summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc5863.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc5863.txt')
-rw-r--r--doc/rfc/rfc5863.txt2859
1 files changed, 2859 insertions, 0 deletions
diff --git a/doc/rfc/rfc5863.txt b/doc/rfc/rfc5863.txt
new file mode 100644
index 0000000..fbe2586
--- /dev/null
+++ b/doc/rfc/rfc5863.txt
@@ -0,0 +1,2859 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) T. Hansen
+Request for Comments: 5863 AT&T Laboratories
+Category: Informational E. Siegel
+ISSN: 2070-1721 Consultant
+ P. Hallam-Baker
+ Default Deny Security, Inc.
+ D. Crocker
+ Brandenburg InternetWorking
+ May 2010
+
+
+ DomainKeys Identified Mail (DKIM)
+ Development, Deployment, and Operations
+
+Abstract
+
+ DomainKeys Identified Mail (DKIM) allows an organization to claim
+ responsibility for transmitting a message, in a way that can be
+ validated by a recipient. The organization can be the author's, the
+ originating sending site, an intermediary, or one of their agents. A
+ message can contain multiple signatures, from the same or different
+ organizations involved with the message. DKIM defines a domain-level
+ digital signature authentication framework for email, using public
+ key cryptography and using the domain name service as its key server
+ technology. This permits verification of a responsible organization,
+ as well as the integrity of the message content. DKIM will also
+ provide a mechanism that permits potential email signers to publish
+ information about their email signing practices; this will permit
+ email receivers to make additional assessments about messages.
+ DKIM's authentication of email identity can assist in the global
+ control of "spam" and "phishing". This document provides
+ implementation, deployment, operational, and migration considerations
+ for DKIM.
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for informational purposes.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Not all documents
+ approved by the IESG are a candidate for any level of Internet
+ Standard; see Section 2 of RFC 5741.
+
+
+
+
+
+
+Hansen, et al. Informational [Page 1]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc5863.
+
+Copyright Notice
+
+ Copyright (c) 2010 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+ This document may contain material from IETF Documents or IETF
+ Contributions published or made publicly available before November
+ 10, 2008. The person(s) controlling the copyright in some of this
+ material may not have granted the IETF Trust the right to allow
+ modifications of such material outside the IETF Standards Process.
+ Without obtaining an adequate license from the person(s) controlling
+ the copyright in such materials, this document may not be modified
+ outside the IETF Standards Process, and derivative works of it may
+ not be created outside the IETF Standards Process, except to format
+ it for publication as an RFC or to translate it into languages other
+ than English.
+
+Table of Contents
+
+ 1. Introduction ....................................................4
+ 2. Using DKIM as Part of Trust Assessment ..........................4
+ 2.1. A Systems View of Email Trust Assessment ...................4
+ 2.2. Choosing a DKIM Tag for the Assessment Identifier ..........6
+ 2.3. Choosing the Signing Domain Name ...........................8
+ 2.4. Recipient-Based Assessments ...............................10
+ 2.5. Filtering .................................................12
+ 3. DKIM Key Generation, Storage, and Management ...................15
+ 3.1. Private Key Management: Deployment and Ongoing
+ Operations ................................................16
+ 3.2. Storing Public Keys: DNS Server Software Considerations ...17
+ 3.3. Per-User Signing Key Management Issues ....................18
+ 3.4. Third-Party Signer Key Management and Selector
+ Administration ............................................19
+ 3.5. Key Pair / Selector Life Cycle Management .................19
+
+
+
+Hansen, et al. Informational [Page 2]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ 4. Signing ........................................................21
+ 4.1. DNS Records ...............................................21
+ 4.2. Signing Module ............................................21
+ 4.3. Signing Policies and Practices ............................22
+ 5. Verifying ......................................................23
+ 5.1. Intended Scope of Use .....................................23
+ 5.2. Signature Scope ...........................................23
+ 5.3. Design Scope of Use .......................................24
+ 5.4. Inbound Mail Filtering ....................................24
+ 5.5. Messages Sent through Mailing Lists and Other
+ Intermediaries ............................................25
+ 5.6. Generation, Transmission, and Use of Results Headers ......25
+ 6. Taxonomy of Signatures .........................................26
+ 6.1. Single Domain Signature ...................................26
+ 6.2. Parent Domain Signature ...................................27
+ 6.3. Third-Party Signature .....................................27
+ 6.4. Using Trusted Third-Party Senders .........................29
+ 6.5. Multiple Signatures .......................................30
+ 7. Example Usage Scenarios ........................................31
+ 7.1. Author's Organization - Simple ............................32
+ 7.2. Author's Organization - Differentiated Types of Mail ......32
+ 7.3. Author Domain Signing Practices ...........................32
+ 7.4. Delegated Signing .........................................34
+ 7.5. Independent Third-Party Service Providers .................35
+ 7.6. Mail Streams Based on Behavioral Assessment ...............35
+ 7.7. Agent or Mediator Signatures ..............................36
+ 8. Usage Considerations ...........................................36
+ 8.1. Non-Standard Submission and Delivery Scenarios ............36
+ 8.2. Protection of Internal Mail ...............................37
+ 8.3. Signature Granularity .....................................38
+ 8.4. Email Infrastructure Agents ...............................39
+ 8.5. Mail User Agent ...........................................40
+ 9. Security Considerations ........................................41
+ 10. Acknowledgements ..............................................41
+ 11. References ....................................................42
+ 11.1. Normative References .....................................42
+ 11.2. Informative References ...................................42
+ Appendix A. Migration Strategies .................................43
+ A.1. Migrating from DomainKeys .................................43
+ A.2. Migrating Hash Algorithms .................................48
+ A.3. Migrating Signing Algorithms ..............................49
+ Appendix B. General Coding Criteria for Cryptographic
+ Applications .........................................50
+
+
+
+
+
+
+
+
+Hansen, et al. Informational [Page 3]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+1. Introduction
+
+ DomainKeys Identified Mail (DKIM) allows an organization to claim
+ responsibility for transmitting a message, in a way that can be
+ validated by a recipient. This document provides practical tips for
+ those who are developing DKIM software, mailing list managers,
+ filtering strategies based on the output from DKIM verification, and
+ DNS servers; those who are deploying DKIM software, keys, mailing
+ list software, and migrating from DomainKeys [RFC4870]; and those who
+ are responsible for the ongoing operations of an email infrastructure
+ that has deployed DKIM.
+
+ The reader is encouraged to read the DKIM Service Overview document
+ [RFC5585] before this document. More detailed guidance about DKIM
+ and Author Domain Signing Practices (ADSP) can also be found in the
+ protocol specifications [RFC4871], [RFC5617], and [RFC5672].
+
+ The document is organized around the key concepts related to DKIM.
+ Within each section, additional considerations specific to
+ development, deployment, or ongoing operations are highlighted where
+ appropriate. The possibility of the use of DKIM results as input to
+ a local reputation database is also discussed.
