Author Domain Signing Practices (ADSP) with DKIM
ADSP, or Author Domain Signing Practices, is an optional extension of DomainKeys Identified Mail (DKIM) that enables the author domain to specify its signing practices. As a superset of the DKIM signing policy, signing practices such as this help determine the authority of messages that do not contain a DKIM signature header.
What is ADSP?
We have already discussed that DKIM is a security protocol that allows email senders to cryptographically sign their messages to confirm that they are coming from the correct domain. This allows recipients to verify that the message is authentic and has not been modified in transit.
Sometimes, when this signature is absent, Author Domain Signing Practices (ADSP), as an accessory to DKIM, steps in to evaluate these unsigned messages. It works by defining a record in the DNS with instructions on the signing practices determined by the author domain.
Relevant Terms and Definitions
Before we get into the nuts and bolts of ADSP’s operational practices, let’s go through a few terms related to this subject:
What is the Author Address?
When you open an email, in the top left section of the message header, you will find the From: address. This address contains the email sender’s (sending domain’s) email address. It is also known as the author address, and it is part of the visible header.
It is not to be confused with the Return-path address, which contains information about the sender’s server IP address and is part of the hidden header.
What is an Author Domain Signature?
The author domain signature refers to the d= tag in the email header, which contains the DKIM signature for message verification. If the signature is valid, ideally the domain name mentioned in the signature header should match the name in the author address (From: header).
If it isn’t a match, this may signify that the message was altered in transit, or the sender’s domain was spoofed.
Configuring Author Domain Signing Practices (ADSP)
Types of Definable Signing Practices
- unknown: you may define an unknown practice, or choose to define nothing at all, since both serve the same purpose. Unknown refers to an undisclosed or unspecified signing rule, providing the flexibility to sign any volume of email.
- all: this practice specifies that all emails need to be signed with a DKIM signature.
- discardable: similar to p=reject for DMARC, the discardable practice refers to an enforced policy wherein not only will the total mail volume originating from the author domain be signed with DKIM, but in case of any lapse, the email will be rejected (discarded) by the receiving server.
ADSP TXT Record: Defining Practices in the DNS
To set up author domain signing practices, you need to publish the following TXT record in your DNS:
_adsp._domainkey.yourdomain.com. IN TXT "dkim=discardable"
Replace yourdomain.com with the sending domain name and dkim= value with a signing practice of your choice from the options discussed above.
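The check a receiving server makes with this record can be sketched as follows. This is an added example, not code from the original article: it looks for an author domain signature first and only then falls back to the published practice. The TXT data, the .example domains and the result labels are constructed for illustration, and a real verifier would query DNS for the record name instead of a dictionary.

```python
from email.utils import parseaddr
import re

# Constructed TXT data standing in for DNS lookups (assumption: offline demo).
SAMPLE_TXT = {
    "_adsp._domainkey.bank.example": "dkim=discardable",
    "_adsp._domainkey.news.example": "dkim = all",
    "_adsp._domainkey.odd.example": "dkim=strict",  # not a defined practice
}
PRACTICES = ("unknown", "all", "discardable")


def adsp_name(author_domain):
    """DNS name where the author domain publishes its signing practice."""
    return "_adsp._domainkey." + author_domain.lower().rstrip(".")


def parse_adsp(txt):
    """Return the practice in a TXT string; absent or unrecognised -> unknown."""
    match = re.match(r"dkim[ \t]*=[ \t]*([^;\s]*)", txt or "")
    if match and match.group(1) in PRACTICES:
        return match.group(1)
    return "unknown"


def evaluate(from_header, valid_dkim_domains, txt_records=SAMPLE_TXT):
    """Classify a message from its From: header and the d= domains of the
    DKIM signatures that already verified (hypothetical result labels)."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in {d.lower() for d in valid_dkim_domains}:
        return "pass"  # author domain signature present, no lookup needed
    practice = parse_adsp(txt_records.get(adsp_name(domain)))
    return {"unknown": "unknown", "all": "fail", "discardable": "discard"}[practice]


if __name__ == "__main__":
    for hdr, sigs in [
        ("Alice <alice@bank.example>", ["bank.example"]),
        ("Alice <alice@bank.example>", ["mailer.example"]),
        ("news@news.example", []),
        ("bob@odd.example", []),
    ]:
        print(hdr, sigs, "->", evaluate(hdr, sigs))
```

The second sample carries a valid signature from a different domain and still ends in discard, because only a d= value matching the From: domain counts as an author domain signature.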
Disclaimer
The “unknown” specification is the recommended practice for domains where users are not bound to send emails from specific mail servers that fall within the scope of the author domain. A policy other than “unknown” in such cases will lead to authentication failures and/or unwanted message rejections.
ADSP and DMARC: A Modern Solution to Bypass ADSP Limitations
Anything that comes with a disclaimer cannot be termed 100% fool-proof and effective. ADSP, while an effective adjunct to the DKIM protocol, comes with a set of limitations and complications that have reduced its relevance in recent times.
A better way to bypass these drawbacks is to set up DMARC.