't they already encrypted by S/MIME? Does it hash the encrypted version of the body and the header? – Akash sharma Sep 17 '19 at 13:17
  • @Akashsharma: S/MIME results in a normal MIME mail with header and body. DKIM accesses these and not the original header and body (before encryption). – Steffen Ullrich Sep 17 '19 at 13:37
  • @SteffenUllrich Thank you very much. Really appreciate your help. – Akash sharma Sep 18 '19 at 03:51
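
The ordering discussed in the answer and comments, as an added example that is not part of the original thread: the client applies S/MIME first, and the sending mail server then computes the DKIM body hash (`bh=`) over the resulting MIME body, which the receiving server can check without any S/MIME key. Assumptions: `smime_wrap` and `mta_verify` are hypothetical helpers, the "ciphertext" is a constructed opaque placeholder rather than real CMS output, and only the `bh=` step is shown, not the header signature in `b=`.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in re.split(rb"\r?\n", body)]
    while lines and lines[-1] == b"":      # drop empty lines at end of body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def dkim_body_hash(body: bytes) -> str:
    """bh= value for a=rsa-sha256 with relaxed body canonicalization."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def smime_wrap(plaintext: bytes) -> tuple[dict, bytes]:
    """Hypothetical stand-in for the sender's mail client. Real S/MIME emits a
    CMS EnvelopedData blob; this constructed placeholder is only opaque bytes."""
    blob = hashlib.sha256(b"constructed-placeholder" + plaintext).digest() * 4
    headers = {
        "Content-Type": 'application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"',
        "Content-Transfer-Encoding": "base64",
    }
    return headers, base64.encodebytes(blob).replace(b"\n", b"\r\n")

def mta_verify(bh_tag: str, received_body: bytes) -> bool:
    """Receiving mail server: recompute bh over the body as received.
    No S/MIME key is involved, so the server never sees the plaintext."""
    return dkim_body_hash(received_body) == bh_tag

PLAINTEXT = b"Quarterly numbers attached.\r\n"   # constructed sample body

if __name__ == "__main__":
    # 1. Sender's client applies S/MIME; the result is an ordinary MIME entity.
    headers, wire_body = smime_wrap(PLAINTEXT)
    # 2. Sender's mail server hashes that entity's body for DKIM-Signature bh=.
    bh = dkim_body_hash(wire_body)
    print("bh over S/MIME output:", bh)
    print("bh over plaintext    :", dkim_body_hash(PLAINTEXT))
    # 3. Receiving mail server checks DKIM; 4. recipient's client decrypts.
    print("intact ciphertext passes :", mta_verify(bh, wire_body))
    print("altered ciphertext passes:", mta_verify(bh, b"!" + wire_body[1:]))
```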