+
+2. Using DKIM as Part of Trust Assessment
+
+2.1. A Systems View of Email Trust Assessment
+
+ DKIM participates in a trust-oriented enhancement to the Internet's
+ email service, to facilitate message handling decisions, such as for
+ delivery and for content display. Trust-oriented message handling
+ has substantial differences from the more established approaches that
+ consider messages in terms of risk and abuse. With trust, there is a
+ collaborative exchange between a willing participant along the
+ sending path and a willing participant at a recipient site. In
+ contrast, the risk model entails independent, unilateral action by
+ the recipient site, in the face of a potentially unknown, hostile,
+ and deceptive sender. This translates into a very basic technical
+ difference: in the face of unilateral action by the recipient and
+ even antagonistic efforts by the sender, risk-oriented mechanisms are
+ based on heuristics, that is, on guessing. Guessing produces
+ statistical results with some false negatives and some false
+ positives. For trust-based exchanges, the goal is the deterministic
+ exchange of information. For DKIM, that information is the one
+ identifier that represents a stream of mail for which an independent
+ assessment is sought (by the signer).
+
+
+
+
+
+
+Hansen, et al. Informational [Page 4]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ A trust-based service is built upon a validated Responsible
+ Identifier that labels a stream of mail and is controlled by an
+ identity (role, person, or organization). The identity is
+ acknowledging some degree of responsibility for the message stream.
+ Given a basis for believing that an identifier is being used in an
+ authorized manner, the recipient site can make and use an assessment
+ of the associated identity. An identity can use different
+ identifiers, on the assumption that the different streams might
+ produce different assessments. For example, even the best-run
+ marketing campaigns will tend to produce some complaints that can
+ affect the reputation of the associated identifier, whereas a stream
+ of transactional messages is likely to have a more pristine
+ reputation.
+
+ Determining that the identifier's use is valid is quite different
+ from determining that the content of a message is valid. The former
+ means only that the identifier for the responsible role, person, or
+ organization has been legitimately associated with a message. The
+ latter means that the content of the message can be believed and,
+ typically, that the claimed author of the content is correct. DKIM
+ validates only the presence of the identifier used to sign the
+ message. Even when this identifier is validated, DKIM carries no
+ implication that any of the message content, including the
+ RFC5322.From field [RFC5322], is valid. Surprisingly, this limit to
+ the semantics of a DKIM signature applies even when the validated
+ signing identifier is the same domain name as is used in the
+ RFC5322.From field! DKIM's only claim about message content is that
+ the content cited in the DKIM-Signature: field's h= tag has been
+ delivered without modification. That is, it asserts message content
+ integrity -- between signing and verifying -- not message content
+ validity.
+
+ As shown in Figure 1, this enhancement is a communication between a
+ responsible role, person, or organization that signs the message and
+ a recipient organization that assesses its trust in the signer. The
+ recipient then makes handling decisions based on a collection of
+ assessments, of which the DKIM mechanism is only a part. In this
+ model, as shown in Figure 1, validation is an intermediary step,
+ having the sole task of passing a validated Responsible Identifier to
+ the Identity Assessor. The communication is of a single Responsible
+ Identifier that the Responsible Identity wishes to have used by the
+ Identity Assessor. The Identifier is the sole, formal input and
+ output value of DKIM signing. The Identity Assessor uses this
+ single, provided Identifier for consulting whatever assessment
+ databases are deemed appropriate by the assessing entity. In turn,
+ output from the Identity Assessor is fed into a Handling Filter
+
+
+
+
+
+Hansen, et al. Informational [Page 5]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ engine that considers a range of factors, along with this single
+ output value. The range of factors can include ancillary information
+ from the DKIM validation.
+
+ Identity Assessment covers a range of possible functions. It can be
+ as simple as determining whether the identifier is a member of some
+ list, such as authorized operators or participants in a group that
+ might be of interest for recipient assessment. Equally, it can
+ indicate a degree of trust (reputation) that is to be afforded the
+ actor using that identifier. The extent to which the assessment
+ affects the handling of the message is, of course, determined later,
+ by the Handling Filter.
+
+ +------+------+ +------+------+
+ | Author | | Recipient |
+ +------+------+ +------+------+
+ | ^
+ | |
+ | +------+------+
+ | -->| Handling |<--
+ | -->| Filter |<--
+ | +-------------+
+ | ^
+ V Responsible |
+ +-------------+ Identifier +------+------+
+ | Responsible |. . . . . . . . . . .>| Identity |
+ | Identity | . . | Assessor |
+ +------+------+ . . +-------------+
+ | V . ^ ^
+ V . . | |
+ +------------------.-------.--------------------+ | |
+ | +------+------+ . . . > . +-------------+ | | | +-----------+
+ | | Identifier | | Identifier +--|--+ +--+ Assessment|
+ | | Signer +------------->| Validator | | | Databases |
+ | +-------------+ +-------------+ | +-----------+
+ | DKIM Service |
+ +-----------------------------------------------+
+
+ Figure 1: Actors in a Trust Sequence Using DKIM
+
+2.2. Choosing a DKIM Tag for the Assessment Identifier
+
+ The signer of a message needs to be able to provide precise data and
+ know what that data will mean upon delivery to the Assessor. If
+ there is ambiguity in the choice that will be made on the recipient
+ side, then the sender cannot know what basis for assessment will be
+ used. DKIM has three values that specify identification information
+ and it is easy to confuse their use, although only one defines the
+
+
+
+Hansen, et al. Informational [Page 6]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ formal input and output of DKIM, with the other two being used for
+ internal protocol functioning and adjunct purposes, such as auditing
+ and debugging.
+
+ The salient values include the s=, d= and i= parameters in the DKIM-
+ Signature: header field. In order to achieve the end-to-end
+ determinism needed for this collaborative exchange from the signer to
+ the assessor, the core model needs to specify what the signer is
+ required to provide to the assessor. The update to RFC 4871
+ [RFC5672] specifies:
+
+ DKIM's primary task is to communicate from the Signer to a
+ recipient-side Identity Assessor a single Signing Domain
+ Identifier (SDID) that refers to a responsible identity. DKIM MAY
+ optionally provide a single responsible Agent or User Identifier
+ (AUID)... A receive-side DKIM verifier MUST communicate the
+ Signing Domain Identifier (d=) to a consuming Identity Assessor
+ module and MAY communicate the User Agent Identifier (i=) if
+ present.... To the extent that a receiver attempts to intuit any
+ structured semantics for either of the identifiers, this is a
+ heuristic function that is outside the scope of DKIM's
+ specification and semantics.
+
+ The single, mandatory value that DKIM supplies as its output is:
+
+ d= This specifies the "domain of the signing entity". It is a
+ domain name and is combined with the selector to form a DNS
+ query. A receive-side DKIM verifier needs to communicate the
+ Signing Domain Identifier (d=) to a consuming Identity Assessor
+ module and can also communicate the User Agent Identifier (i=)
+ if present.
