How to Debug DKIM
DKIM is one way to make it easier for other servers to figure out if an e-mail sent on behalf of your domain is spoofed. Your mail server will add a digital signature to each e-mail authenticating the source. This isn't as good as signing the entire e-mail, but it is a useful tool to at least validate the domain used as part of the "From" header.
The problem is that DKIM can be tricky to debug. If you have mail rejected, it is useful to be able to manually verify what went wrong. For example, you may have different keys, and the wrong key was used, which is one of the trickier issues to debug.
Let's start with the basics: first make sure the e-mail you send is actually signed. Look for the "DKIM-Signature" header:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dshield.org;
    s=default; t=1391023518;
    bh=wu4x1KKZCyCgkXxuZDq++7322im11hlsCET+KxQ9+48=;
    h=To:Subject:Date:From;
    b=wVZQsIvZQe0i2YuhFNeUrpfet0wa7cIcwZ8LR9izWuF1E1NDQmpKUImCHO/RlPgYJ
    wruW1IunQWRXtd4MQMuUZNsU1rGFzsYXoC4T6rVjHonQtQgoFSoEfo90KtZTC2riev
There are a couple of important pieces to look for:
- d=dshield.org - this is the domain for which the signature is valid
- s=default - this can be used to define different keys.
Using these two values, we can retrieve the public keys from DNS:
"v=DKIM1\; k=rsa\; p=MIGfMA0G...AQAB"
At this point we know which key was used to sign the headers, and we got the public key to verify it. You probably already spotted the algorithm used to sign the header: "a=rsa-sha256".
DKIM only signs specific headers. In our case, we signed the To, Subject, Date and From headers, which can be learned from the "h=..." field above.
For the sample e-mail above, these headers are:
To: jullrich@euclidian.com
Subject: Testing DKIM
Date: Wed, 29 Jan 2014 19:25:18 +0000 (UTC)
From: jullrich@dshield.org (Johannes Ullrich)
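The following Python sketch is an added example, not code from the original diary. It parses the sample DKIM-Signature header, builds the DNS name (<selector>._domainkey.<domain>) where the public key is published, and reproduces the relaxed-canonicalized header data that the b= signature covers. The function names are this example's own, the line folding of the sample header is assumed, and because the b= value is cut short on the page it stops before the RSA check.

```python
import re

# Values copied from the page; b= is cut short there and the line folding is assumed.
RAW_SIG = ("v=1; a=rsa-sha256; c=relaxed/simple; d=dshield.org;\r\n\ts=default; t=1391023518;\r\n"
           "\tbh=wu4x1KKZCyCgkXxuZDq++7322im11hlsCET+KxQ9+48=;\r\n"
           "\th=To:Subject:Date:From;\r\n"
           "\tb=wVZQsIvZQe0i2YuhFNeUrpfet0wa7cIcwZ8LR9izWuF1E1NDQmpKUImCHO/RlPgYJ\r\n"
           "\twruW1IunQWRXtd4MQMuUZNsU1rGFzsYXoC4T6rVjHonQtQgoFSoEfo90KtZTC2riev")
HEADERS = [("To", " jullrich@euclidian.com"), ("Subject", " Testing DKIM"),
           ("Date", " Wed, 29 Jan 2014 19:25:18 +0000 (UTC)"),
           ("From", " jullrich@dshield.org (Johannes Ullrich)")]

def parse_tags(value):
    """Split a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def key_record_name(tags):
    """DNS TXT name that holds the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def relaxed(name, value):
    """Relaxed header canonicalization (RFC 6376 section 3.4.2)."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)        # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()      # collapse runs of WSP, trim ends
    return f"{name.lower()}:{value}"

def signed_header_input(headers, raw_sig):
    """Bytes covered by b=: the h= headers, then DKIM-Signature with b= emptied."""
    tags = parse_tags(raw_sig)
    if tags["c"].split("/")[0] != "relaxed":
        raise ValueError("only relaxed header canonicalization is handled here")
    pool, lines = list(headers), []
    for wanted in tags["h"].split(":"):
        # A repeated header name is matched from the bottom of the header block up.
        for i in range(len(pool) - 1, -1, -1):
            if pool[i][0].lower() == wanted.lower():
                lines.append(relaxed(*pool.pop(i)) + "\r\n")
                break
    emptied = re.sub(r"((?:^|;)\s*b=)[^;]*", r"\1", raw_sig)
    lines.append(relaxed("DKIM-Signature", emptied))   # last line has no CRLF
    return "".join(lines).encode()

if __name__ == "__main__":
    print(key_record_name(parse_tags(RAW_SIG)), signed_header_input(HEADERS, RAW_SIG).decode(), sep="\n")
```

Comparing this output byte for byte with what the receiving server canonicalizes is a quick way to spot a header that was rewritten in transit, and the printed DNS name shows which selector's key has to match.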
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute