DKIM2: Upcoming DKIM Protocol Update
DKIM2 is currently an IETF Internet-Draft and may change before it is published as an RFC, if it is published at all.
DKIM2 is proposed as the successor to the current DKIM (which the drafts refer to as DKIM1). It aims to fix known shortcomings of the existing protocol: signatures that break when mail is forwarded, replay attacks, the lack of a standard feedback path, and a single-algorithm signature that makes cryptographic migration hard.
DKIM2 is also expected to fix the set of headers that must be signed, route bounces so that they no longer become backscatter, and allow more than one signature algorithm on a message so that an ageing algorithm can be retired without a flag day.
The Need for Replacing DKIM
DKIM as deployed today (DKIM1 in the drafts' terminology) was first specified in RFC 4871, published in 2007. Over the years several operational weaknesses have become apparent:
1. Intermediary Modification Issue
Intermediaries such as mailing lists and forwarding services often modify a legitimate message in transit: they append a footer, add a tag to the Subject line, or rewrite headers. Because the DKIM1 signature covers the original body and headers, any such change makes the signature unverifiable and the message fails DKIM at the final receiver. Legitimate mail may then be quarantined or marked as spam.
2. Reputation Damage via Replay Attacks
In a DKIM replay attack, a threat actor obtains a message that was legitimately signed by a reputable domain (for example by sending it to a mailbox they control) and resends the identical signed message to a large number of new recipients. The signed headers and body are not altered, so the signature still verifies; only fields the signer chose not to cover can be added or changed. DKIM1 does not cover the SMTP envelope, so the new recipients are invisible to the check, and receivers attribute the resulting spam to the original signer, damaging its reputation.
3. Lack of Standardized Feedback
Some receivers operate informal feedback loops that tell senders how their DKIM-signed mail is being treated, for example whether it is delivered, quarantined, or flagged. There is no standard for how such feedback should be requested, addressed, or formatted, so feedback is sometimes sent to parties who cannot act on it, or not sent where it would help.
4. Backscatter Problem
If the sender of a message is forged and the message cannot be delivered, the receiving system often generates a failure notice, a Delivery Status Notification (DSN), and sends it to the forged address. The DSN therefore lands on an innocent third party whose domain was forged, who receives a confusing and unwanted bounce for mail they never sent. This is known as backscatter. DKIM1 does nothing to prevent it, because a DSN is routed to the envelope sender (MAIL FROM), which DKIM1 does not sign.
How Might DKIM2 Be a Boon for Businesses?
DKIM2 may outshine the capabilities of DKIM1 by providing the following key benefits:
Standardized Header Signing
DKIM1 lets each signer choose which header fields to cover, and a signer that leaves out fields such as To: or Subject: gives an attacker room to add or alter them without invalidating the signature. DKIM2 is expected to fix the set of headers that must be signed, so every verifier can rely on the important fields being covered consistently.
Backscatter Prevention
As explained above, DKIM1 offers no defence against backscatter because it does not sign the envelope. DKIM2 is designed so that a DSN is returned to the server that last handled the message (the previous hop in the signing chain) rather than to whatever address appears in a possibly forged envelope, so innocent third parties are no longer bounced.
Simplified Error Handling
DKIM2 also changes how bounces and errors are handled. A bounce follows the signing chain back hop by hop, so it reaches the party that actually forwarded the message; this protects the privacy of the final recipient and lets intermediaries such as email service providers and mailing lists see and manage delivery problems for the mail they relayed. Because each hop records the changes it made to the message (for example an appended footer), a verifier can reverse those changes, check the original signature, and spot modifications that no hop admitted to.
Addressing DKIM Replay Attacks
A validly DKIM-signed message can be resent, that is replayed, to any number of recipients without the signature failing. DKIM2 is designed to close this gap by including a timestamp and the recipient the message was sent to in what is signed, so a copy sent to someone else, or sent long after signing, no longer verifies. It also lets a receiver recognise duplicate copies of a message and identify which hop in the chain introduced them.
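The three mechanisms described above (an intermediary's modification breaking DKIM1, a hop recording its change so the verifier can reverse it, and a signature that binds the recipient and a timestamp to defeat replay) are easiest to see side by side in code. The following is an added example written for this page, not code from the draft or from PowerDMARC, and it does not use the draft's wire format. It assumes a toy model in which an HMAC with a per-domain secret stands in for the public-key signature a real verifier would check against a DNS-published key, and all domains, addresses, message text and the one-week expiry policy are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed per-domain secrets. HMAC stands in for the public-key signature
# (RSA/Ed25519) a real verifier would check against a DNS-published key; that
# substitution is an assumption of this toy, not part of the DKIM2 draft.
KEYS = {"origin.example": b"origin-secret", "list.example": b"list-secret"}
SIGNED_HEADERS = ("from", "to", "subject")  # header fields every signer covers
MAX_AGE = 7 * 24 * 3600  # constructed policy: a signature expires after a week


def _sha(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def _mac(domain: str, data: str) -> str:
    return hmac.new(KEYS[domain], data.encode(), hashlib.sha256).hexdigest()


def _headers(headers: dict) -> str:
    return "\n".join(f"{h}:{headers[h]}" for h in SIGNED_HEADERS)


def dkim1_sign(domain: str, headers: dict, body: str) -> dict:
    # DKIM1 binds selected headers and a body hash; nothing from the SMTP envelope.
    return {"d": domain, "b": _mac(domain, _headers(headers) + "\nbh=" + _sha(body))}


def dkim1_verify(sig: dict, headers: dict, body: str, envelope: dict) -> bool:
    # `envelope` is deliberately unused: RCPT TO plays no part in a DKIM1 check,
    # which is exactly why a replayed copy to new recipients still verifies.
    if sig["d"] not in KEYS:
        return False
    return hmac.compare_digest(sig["b"], _mac(sig["d"], _headers(headers) + "\nbh=" + _sha(body)))


def _dkim2_input(f: dict, headers: dict, body: str) -> str:
    # Everything a hop commits to: sequence number, timestamp, the envelope it
    # used, any text it appended to the body, the headers and the body hash.
    return (f"i={f['i']}\nd={f['d']}\nt={f['t']}\nmf={f['mf']}\nrt={f['rt']}\n"
            f"app={f['app']}\n" + _headers(headers) + "\nbh=" + _sha(body))


def dkim2_sign(domain, seq, headers, body, envelope, ts, appended=""):
    """Signature added by hop `seq`. `appended` records text this hop added to
    the body so a later verifier can strip it and re-check the previous hop."""
    f = {"i": seq, "d": domain, "t": ts, "mf": envelope["mail_from"],
         "rt": envelope["rcpt_to"], "app": appended}
    f["b"] = _mac(domain, _dkim2_input(f, headers, body))
    return f


def dkim2_verify(chain, headers, body, envelope, now):
    """Check the per-hop signatures from the delivering hop back to the origin,
    reversing each hop's recorded modification on the way. Returns (ok, reason)."""
    chain = sorted(chain, key=lambda s: s["i"], reverse=True)
    if not chain or [s["i"] for s in chain] != list(range(len(chain), 0, -1)):
        return False, "missing or non-contiguous DKIM2 hop sequence"
    if chain[0]["rt"] != envelope["rcpt_to"]:
        return False, f"hop {chain[0]['i']} ({chain[0]['d']}) did not sign for recipient {envelope['rcpt_to']}"
    for sig in chain:
        tag = f"hop {sig['i']} ({sig['d']})"
        if sig["d"] not in KEYS:
            return False, f"{tag}: no key for signer"
        if now - sig["t"] > MAX_AGE:
            return False, f"{tag}: signature expired"
        if not hmac.compare_digest(sig["b"], _mac(sig["d"], _dkim2_input(sig, headers, body))):
            return False, f"{tag}: signature does not match message"
        if sig["app"]:  # undo this hop's change before checking the earlier hop
            if not body.endswith(sig["app"]):
                return False, f"{tag}: recorded modification not found in body"
            body = body[: -len(sig["app"])]
    return True, f"chain of {len(chain)} hop(s) verified back to {chain[-1]['d']}"


def demo() -> dict:
    """Constructed scenario: alice@origin.example posts to a list, which appends
    a footer and forwards to bob@dest.example; an attacker replays the result."""
    T0 = 1_700_000_000
    headers = {"from": "alice@origin.example", "to": "list@list.example", "subject": "Meeting"}
    body = "Meeting moved to 3pm.\n"
    env1 = {"mail_from": "alice@origin.example", "rcpt_to": "list@list.example"}
    footer = "-- \nSent via list.example\n"
    body2 = body + footer
    env2 = {"mail_from": "bounce@list.example", "rcpt_to": "bob@dest.example"}
    replay_env = {"mail_from": "x@attacker.example", "rcpt_to": "victim@other.example"}

    d1 = dkim1_sign("origin.example", headers, body)
    sig1 = dkim2_sign("origin.example", 1, headers, body, env1, T0)
    sig2 = dkim2_sign("list.example", 2, headers, body2, env2, T0 + 60, appended=footer)
    # A list that quietly edits the text while recording only the footer it added:
    edited = body2.replace("3pm", "5pm")
    sig2_edit = dkim2_sign("list.example", 2, headers, edited, env2, T0 + 60, appended=footer)
    return {
        "dkim1_replay_verifies": dkim1_verify(d1, headers, body, replay_env),
        "dkim1_footer_breaks": dkim1_verify(d1, headers, body2, env2),
        "dkim2_forwarded": dkim2_verify([sig1, sig2], headers, body2, env2, T0 + 120),
        "dkim2_replay": dkim2_verify([sig1, sig2], headers, body2, replay_env, T0 + 120),
        "dkim2_stale": dkim2_verify([sig1, sig2], headers, body2, env2, T0 + MAX_AGE + 100),
        "dkim2_unrecorded_edit": dkim2_verify([sig1, sig2_edit], headers, edited, env2, T0 + 120),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the contrast the text describes: the DKIM1 signature verifies for the replayed copy addressed to a stranger yet fails once the list appends its footer, while the DKIM2-style chain verifies through the footer (the verifier strips what hop 2 recorded and re-checks hop 1), rejects the replayed copy because no hop signed for the new recipient, rejects a stale copy, and, when the list edits the text without recording it, fails at hop 1, which places the unrecorded change after the origin signed, that is at hop 2. A replayer who appends their own hop signature to get past the recipient check only puts their own domain into the chain, which is the sense in which DKIM2 tracks who is responsible.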
Algorithm Agility
DKIM2 is designed to support more than one signature algorithm, such as RSA, elliptic-curve schemes, and possibly post-quantum algorithms. Supporting several at once gives flexibility and future-proofing: when an algorithm is weakened or deprecated, signers can migrate to another without a flag day.
The draft's transition scheme works as follows. During a migration a signer places signatures made with more than one algorithm in a single DKIM2 signature header, so that if one algorithm is deprecated or broken the other still authenticates the message. A verifier that supports both algorithms verifies both and rejects the message unless both signatures are valid.
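The verifier policy just described is short enough to write out. The following is an added example for this page, not code from the draft or from PowerDMARC. It assumes two constructed stand-in algorithm families (HMAC over SHA-256 for the "current" algorithm and HMAC over SHA3-256 for the "new" one, in place of the public-key algorithms a real signer would use with DNS-published keys) and a constructed signing secret; the names `sign_multi`, `verify_multi` and `migration_demo` are this example's own.

```python
import hashlib
import hmac

# Constructed stand-ins for two signature algorithm families. A real DKIM2
# signer would use public-key algorithms (RSA, Ed25519, a post-quantum scheme)
# with keys published in DNS; this HMAC substitution is an assumption.
ALGS = {"cur": hashlib.sha256, "new": hashlib.sha3_256}
KEY = b"origin-secret"  # constructed signing secret shared by signer and verifier


def sign_multi(data: str, algs) -> dict:
    """One DKIM2-style signature header carrying one signature per algorithm."""
    return {a: hmac.new(KEY, data.encode(), ALGS[a]).hexdigest() for a in algs}


def verify_multi(header: dict, data: str, supported) -> tuple:
    """Transition policy: check every signature whose algorithm this verifier
    supports, and require all of them to pass. With no supported algorithm
    present the message cannot be authenticated at all."""
    checked = [a for a in header if a in supported]
    if not checked:
        return False, "no signature in a supported algorithm"
    for a in checked:
        expected = hmac.new(KEY, data.encode(), ALGS[a]).hexdigest()
        if not hmac.compare_digest(header[a], expected):
            return False, f"{a}: signature invalid"
    return True, "verified with " + ",".join(checked)


def migration_demo() -> dict:
    """Constructed signing input, one dual-signed header, and three verifier
    generations: legacy (knows only "cur"), current (both), post-deprecation ("new")."""
    data = "from:alice@origin.example\nsubject:Hi\nbh=abc"
    dual = sign_multi(data, ["cur", "new"])
    broken = dict(dual, new="00" * 32)  # the "new" signature corrupted in transit
    return {
        "legacy_verifier": verify_multi(dual, data, {"cur"}),
        "dual_verifier": verify_multi(dual, data, {"cur", "new"}),
        "post_deprecation": verify_multi(dual, data, {"new"}),
        "dual_verifier_one_bad": verify_multi(broken, data, {"cur", "new"}),
        "legacy_one_bad": verify_multi(broken, data, {"cur"}),
        "new_only_message_at_legacy": verify_multi(sign_multi(data, ["new"]), data, {"cur"}),
    }


if __name__ == "__main__":
    for name, result in migration_demo().items():
        print(f"{name}: {result}")
```

The last two cases are the operational caveats of the scheme: a verifier that knows only the old algorithm cannot detect a corrupted new-algorithm signature, and a message signed only with the new algorithm is unverifiable at such a verifier, which is why the draft keeps both signatures on the message during the transition rather than switching at once.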
Minimizing Crypto-Calculations
DKIM2 is also projected to reduce the number of signature verifications needed to authenticate a message. Large mailbox providers see many messages carrying several DKIM signatures, and a DKIM1 verifier has to evaluate all of them. With DKIM2, if no intermediary has modified the message, the verifier need only check the first DKIM2 signature, which makes verification faster and cheaper.