+
+ The adjunct values are:
+
+ s= This tag specifies the selector. It is used to discriminate
+ among different keys that can be used for the same d= domain
+ name. As discussed in Section 4.3 of [RFC5585], "If verifiers
+ were to employ the selector as part of an assessment mechanism,
+ then there would be no remaining mechanism for making a
+ transition from an old, or compromised, key to a new one".
+ Consequently, the selector is not appropriate for use as part
+ or all of the identifier used to make assessments.
+
+ i= This tag is optional and provides the "[t]he Agent or User
+ Identifier (AUID) on behalf of which the SDID is taking
+ responsibility" [RFC5672]. The identity can be in the syntax
+
+
+
+
+
+Hansen, et al. Informational [Page 7]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ of an entire email address or only a domain name. The domain
+ name can be the same as for d= or it can be a sub-name of the
+ d= name.
+
+ NOTE: Although the i= identity has the syntax of an email
+ address, it is not required to have those semantics. That is,
+ "the identity of the user" need not be the same as the user's
+ mailbox. For example, the signer might wish to use i= to
+ encode user-related audit information, such as how they were
+ accessing the service at the time of message posting.
+ Therefore, it is not possible to conclude anything from the i=
+ string's (dis)similarity to email addresses elsewhere in the
+ header.
+
+ So, i= can have any of these properties:
+
+ * Be a valid domain when it is the same as d=
+
+ * Appear to be a subdomain of d= but might not even exist
+
+ * Look like a mailbox address but might have different semantics
+ and therefore not function as a valid email address
+
+ * Be unique for each message, such as indicating access details
+ of the user for the specific posting
+
+ This underscores why the tag needs to be treated as being opaque,
+ since it can represent any semantics, known only to the signer.
+
+ Hence, i= serves well as a token that is usable like a Web cookie,
+ for return to the signing Administrative Management Domain (ADMD) --
+ such as for auditing and debugging. Of course in some scenarios the
+ i= string might provide a useful adjunct value for additional
+ (heuristic) processing by the Handling Filter.
+
+2.3. Choosing the Signing Domain Name
+
+ A DKIM signing entity can serve different roles, such as being the
+ author of content, the operator of the mail service, or the operator
+ of a reputation service that also provides signing services on behalf
+ of its customers. In these different roles, the basis for
+ distinguishing among portions of email traffic can vary. For an
+ entity creating DKIM signatures, it is likely that different portions
+ of its mail will warrant different levels of trust. For example:
+
+ * Mail is sent for different purposes, such as marketing versus
+ transactional, and recipients demonstrate different patterns of
+ acceptance between these.
+
+
+
+Hansen, et al. Informational [Page 8]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ * For an operator of an email service, there often are distinct
+ sub-populations of users warranting different levels of trust
+ or privilege, such as paid versus free users, or users engaged
+ in direct correspondence versus users sending bulk mail.
+
+ * Mail originating outside an operator's system, such as when it
+ is redistributed by a mailing-list service run by the operator,
+ will warrant a different reputation from mail submitted by
+ users authenticated with the operator.
+
+ It is therefore likely to be useful for a signer to use different d=
+ subdomain names, for different message traffic streams, so that
+ receivers can make differential assessments. However, too much
+ differentiation -- that is, too fine a granularity of signing domains
+ -- makes it difficult for the receiver to discern a sufficiently
+ stable pattern of traffic for developing an accurate and reliable
+ assessment. So the differentiation needs to achieve a balance.
+ Generally, in a trust system, legitimate signers have an incentive to
+ pick a small stable set of identities, so that recipients and others
+ can attribute reputations to them. The set of these identities a
+ receiver trusts is likely to be quite a bit smaller than the set it
+ views as risky.
+
+ The challenge in using additional layers of subdomains is whether the
+ extra granularity will be useful for the Assessor. In fact,
+ excessive levels invite ambiguity: if the Assessor does not take
+ advantage of the added granularity in the entire domain name that is
+ provided, they might unilaterally decide to use only some rightmost
+ part of the identifier. The signer cannot know what portion will be
+ used. That ambiguity would move the use of DKIM back to the realm of
+ heuristics, rather than the deterministic processing that is its
+ goal.
+
+ Hence, the challenge is to determine a useful scheme for labeling
+ different traffic streams. The most obvious choices are among
+ different types of content and/or different types of authors.
+ Although stability is essential, it is likely that the choices will
+ change, over time, so the scheme needs to be flexible.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hansen, et al. Informational [Page 9]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ For those originating message content, the most likely choice of
+ subdomain naming scheme will by based upon type of content, which can
+ use content-oriented labels or service-oriented labels. For example:
+
+ transaction.example.com
+ newsletter.example.com
+ bugreport.example.com
+ support.example.com
+ sales.example.com
+ marketing.example.com
+
+ where the choices are best dictated by whether they provide the
+ Identity Assessor with the ability to discriminate usefully among
+ streams of mail that demonstrate significantly different degrees of
+ recipient acceptance or safety. Again, the danger in providing too
+ fine a granularity is that related message streams that are labeled
+ separately will not benefit from an aggregate reputation.
+
+ For those operating messaging services on behalf of a variety of
+ customers, an obvious scheme to use has a different subdomain label
+ for each customer. For example:
+
+ widgetco.example.net
+ moviestudio.example.net
+ bigbank.example.net
+
+ However, it can also be appropriate to label by the class of service
+ or class of customer, such as:
+
+ premier.example.net
+ free.example.net
+ certified.example.net
+
+ Prior to using domain names for distinguishing among sources of data,
+ IP Addresses have been the basis for distinction. Service operators
+ typically have done this by dedicating specific outbound IP Addresses
+ to specific mail streams -- typically to specific customers. For
+ example, a university might want to distinguish mail from the
+ administration, versus mail from the student dorms. In order to make
+ the adoption of a DKIM-based service easier, it can be reasonable to
+ translate the same partitioning of traffic, using domain names in
+ place of the different IP Addresses.
+
+2.4. Recipient-Based Assessments
+
+ DKIM gives the recipient site's Identity Assessor a verifiable
+ identifier to use for analysis. Although the mechanism does not make
+ claims that the signer is a Good Actor or a Bad Actor, it does make
+
+
+
+Hansen, et al. Informational [Page 10]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ it possible to know that use of the identifier is valid. This is in
+ marked contrast with schemes that do not have authentication.
+ Without verification, it is not possible to know whether the
+ identifier -- whether taken from the RFC5322.From field, the
+ RFC5321.MailFrom command, or the like -- is being used by an
+ authorized agent. DKIM solves this problem. Hence, with DKIM, the
+ Assessor can know that two messages with the same DKIM d= identifier
+ are, in fact, signed by the same person or organization. This
+ permits a far more stable and accurate assessment of mail traffic
+ using that identifier.
+
+ DKIM is distinctive, in that it provides an identifier that is not
+ necessarily related to any other identifier in the message. Hence,
+ the signer might be the author's ADMD, one of the operators along the
+ transit path, or a reputation service being used by one of those
+ handling services. In fact, a message can have multiple signatures,
+ possibly by any number of these actors.
