Home / Blogs

Three Myths About DKIM

The DKIM standard has been out for two years now, and we’re starting to see some adoption by large mail systems, but there’s still a lot of misunderstanding about what DKIM does and doesn’t do.

A DKIM signature means a message isn’t spam

Any a mail system can add a signatures to the messages it handles, and spammers can sign their mail, too. A DKIM signature contains, stripped down to its basics, the domain of the signer and a checksum of the message. If you get a message with a valid DKIM signature, all you know is that the the message you got was the same one that the signer signed, since the checksum validates, and that the domain’s management authorized the signature, since there was a validation key in the domain’s DNS. The value of DKIM comes when you have a stream of messages signed by the same domain. If a domain has earned a reputation for signing good messages, for any version of “good” you like, it’s reasonable to expect subsequent signed messages to be good, too, and vice versa. The signature is only useful as a handle to recognize a message as part of a group of signed mail.

A DKIM signature means the header information is “real”

Nope, it just means that the message you got was the message they signed. Once again, signers can sign anything they want. Even if the signing domain is the same as the domain part of the From: address, sometimes called a “first party” signature, there’s still no guarantee about the From: line other than that the one you see is the one they signed.

Some signing domains may make a policy of only signing mail where the From: address is verified, perhaps by knowing that the original sender logged in with credentials linked to that address, but signing policy is deliberately outside the scope of the DKIM spec.

DKIM doesn’t work with mailing lists

There’s two kinds of lists, announcement lists where all the mail is from one sender, and discussion lists where subscribers send in messages that are resent to all of the list members. In both cases, the sensible thing for the list manager to do is to sign the mail from the list.

The confusion arises from the possibility that mail sent to a discussion list could already have a DKIM signature applied by the original sender’s system. In most cases, mailing list software makes enough changes to messages that the original DKIM signature won’t validate any more. Common changes such as adding the list name to the subject line, or adding headers or footers to the mail, particularly if they’re edited into the HTML code of formatted mail, would break any existing signature. A few old-fashioned list management programs (often used for technical discussion lists, and hence disproportionately popular among the members of the DKIM group) sometimes change messages so little that list recipients could still verify the incoming signature as well as the signature applied by the list, so a few people have claimed that this is how to tell if mail sent to the list is “forged”, and that list software should all stop modifying messages so all signatures pass through.

This shows a fairly basic misunderstanding of what mailing lists do. As opposed to forwarders, which blindly forward incoming mail from one address to another and are just a transit point, a mailing list is really both a destination for mail submitted to the list, and the sender of list mail. During the 40 years that there have been e-mail discussion lists, list managers have developed a wide variety of mechanical and manual means to decide what submitted mail is passed through to the list, forged mail to mailing lists has never been a significant problem, and there’s no reason to think that will change just because some of the mail has signatures.

People subscribe to mailing lists because they want mail from the list, and nobody I know does spam filtering on mail that they already know is from lists they’ve subscribed to. (We may filter out mail from chronic bozos, but that’s not spam filtering, that’s just looking for their addresses on the From: line.) DKIM can be useful to list managers using incoming signatures as one of the criteria to recognize mail from subscribers and help decide what gets passed through to the list. It’s also useful to list recipients to help recognize mail from the list using the list’s signature. Both ways, far from not working with lists, DKIM makes list management and use easier and more reliable.

By John Levine, Author, Consultant & Speaker

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.



Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byVerisign

IPv4 Markets

Sponsored byIPXO

Domain Management

Sponsored byMarkMonitor