DKIM vs Domain Keys

Question

I've configured DKIM (milter-dkim) on my mail server. Incoming e-mail sent from my domain now containts the following header:

X-DKIM: Sendmail DKIM Filter v2.8.3 MYDOMAIN.com o7FLH1Wa032083
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=mydomain.com; s=mail;
 t=1281907022; bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;
 h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type:
  Content-Transfer-Encoding;
 b=qetPkilXBdjnuqiKIyvAwsvTvJfAnq5urdgp/i7p/uLJ8DB+svy9A8C6CPmcfELsJ
  hDid5k2AN5JD+wM2INmUIgjeAa/IwpGTbuMloj0Wioh4njqIfbATJqOhuqxTjic

1.) So I guess that confirms that I have DKIM setup correctly, right?

But when I look at a message coming in from Google, I see:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
   ...snip...
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
   ...snip...

2.) What is the relationship of DomainKey-Signature vs DKIM-Signature?

coredump · Answer 1 · 2010-08-15T22:49:46.983

7

They are two separate things. DomainKeys is older, created by Yahoo!. DKIM is DomainKeys + Identified Internet Mail (another scheme to verify emails created by Cisco).

The headers are compatible, apparently, but some newer systems don't check DKIM, so you have to generate both to make everyone happy.

edited Aug 15 '10 at 22:49

answered Aug 15 '10 at 22:35

coredump

12,573
2
34
53

score 4 · Accepted Answer · answered Aug 15 '10 at 22:37

4

DKIM is a newer version of the DomainKeys protocol. If you sign your mail via DKIM, you should not need to implement DomainKeys.

answered Aug 15 '10 at 22:37

Borealid

240
1
3

Ah OK... So I wonder then, why Google/Facebook, et al. do both? is it just a legacy thing? – NinjaCat Aug 15 '10 at 22:39
3

They are quite different and distinct. DKIM is generally considered the successor to Domain Keys but using DKIM does NOT mean you don't need Domain Keys, as the latter is still being checked by a great many systems. Far better to implement both if possible. – John Gardeniers Aug 20 '10 at 01:19

score 3 · Answer 3 · answered Aug 15 '10 at 22:42

3

To answer your first question, it means that your outgoing mail is being signed, but you must have the corresponding DNS records in order for receiving mail servers to validate it.

When it's all setup, if you check your headers for a message that's come in, your mail server should provide some indication of it's success. If you have a Google account, it will display the results under the 'Authentication-Results' header. If it's setup correctly, you should see the following:

Authentication-Results: mx.google.com; spf=pass (google.com: domain of
root@example.com designates 1.1.1.1 as permitted sender)
smtp.mail=root@example.com; dkim=pass header.i=@example.com

Remember to setup SPF records too, they are more widely checked than DKIM/DomainKeys.

Question 2, DKIM is the newer implementation. If you have the ability to use DKIM, use it over DomainKeys.

answered Aug 15 '10 at 22:42

vmfarms

3,077
19
17

I have SPF working perfectly... Oh wait... I don't see the "Authentication-Results:" part in the headers at all for DKIM... – NinjaCat Aug 15 '10 at 22:51
1

Are you checking the headers from a Google account? "Authentication-Results" is a custom Google header. Other providers may or may not show the same headers. If you have a Google account, send a test message from your server to it, and click on the little drop down arrow beside "Reply" and go to "Show Original". You should see that header, even if you just have SPF records. – vmfarms Aug 15 '10 at 23:00
Yeah, I am looking via gmail, and I don't see anything about teh authentication results. I am going to create a new question now, since we're getting off topic... b/c this is more of an issue than my original question. – NinjaCat Aug 15 '10 at 23:30

DKIM vs Domain Keys

3 Answers3