+
+ As discussed above, the choice of identifiers needs to be based on
+ differences that the signer thinks will be useful for the recipient
+ Assessor. Over time, industry practices establish norms for these
+ choices.
+
+ Absent such norms, it is best for signers to distinguish among
+ streams that have significant differences, while consuming the
+ smallest number of identifiers possible. This will limit the
+ burden on recipient Assessors.
+
+ A common view about a DKIM signature is that it carries a degree of
+ assurance about some or all of the message contents, and in
+ particular, that the RFC5322.From field is likely to be valid. In
+ fact, DKIM makes assurances only about the integrity of the data and
+ not about its validity. Still, presumptions of the RFC5322.From
+ field validity remain a concern. Hence, a signer using a domain name
+ that is unrelated to the domain name in the RFC5322.From field can
+ reasonably expect that the disparity will warrant some curiosity, at
+ least until signing by independent operators has produced some
+ established practice among recipient Assessors.
+
+ With the identifier(s) supplied by DKIM, the Assessor can consult an
+ independent assessment service about the entity associated with the
+ identifier(s). Another possibility is that the Assessor can develop
+ its own reputation rating for the identifier(s). That is, over time,
+ the Assessor can observe the stream of messages associated with the
+ identifier(s) developing a reaction to associated content. For
+ example, if there is a high percentage of user complaints regarding
+
+
+
+
+
+Hansen, et al. Informational [Page 11]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ signed mail with a d= value of "widgetco.example.net", the Assessor
+ might include that fact in the vector of data it provides to the
+ Handling Filter. This is also discussed briefly in Section 5.4.
+
+2.5. Filtering
+
+ The assessment of the signing identifier is given to a Handling
+ Filter that is defined by local policies, according to a potentially
+ wide range of different factors and weightings. This section
+ discusses some of the kinds of choices and weightings that are
+ plausible and the differential actions that might be performed.
+ Because authenticated domain names represent a collaborative sequence
+ between signer and Assessor, actions can sometimes reasonably include
+ contacting the signer.
+
+ The discussion focuses on variations in Organizational Trust versus
+ Message Stream Risk, that is, the degree of positive assessment of a
+ DKIM-signing organization, and the potential danger present in the
+ message stream signed by that organization. While it might seem that
+ higher trust automatically means lower risk, the experience with
+ real-world operations provides examples of every combination of the
+ two factors, as shown in Figure 2. For each axis, only three levels
+ of granularity are listed, in order to keep discussion manageable.
+ In real-world filtering engines, finer-grained distinctions are
+ typically needed, and there typically are more axes. For example,
+ there are different types of risk, so that an engine might
+ distinguish between spam risk versus virus risk and take different
+ actions based on which type of problematic content is present. For
+ spam, the potential damage from a false negative is small, whereas
+ the damage from a false positive is high. For a virus, the potential
+ danger from a false negative is extremely high, while the likelihood
+ of a false positive when using modern detection tools is extremely
+ low. However, for the discussion here, "risk" is taken as a single
+ construct.
+
+ The DKIM d= identifier is independent of any other identifier in a
+ message and can be a subdomain of the name owned by the signer. This
+ permits the use of fine-grained and stable distinctions between
+ different types of message streams, such as between transactional
+ messages and marketing messages from the same organization. Hence,
+ the use of DKIM might permit a richer filtering model than has
+ typically been possible for mail-receiving engines.
+
+ Note that the realities of today's public Internet Mail environment
+ necessitate having a baseline handling model that is quite
+ suspicious. Hence, "strong" filtering rules really are the starting
+ point, as indicated for the UNKNOWN cell.
+
+
+
+
+Hansen, et al. Informational [Page 12]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ The table indicates differential handling for each combination, such
+ as how aggressive or broad-based the filtering could be.
+ Aggressiveness affects the types of incorrect assessments that are
+ likely. So, the table distinguishes various characteristics,
+ including: 1) whether an organization is unknown, known to be good
+ actors, or known to be bad actors; and 2) the assessment of messages.
+ It includes advice about the degree of filtering that might be done,
+ and other message disposition. Perhaps unexpectedly, it also lists a
+ case in which the receiving site might wish to deliver problematic
+ mail, rather than redirecting or deleting it. The site might also
+ wish to contact the signing organization and seek resolution of the
+ problem.
+
+ +-------------+-----------------------------------------------+
+ | S T R E A M * O R G A N I Z A T I O N A L T R U S T |
+ | R I S K * Low Medium High |
+ | +***************+***************+***************+
+ | Low * BENIGN: | DILIGENT: | PRISTINE |
+ | * Moderate | Mild | Accept |
+ | * filter | filter | |
+ | +---------------+---------------+---------------+
+ | Medium * UNKNOWN: | TYPICAL: | PROTECTED: |
+ | * Strong | Targeted | Accept & |
+ | * filter | filter | Contact |
+ | +---------------+---------------+---------------+
+ | High * MALICIOUS: | NEGLIGENT: | COMPROMISED: |
+ | * Block & | Block | Block & |
+ | * Counter | | Contact |
+ +-------------+---------------+---------------+---------------+
+
+ Figure 2: Trust versus Risk Handling Tradeoffs Example
+
+ [LEGEND]
+
+ AXES
+
+ Stream Risk: This is a measure of the recent history of a message
+ stream and the severity of problems it has presented.
+
+ Organizational Trust: This combines longer-term history about
+ possible stream problems from that organization, and its
+ responsiveness to problem handling.
+
+ CELLS (indicating reasonable responses)
+
+ Labels for the cells are meant as a general assessment of an
+ organization producing that type of mail stream under that
+ circumstance.
+
+
+
+Hansen, et al. Informational [Page 13]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ Benign: There is some history of sending good messages, with very
+ few harmful messages having been received. This stream
+ warrants filtering that does not search for problems very
+ aggressively, in order to reduce the likelihood of false
+ positives.
+
+ Diligent: The stream has had a limited degree of problems and the
+ organization is consistently successful at controlling their
+ abuse issues and in a timely manner.
+
+ Pristine: There is a history of a clean message stream with no
+ problems, from an organization with an excellent reputation.
+ So, the filter primarily needs to ensure that messages are
+ delivered; catching stray problem messages is a lesser concern.
+ In other words, the paramount concern, here, is false
+ positives.
+
+ -----
+
+ Unknown: There is no history with the organization. Apply an
+ aggressive level of "naive" filtering, given the nature of the
+ public email environment.
+
+ Typical: The stream suffers significant abuse issues and the
+ organization has demonstrated a record of having difficulties
+ resolving them in a timely manner, in spite of legitimate
+ efforts. Unfortunately, this is the typical case for service
+ providers with an easy and open subscription policy.
+
+ Protected: An organization with a good history and/or providing
+ an important message stream for the receiving site is subject
+ to a local policy that messages are not allowed to be blocked,
+ but the stream is producing a problematic stream. The receiver
+ delivers messages, but works quickly with the organization to
+ resolve the matter.
+
+ -----
+
+ Malicious: A persistently problematic message stream is coming
+ from an organization that appears to contribute to the problem.
