Author Domain Signing Practices (ADSP) with DKIM

ADSP or Author Domain Signing Practices is an optional extension of DomainKeys Identified Mail, that enables the author domain to specify signing practices. As a superset of the DKIM signing policy, signing practices such as this helps determine the authority of messages that do not contain a DKIM signature header. 

What is ADSP? 

We have already discussed that DKIM is a security protocol that allows email sender to cryptographically sign their messages to confirm that they are coming from the correct domain. This allows recipients to verify that the message is authentic and has not been modified in transit.

Sometimes, when this signature is absent, Author Domain SIgning Practices (ADSP) as an accessory to DKIM, jumps in to evaluate these unsigned messages. It works by defining a record in the DNS with certain instructions on signing practices determined by the author domain. 

Relevant Terms and Definitions

Before we get into the nuts and bolts of ADSP’s operational practices, let’s go through a few terms related to this subject: 

What is the Author Address?

When you open an email, in the top left section of the message header, you will find the From: address. This address contains the email sender’s (sending domain”s) email address. It is also known as the author address. This is a part of the visible header. 

Not to be confused with the Return-path address that contains information about the sender’s server IP address, and is a part of the hidden header. 

What is an Author Domain Signature?

The author domain signature refers to the d= tag in the email header, which contains the DKIM signature for message verification. If the signature is valid, ideally the domain name mentioned in the signature header should match the name in the author address (From: header). 

If it isn’t a match, this may signify that the message was altered in transit, or the sender’s domain was spoofed. 

Configuring Author Domain Signing Practices (ADSP)

Types of Definable Signing Practices 

• unknown: you may define an unknown practice, or choose to define nothing at all since they will both serve the same purpose. Unknown refers to an undisclosed or unspecified signing rule providing the flexibility to sign any volume of email.
• all: this practice specifies that all emails need to be signed with a DKIM signature.
• discardable: similar to p=reject for DMARC, the discardable practice refers to an enforced policy wherein not only will the total mail volume originating from the author domain be signed with DKIM, but in case of any lapse, the email will be rejected (discarded) by the receiving server.  

ADSP TXT Record: Defining Practices in the DNS

To set up author domain signing practices, you need to publish the following TXT record in your DNS: 

_adsp._domainkey.yourdomain.com. IN TXT “dkim=discardable”

Replace yourdomain.com with the sending domain name and dkim= value with a signing practice of your choice from the options discussed above.

Disclaimer 

The “unknown” specification is the recommended practice for domains where users are not bound to send emails from specific mail servers that fall within the scope of the author domain. A policy other than the unknown in such cases will lead to authentication failures, and/or unwanted message rejections.

ADSP and DMARC: A Modern Solution to Bypass ADSP Limitations

Anything that comes with a disclaimer cannot be termed 100% fool-proof and effective. ADSP, while an effective adjunct to the DKIM protocol, comes with a set of limitations and complications that have reduced its relevance in recent times. 

A better way to bypass these drawbacks is to set up DMARC.