[Flounder] Email tutorial: DKIM

DL Neil NZOSS at etelligence.info
Wed Apr 13 14:38:49 AEST 2022


Russell's tutorial, from our last meeting, is incomplete when it comes to
DKIM-signing. However, I found a number of alternatives to (compare and)
follow. Where is there reliable information/tutorial about the use of
header keys?


1 The state of the nation, um, server

Postfix+OpenDKIM is currently pushing-out:

	v=1;
	a=rsa-sha256;
	c=relaxed/simple;
	d=DOMAIN_NAME;  -- which varies by domain
	s=...;		-- varies
	t=...;
	bh=...;
	h=Date:From:Subject:To:From;
	b=...;


2 Results

According to email-headers received, these settings are reported twice
in message-headers. Should they? Why?


3 Differences between two DKIM-Signature reports

The differences between the two are in the t= and b= clauses (one
assumes if the time is different, the hash will be also). Is that it?


4 DNS settings

The domain dns TXT records supply:

	"
	v=DKIM1;
	k=rsa;
	p=...		-- varies
	"

Why does the TXT record say "k=rsa" when the email headers report
"a=rsa-sha256"? Are they reporting the same value, and if so, why the
different one-character key-names?


5 Which header fields to sign?

Searching-about, I failed to find any place which discusses the
where/why/how of altering the default Signature Content (listed above).
Do you have a reference please?


6 How to alter them?

In fact, that failure was compounded by a lack of any resource saying that
this should be accomplished in the dmarc TXT record of the domain's DNS.
Is it not possible to alter the default settings at the server-level
(rather than amending TXT records for every single domain)?


7 Which ones to use?

The part that bugs me is that one could go to a lot of trouble to
set-up DKIM to be 'nice and pretty', but as soon as a message is
submitted to a mailing-list/reflector things can become very messed-up,
eg the message is no-longer coming from my domain, and likely has had
list-admin headers added. There was a lot of discussion/complaint about
this, back when DKIM was being introduced (or imposed by big, ugly,
players). However, again, I failed to find something up-to-date which
ensures that we can all (now) live in peace. Are you aware of anything
helpful, please?


8 In-lieu of advice, went looking [for trouble]

Drawing-a-blank on the web left me inspecting the headers of
email-messages received. This revealed that whilst only a
comparative-few use DKIM, there was quite a variation in which headers
people have set (I could create a spreadsheet to illustrate this,
starting from the plain-vanilla 'Recommendations' from RFC 6376 5.4
"Determine the Header Fields to Sign"). What is an innocent, little, boy
supposed to do?


9 DNS experiment

Experimenting with the DKIM TXT record for one of my domains, inside the
quotation-marks, I added:

	h=In-Reply-To:Sender:Reply-To;

Running https://www.dmarcanalyzer.com/dkim/dkim-checker produces the
result "This seems to be a valid DKIM Record".

Sending to ProtonMail, they report Authentication-Results: ... dkim=fail
... reason="unknown key hash" (0-bit key), which is rather worrying. Do
you think it is because I've been too eager/fast for dns propagation?


10 Comparisons

Running https://www.dmarcanalyzer.com/dkim/dkim-checker to compare two
domains:

- an 'untouched' domain's DNS-TXT was reported to have "Declared tags"
v, p, and k. Meantime, "h" was described amongst the "Defaulted tags"
with an explanation of what the tag means, but not what the
default-values are.

- the 'augmented' DNS-TXT was reported to have h amongst the "Declared
tags" with values of "In-Reply-To:Sender:Reply-To", as you would expect.
Again, no comment about any other values, or those provided by-default.

Sending a message to ProtonMail and looking at headers, messages from
the domain augmented with "h=In-Reply-To:Sender:Reply-To;" are still
showing:

	h=Date:From:Subject:To:From;

(in both cases).

Does this suggest that Postfix/OpenDKIM is not looking at the domain's
DNS-TXT record when it creates the hash? Thus, is some corresponding
setting required somewhere within the server-config?


Phew!
Isn't this email-admin stuff 'fun'?
-- 
Regards,
=dn
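As an added example (not from the original post, nor from Postfix or OpenDKIM), the following Python parses the two tag lists quoted above, the DKIM-Signature header and the DKIM key TXT record, per RFC 6376 and checks one against the other: in the signature, a= carries the key type and hash algorithm (rsa-sha256) and h= lists the signed header fields, whereas in the key record k= is the key type and h= is the list of acceptable hash algorithms. Domain, selector, timestamp and key material are constructed placeholders.

```python
import re

def parse_tag_list(text):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict.
    Tags are separated by ';'; folding whitespace is not significant for
    the tags handled here, so it is stripped from the values."""
    tags = {}
    for part in text.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        name, _, value = part.partition("=")  # split on the first '=' only
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def signed_headers(sig_tags):
    """Header fields covered by the signature: the h= tag of DKIM-Signature."""
    return sig_tags.get("h", "").split(":")

def key_accepts_signature(key_tags, sig_tags):
    """Check a DKIM key record (DNS TXT) against a DKIM-Signature header.
    In the key record, k= is the key type (default rsa) and h=, if present,
    is the list of acceptable hash algorithms (default: all); it does not
    name header fields. Returns (ok, reason)."""
    if key_tags.get("v", "DKIM1") != "DKIM1":
        return False, "unsupported key record version"
    key_type, _, hash_alg = sig_tags.get("a", "").partition("-")
    if key_tags.get("k", "rsa") != key_type:
        return False, f"key type {key_tags.get('k', 'rsa')} != signature {key_type}"
    allowed = key_tags.get("h")
    if allowed and hash_alg not in allowed.split(":"):
        return False, f"hash {hash_alg} not in key record h={allowed}"
    if not key_tags.get("p"):
        return False, "empty p= tag means the key is revoked"
    return True, "ok"

# Constructed sample values mirroring the message; key material is a placeholder.
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.test; s=sel1; "
             "t=1649826000; bh=BODYHASHBASE64=; h=Date:From:Subject:To:From; b=SIGBASE64=")
KEY_RECORD = "v=DKIM1; k=rsa; p=PUBKEYBASE64"
# Key record whose h= tag holds header names (as in the DNS experiment above):
KEY_RECORD_HDRNAMES = "v=DKIM1; k=rsa; h=In-Reply-To:Sender:Reply-To; p=PUBKEYBASE64"

if __name__ == "__main__":
    sig = parse_tag_list(SIGNATURE)
    print(signed_headers(sig))
    print(key_accepts_signature(parse_tag_list(KEY_RECORD), sig))
    print(key_accepts_signature(parse_tag_list(KEY_RECORD_HDRNAMES), sig))
```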