+ The stream will be blocked, but the organization's role is
+ sufficiently troubling to warrant following up with others in
+ the anti-abuse or legal communities, to constrain or end their
+ impact.
+
+
+
+
+
+
+
+Hansen, et al. Informational [Page 14]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ Negligent: A persistently problematic message stream is coming
+ from an organization that does not appear to be contributing to
+ the problem, but also does not appear to be working to
+ eliminate it. At the least, the stream needs to be blocked.
+
+ Compromised: An organization with a good history has a stream
+ that changes and becomes too problematic to be delivered. The
+ receiver blocks the stream and works quickly with the
+ organization to resolve the matter.
+
+3. DKIM Key Generation, Storage, and Management
+
+ By itself, verification of a digital signature only allows the
+ verifier to conclude with a very high degree of certainty that the
+ signature was created by a party with access to the corresponding
+ private signing key. It follows that a verifier requires means to
+ (1) obtain the public key for the purpose of verification and (2)
+ infer useful attributes of the key holder.
+
+ In a traditional Public Key Infrastructure (PKI), the functions of
+ key distribution and key accreditation are separated. In DKIM
+ [RFC4871], these functions are both performed through the DNS.
+
+ In either case, the ability to infer semantics from a digital
+ signature depends on the assumption that the corresponding private
+ key is only accessible to a party with a particular set of
+ attributes. In a traditional PKI, a Trusted Third Party (TTP)
+ vouches that the key holder has been validated with respect to a
+ specified set of attributes. The range of attributes that can be
+ attested in such a scheme is thus limited only to the type of
+ attributes that a TTP can establish effective processes for
+ validating. In DKIM, TTPs are not employed and the functions of key
+ distribution and accreditation are combined.
+
+ Consequently, there are only two types of inference that a signer can
+ make from a key published in a DKIM key record:
+
+ 1. That a party with the ability to control DNS records within a DNS
+ zone intends to claim responsibility for messages signed using
+ the corresponding private signature key.
+
+ 2. That use of a specific key is restricted to the particular subset
+ of messages identified by the selector.
+
+ The ability to draw any useful conclusion from verification of a
+ digital signature relies on the assumption that the corresponding
+ private key is only accessible to a party with a particular set of
+
+
+
+
+Hansen, et al. Informational [Page 15]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ attributes. In the case of DKIM, this means that the party that
+ created the corresponding DKIM key record in the specific zone
+ intended to claim responsibility for the signed message.
+
+ Ideally, we would like to draw a stronger conclusion, that if we
+ obtain a DKIM key record from the DNS zone example.com, that the
+ legitimate holder of the DNS zone example.com claims responsibility
+ for the signed message. In order for this conclusion to be drawn, it
+ is necessary for the verifier to assume that the operational security
+ of the DNS zone and corresponding private key are adequate.
+
+3.1. Private Key Management: Deployment and Ongoing Operations
+
+ Access to signing keys needs to be carefully managed to prevent use
+ by unauthorized parties and to minimize the consequences if a
+ compromise were to occur.
+
+ While a DKIM signing key is used to sign messages on behalf of many
+ mail users, the signing key itself needs to be under direct control
+ of as few key holders as possible. If a key holder were to leave the
+ organization, all signing keys held by that key holder need to be
+ withdrawn from service and, if appropriate, replaced.
+
+ If key management hardware support is available, it needs to be used.
+ If keys are stored in software, appropriate file control protections
+ need to be employed, and any location in which the private key is
+ stored in plaintext form needs to be excluded from regular backup
+ processes and is best not accessible through any form of network
+ including private local area networks. Auditing software needs to be
+ used periodically to verify that the permissions on the private key
+ files remain secure.
+
+ Wherever possible, a signature key needs to exist in exactly one
+ location and be erased when no longer used. Ideally, a signature key
+ pair needs to be generated as close to the signing point as possible,
+ and only the public key component transferred to another party. If
+ this is not possible, the private key needs to be transported in an
+ encrypted format that protects the confidentiality of the signing
+ key. A shared directory on a local file system does not provide
+ adequate security for distribution of signing keys in plaintext form.
+
+ Key escrow schemes are not necessary and are best not used. In the
+ unlikely event of a signing key becoming lost, a new signature key
+ pair can be generated as easily as recovery from a key escrow scheme.
+
+
+
+
+
+
+
+Hansen, et al. Informational [Page 16]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ To enable accountability and auditing:
+
+ o Responsibility for the security of a signing key needs to
+ ultimately vest in a single named individual.
+
+ o Where multiple parties are authorized to sign messages, each
+ signer needs to use a different key to enable accountability and
+ auditing.
+
+ Best practices for management of cryptographic keying material
+ require keying material to be refreshed at regular intervals,
+ particularly where key management is achieved through software.
+ While this practice is highly desirable, it is of considerably less
+ importance than the requirement to maintain the secrecy of the
+ corresponding private key. An operational practice in which the
+ private key is stored in tamper-proof hardware and changed once a
+ year is considerably more desirable than one in which the signature
+ key is changed on an hourly basis but maintained in software.
+
+3.2. Storing Public Keys: DNS Server Software Considerations
+
+ In order to use DKIM, a DNS domain holder requires (1) the ability to
+ create the necessary DKIM DNS records and (2) sufficient operational
+ security controls to prevent insertion of spurious DNS records by an
+ attacker.
+
+ DNS record management is often operated by an administrative staff
+ that is different from those who operate an organization's email
+ service. In order to ensure that DKIM DNS records are accurate, this
+ imposes a requirement for careful coordination between the two
+ operations groups. If the best practices for private key management
+ described above are observed, such deployment is not a one-time
+ event; DNS DKIM selectors will be changed over time as signing keys
+ are terminated and replaced.
+
+ At a minimum, a DNS server that handles queries for DKIM key records
+ needs to allow the server administrators to add free-form TXT
+ records. It would be better if the DKIM records could be entered
+ using a structured form, supporting the DKIM-specific fields.
+
+ Ideally, DNS Security (DNSSEC) [RFC4034] needs to be employed in a
+ configuration that provides protection against record insertion
+ attacks and zone enumeration. In the case that NextSECure version 3
+ (NSEC3) [RFC5155] records are employed to prevent insertion attack,
+ the OPT-OUT flag needs to be clear. (See [RFC5155] section 6 for
+ details.)
+
+
+
+
+
+Hansen, et al. Informational [Page 17]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+3.2.1. Assignment of Selectors
+
+ Selectors are assigned according to the administrative needs of the
+ signing domain, such as for rolling over to a new key or for the
+ delegation of the right to authenticate a portion of the namespace to
+ a TTP. Examples include:
+
+ jun2005.eng._domainkey.example.com
+
+ widget.promotion._domainkey.example.com
+
+ It is intended that assessments of DKIM identities be based on the
+ domain name, and not include the selector. While past practice of a
+ signer can permit a verifier to infer additional properties of
+ particular messages from the structure DKIM key selector, unannounced
+ administrative changes such as a change of signing software can cause
+ such heuristics to fail at any time.
+
+3.3. Per-User Signing Key Management Issues
+
+ While a signer can establish business rules, such as the issue of
+ individual signature keys for each end-user, DKIM makes no provision
+ for communicating these to other parties. Out-of-band distribution
+ of such business rules is outside the scope of DKIM. Consequently,
+ there is no means by which external parties can make use of such keys
+ to attribute messages with any greater granularity than a DNS domain.
+
+ If per-user signing keys are assigned for internal purposes (e.g.,
+ authenticating messages sent to an MTA (Mail Transfer Agent) for
+ distribution), the following issues need to be considered before
+ using such signatures as an alternative to traditional edge signing
+ at the outbound MTA:
+
+ External verifiers will be unable to make use of the additional
+ signature granularity without access to additional information
+ passed out of band with respect to [RFC4871].
+
+ If the number of user keys is large, the efficiency of local
+ caching of key records by verifiers will be lower.
+
+ A large number of end users is be less likely to do an adequate
+ job of managing private key data securely on their personal
+ computers than is an administrator running an edge MTA.
+
+
+
+
+
+
+
+
+Hansen, et al. Informational [Page 18]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+3.4. Third-Party Signer Key Management and Selector Administration
+
+ A DKIM key record only asserts that the holder of the corresponding
+ domain name makes a claim of responsibility for messages signed under
+ the corresponding key. In some applications, such as bulk mail
+ delivery, it is desirable to delegate use of the key. That is, to
+ allow a third party to sign on behalf of the domain holder. The
+ trust relationship is still established between the domain holder and
+ the verifier, but the private signature key is held by a third party.
+
+ Signature keys used by a third-party signer need to be kept entirely
+ separate from those used by the domain holder and other third-party
+ signers. To limit potential exposure of the private key, the
+ signature key pair needs to be generated by the third-party signer
+ and the public component of the key transmitted to the domain holder,
+ rather than have the domain holder generate the key pair and transmit
+ the private component to the third-party signer.
+
+ Domain holders needs to adopt a least-privilege approach and grant
+ third-party signers the minimum access necessary to perform the
+ desired function. Limiting the access granted to third-party signers
+ serves to protect the interests of both parties. The domain holder
+ minimizes its security risk and the TTP signer avoids unnecessary
+ liability.
+
+ In the most restrictive case, domain holders maintain full control
+ over the creation of key records. They can employ appropriate key
+ record restrictions to enforce limits on the messages for which the
+ third-party signer is able to sign. If such restrictions are
+ impractical, the domain holder needs to delegate a DNS subzone for
+ publishing key records to the third-party signer. It is best that
+ the domain holder NOT allow a third-party signer unrestricted access
+ to its DNS service for the purpose of publishing key records.
+
+3.5. Key Pair / Selector Life Cycle Management
+
+ Deployments need to establish, document, and observe processes for
+ managing the entire life cycle of an asymmetric key pair.
+
+3.5.1. Example Key Deployment Process
+
+ When it is determined that a new key pair is required:
+
+ 1. A Key Pair is generated by the signing device.
+
+ 2. A proposed key selector record is generated and transmitted to
+ the DNS administration infrastructure.
+
+
+
+
+Hansen, et al. Informational [Page 19]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ 3. The DNS administration infrastructure verifies the authenticity
+ of the key selector registration request. If accepted:
+
+ 1. A key selector is assigned.
+
+ 2. The corresponding key record is published in the DNS.
+
+ 3. Wait for DNS updates to propagate (if necessary).
+
+ 4. Report assigned key selector to signing device.
+
+ 4. The signer verifies correct registration of the key record.
+
+ 5. The signer begins generating signatures using the new key pair.
+
+ 6. The signer terminates any private keys that are no longer
+ required due to issue of replacement.
+
+3.5.2. Example Key Termination Process
+
+ When it is determined that a private signature key is no longer
+ required:
+
+ 1. The signer stops using the private key for signature operations.
+
+ 2. The signer deletes all records of the private key, including in-
+ memory copies at the signing device.
+
+ 3. The signer notifies the DNS administration infrastructure that
+ the signing key is withdrawn from service and that the
+ corresponding key records can be withdrawn from service at a
+ specified future date.
+
+ 4. The DNS administration infrastructure verifies the authenticity
+ of the key selector termination request. If accepted,
+
+ 1. The key selector is scheduled for deletion at a future time
+ determined by site policy.
+
+ 2. Wait for deletion time to arrive.
+
+ 3. The signer either publishes a revocation key selector with an
+ empty public-key data (p=) field, or deletes the key selector
+ record entirely.
+
+ 5. As far as the verifier is concerned, there is no functional
+ difference between verifying against a key selector with an empty
+ p= field, and verifying against a missing key selector: both
+
+
+
+Hansen, et al. Informational [Page 20]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ result in a failed signature and the signature needs to be
+ treated as if it had not been there. However, there is a minor
+ semantic difference: with the empty p= field, the signer is
+ explicitly stating that the key has been revoked. The empty p=
+ record provides a gravestone for an old selector, making it less
+ likely that the selector might be accidentally reused with a
+ different public key.
+
+4. Signing
+
+ Creating messages that have one or more DKIM signatures requires
+ support in only two outbound email service components:
+
+ o A DNS Administrative interface that can create and maintain the
+ relevant DNS names -- including names with underscores -- and
+ resource records (RR).
+
+ o A trusted module, called the signing module, which is within the
+ organization's outbound email handling service and which creates
+ and adds the DKIM-Signature: header field(s) to the message.
+
+ If the module creates more than one signature, there needs to be the
+ appropriate means of telling it which one(s) to use. If a large
+ number of names are used for signing, it will help to have the
+ administrative tool support a batch-processing mode.
+
+4.1. DNS Records
+
+ A receiver attempting to verify a DKIM signature obtains the public
+ key that is associated with the signature for that message. The
+ DKIM-Signature: header in the message contains the d= tag with the
+ basic domain name doing the signing and serving as output to the
+ Identity Assessor and the s= tag with the selector that is added to
+ the name, for finding the specific public key. Hence, the relevant
+ <selector>._domainkey.<domain-name> DNS record needs to contain a
+ DKIM-related RR that provides the public key information.
+
+ The administrator of the zone containing the relevant domain name
+ adds this information. Initial DKIM DNS information is contained
+ within TXT RRs. DNS administrative software varies considerably in
+ its abilities to support DKIM names, such as with underscores, and to
+ add new types of DNS information.
+
+4.2. Signing Module
+
+ The module doing signing can be placed anywhere within an
+ organization's trusted Administrative Management Domain (ADMD);
+ obvious choices include department-level posting agents, as well as
+
+
+
+Hansen, et al. Informational [Page 21]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ outbound boundary MTAs to the open Internet. However, any other
+ module, including the author's MUA (Mail User Agent), is potentially
+ acceptable, as long as the signature survives any remaining handling
+ within the ADMD. Hence, the choice among the modules depends upon
+ software development, administrative overhead, security exposures,
+ and transit-handling tradeoffs. One perspective that helps to
+ resolve this choice is the difference between the increased
+ flexibility, from placement at (or close to) the MUA, versus the
+ streamlined administration and operation that is more easily obtained
+ by implementing the mechanism "deeper" into the organization's email
+ infrastructure, such as at its boundary MTA.
+
+ Note the discussion in Section 2.2 concerning the use of the i= tag.
+
+ The signing module uses the appropriate private key to create one or
+ more signatures. (See Section 6.5 for a discussion of multiple
+ signatures.) The means by which the signing module obtains the
+ private key(s) is not specified by DKIM. Given that DKIM is intended
+ for use during email transit, rather than for long-term storage, it
+ is expected that keys will be changed regularly. For administrative
+ convenience, it is best not to hard-code key information into
+ software.
+
+4.3. Signing Policies and Practices
+
+ Every organization (ADMD) will have its own policies and practices
+ for deciding when to sign messages (message stream) and with what
+ domain name, selector, and key. Examples of particular message
+ streams include all mail sent from the ADMD versus mail from
+ particular types of user accounts versus mail having particular types
+ of content. Given this variability, and the likelihood that signing
+ practices will change over time, it will be useful to have these
+ decisions represented through run-time configuration information,
+ rather than being hard-coded into the signing software.
+
+ As noted in Section 2.3, the choice of signing name granularity
+ requires balancing administrative convenience and utility for
+ recipients. Too much granularity is higher administrative overhead
+ and might well attempt to impose more differential analysis on the
+ recipient than they wish to support. In such cases, they are likely
+ to use only a super-name -- right-hand substring -- of the signing
+ name. When this occurs, the signer will not know what portion is
+ being used; this then moves DKIM back to the non-deterministic world
+ of heuristics, rather than the mechanistic world of signer/recipient
+ collaboration that DKIM seeks.
+
+
+
+
+
+
+Hansen, et al. Informational [Page 22]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+5. Verifying
+
+ A message recipient can verify a DKIM signature to determine if a
+ claim of responsibility has been made for the message by a trusted
+ domain.
+
+ Access control requires two components: authentication and
+ authorization. By design, verification of a DKIM signature only
+ provides the authentication component of an access control decision
+ and needs to be combined with additional sources of information such
+ as reputation data to arrive at an access control decision.
+
+5.1. Intended Scope of Use
+
+ DKIM requires that a message with a signature that is found to be
+ invalid is to be treated as if the message had not been signed at
+ all.
+
+ If a DKIM signature fails to verify, it is entirely possible that the
+ message is valid and that either there is a configuration error in
+ the signer's system (e.g., a missing key record) or that the message
+ was inadvertently modified in transit. It is thus undesirable for
+ mail infrastructure to treat messages with invalid signatures less
+ favorably than those with no signatures whatsoever. Contrariwise,
+ creation of an invalid signature requires a trivial amount of effort
+ on the part of an attacker. If messages with invalid signatures were
+ to be treated preferentially to messages with no signatures
+ whatsoever, attackers will simply add invalid signature blocks to
+ gain the preferential treatment. It follows that messages with
+ invalid signatures need to be treated no better and no worse than
+ those with no signature at all.
+
+5.2. Signature Scope
+
+ As with any other digital signature scheme, verifiers need to
+ consider only the part of the message that is inside the scope of the
+ message as being authenticated by the signature.
+
+ For example, if the l= option is employed to specify a content length
+ for the scope of the signature, only the part of the message that is
+ within the scope of the content signature would be considered
+ authentic.
+
+
+
+
+
+
+
+
+
+Hansen, et al. Informational [Page 23]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+5.3. Design Scope of Use
+
+ Public key cryptography provides an exceptionally high degree of
+ assurance, bordering on absolute certainty, that the party that
+ created a valid digital signature had access to the private key
+ corresponding to the public key indicated in the signature.
+
+ In order to make useful conclusions from the verification of a valid
+ digital signature, the verifier is obliged to make assumptions that
+ fall far short of absolute certainty. Consequently, mere validation
+ of a DKIM signature does not represent proof positive that a valid
+ claim of responsibility was made for it by the indicated party, that
+ the message is authentic, or that the message is not abusive. In
+ particular:
+
+ o The legitimate private key holder might have lost control of its
+ private key.
+
+ o The legitimate domain holder might have lost control of the DNS
+ server for the zone from which the key record was retrieved.
+
+ o The key record might not have been delivered from the legitimate
+ DNS server for the zone from which the key record was retrieved.
+
+ o Ownership of the DNS zone might have changed.
+
+ In practice, these limitations have little or no impact on the field
+ of use for which DKIM is designed, but they can have a bearing if use
+ is made of the DKIM message signature format or key retrieval
+ mechanism in other specifications.
+
+ In particular, the DKIM key retrieval mechanism is designed for ease
+ of use and deployment rather than to provide a high assurance Public
+ Key Infrastructure suitable for purposes that require robust non-
+ repudiation such as establishing legally binding contracts.
+ Developers seeking to extend DKIM beyond its design application need
+ to consider replacing or supplementing the DNS key retrieval
+ mechanism with one that is designed to meet the intended purposes.
+
+5.4. Inbound Mail Filtering
+
+ DKIM is frequently employed in a mail filtering strategy to avoid
+ performing content analysis on email originating from trusted
+ sources. Messages that carry a valid DKIM signature from a trusted
+ source can be whitelisted, avoiding the need to perform computation
+ and hence energy-intensive content analysis to determine the
+ disposition of the message.
+
+
+
+
+Hansen, et al. Informational [Page 24]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ Mail sources can be determined to be trusted by means of previously
+ observed behavior and/or reference to external reputation or
+ accreditation services. The precise means by which this is
+ accomplished is outside the scope of DKIM.
+
+5.4.1. Non-Verifying Adaptive Spam Filtering Systems
+
+ Adaptive (or learning) spam filtering mechanisms that are not capable
+ of verifying DKIM signatures need to, at minimum, be configured to
+ ignore DKIM header data entirely.
+
+5.5. Messages Sent through Mailing Lists and Other Intermediaries
+
+ Intermediaries, such as mailing lists, pose a particular challenge
+ for DKIM implementations, as the message processing steps performed
+ by the intermediary can cause the message content to change in ways
+ that prevent the signature passing verification.
+
+ Such intermediaries are strongly encouraged to deploy DKIM signing so
+ that a verifiable claim of responsibility remains available to
+ parties attempting to verify the modified message.
+
+5.6. Generation, Transmission, and Use of Results Headers
+
+ In many deployments, it is desirable to separate signature
+ verification from the application relying on the verification. A
+ system can choose to relay information indicating the results of its
+ message authentication efforts using various means; adding a "results
+ header" to the message is one such mechanism [RFC5451]. For example,
+ consider the cases where:
+
+ o The application relying on DKIM signature verification is not
+ capable of performing the verification.
+
+ o The message can be modified after the signature verification is
+ performed.
+
+ o The signature key cannot be available by the time that the message
+ is read.
+
+ In such cases, it is important that the communication link between
+ the signature verifier and the relying application be sufficiently
+ secure to prevent insertion of a message that carries a bogus results
+ header.
+
+ An intermediary that generates results headers need to ensure that
+ relying applications are able to distinguish valid results headers
+ issued by the intermediary from those introduced by an attacker. For
+
+
+
+Hansen, et al. Informational [Page 25]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ example, this can be accomplished by signing the results header. At
+ a minimum, results headers on incoming messages need to be removed if
+ they purport to have been issued by the intermediary but cannot be
+ verified as authentic.
+
+ Further discussion on trusting the results as relayed from a verifier
+ to something downstream can be found in [RFC5451].
+
+6. Taxonomy of Signatures
+
+ As described in Section 2.1, a DKIM signature tells the signature
+ verifier that the owner of a particular domain name accepts some
+ responsibility for the message. It does not, in and of itself,
+ provide any information about the trustworthiness or behavior of that
+ identity. What it does provide is a verified identity to which such
+ behavioral information can be associated, so that those who collect
+ and use such information can be assured that it truly pertains to the
+ identity in question.
+
+ This section lays out a taxonomy of some of the different identities,
+ or combinations of identities, that might usefully be represented by
+ a DKIM signature.
+
+6.1. Single Domain Signature
+
+ Perhaps the simplest case is when an organization signs its own
+ outbound email using its own domain in the SDID [RFC5672] of the
+ signature. For example, Company A would sign the outbound mail from
+ its employees with d=companyA.example.
+
+ In the most straightforward configuration, the addresses in the
+ RFC5322.From field would also be in the companyA.example domain, but
+ that direct correlation is not required.
+
+ A special case of the single domain signature is an author signature
+ as defined by the Author Domain Signing Practices specification
+ [RFC5617]. Author signatures are signatures from an author's
+ organization that have an SDID value that matches that of an
+ RFC5322.From address of the signed message.
+
+ Although an author signature might, in some cases, be proof against
+ spoofing the domain name of the RFC5322.From address, it is important
+ to note that the DKIM and ADSP validation apply only to the exact
+ address string and not to look-alike addresses or to the human-
+ friendly "display-name" or names and addresses used within the body
+ of the message. That is, it only protects against the misuse of a
+ precise address string within the RFC5322.From field and nothing
+ else. For example, a message from bob@domain.example with a valid
+
+
+
+Hansen, et al. Informational [Page 26]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ signature where d=d0main.example would fail an ADSP check because the
+ signature domain, however similar, is distinct; however, a message
+ from bob@d0main.example with a valid signature where d=d0main.example
+ would pass an ADSP check, even though to a human it might be obvious
+ that d0main.example is likely a malicious attempt to spoof the domain
+ domain.example. This example highlights that ADSP, like DKIM, is
+ only able to validate a signing identifier: it still requires some
+ external process to attach a meaningful reputation to that
+ identifier.
+
+6.2. Parent Domain Signature
+
+ Another approach that might be taken by an organization with multiple
+ active subdomains is to apply the same (single) signature domain to
+ mail from all subdomains. In this case, the signature chosen would
+ usually be the signature of a parent domain common to all subdomains.
+ For example, mail from marketing.domain.example,
+ sales.domain.example, and engineering.domain.example might all use a
+ signature where d=domain.example.
+
+ This approach has the virtue of simplicity, but it is important to
+ consider the implications of such a choice. As discussed in
+ Section 2.3, if the type of mail sent from the different subdomains
+ is significantly different or if there is reason to believe that the
+ reputation of the subdomains would differ, then it can be a good idea
+ to acknowledge this and provide distinct signatures for each of the
+ subdomains (d=marketing.domain.example, sales.domain.example, etc.).
+ However, if the mail and reputations are likely to be similar, then
+ the simpler approach of using a single common parent domain in the
+ signature can work well.
+
+ Another approach to distinguishing the streams using a single DKIM
+ key would be to leverage the AUID [RFC5672] (i= tag) in the DKIM
+ signature to differentiate the mail streams. For example, marketing
+ email would be signed with i=@marketing.domain.example and
+ d=domain.example.
+
+ It's important to remember, however, that under core DKIM semantics,
+ the AUID is opaque to receivers. That means that it will only be an
+ effective differentiator if there is an out-of-band agreement about
+ the i= semantics.
+
+6.3. Third-Party Signature
+
+ A signature whose domain does not match the domain of the
+ RFC5322.From address is sometimes referred to as a third-party
+ signature. In certain cases, even the parent domain signature
+
+
+
+
+Hansen, et al. Informational [Page 27]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ described above would be considered a third-party signature because
+ it would not be an exact match for the domain in the RFC5322.From
+ address.
+
+ Although there is often heated debate about the value of third party
+ signatures, it is important to note that the DKIM specification
+ attaches no particular significance to the identity in a DKIM
+ signature ([RFC4871], [RFC5672]). The identity specified within the
+ signature is the identity that is taking responsibility for the
+ message, and it is only the interpretation of a given receiver that
+ gives one identity more or less significance than another. In
+ particular, most independent reputation services assign trust based
+ on the specific identifier string, not its "role": in general they
+ make no distinction between, for example, an author signature and a
+ third-party signature.
+
+ For some, a signature unrelated to the author domain (the domain in
+ the RFC5322.From address) is less valuable because there is an
+ assumption that the presence of an author signature guarantees that
+ the use of the address in the RFC5322.From header is authorized.
+
+ For others, that relevance is tied strictly to the recorded
+ behavioral data assigned to the identity in question, i.e., its trust
+ assessment or reputation. The reasoning here is that an identity
+ with a good reputation is unlikely to maintain that good reputation
+ if it is in the habit of vouching for messages that are unwanted or
+ abusive; in fact, doing so will rapidly degrade its reputation so
+ that future messages will no longer benefit from it. It is therefore
+ low risk to facilitate the delivery of messages that contain a valid
+ signature of a domain with a strong positive reputation, independent
+ of whether or not that domain is associated with the address in the
+ RFC5322.From header field of the message.
+
+ Third-party signatures encompass a wide range of identities. Some of
+ the more common are:
+
+ Service Provider: In cases where email is outsourced to an Email
+ Service Provider (ESP), Internet Service Provider (ISP), or other
+ type of service provider, that service provider can choose to
+ DKIM-sign outbound mail with either its own identifier -- relying
+ on its own, aggregate reputation -- or with a subdomain of the
+ provider that is unique to the message author but still part of
+ the provider's aggregate reputation. Such service providers can
+ also encompass delegated business functions such as benefit
+ management, although these will more often be treated as trusted
+ third-party senders (see below).
+
+
+
+
+
+Hansen, et al. Informational [Page 28]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ Parent Domain: As discussed above, organizations choosing to apply a
+ parent-domain signature to mail originating from subdomains can
+ have their signatures treated as third party by some verifiers,
+ depending on whether or not the "t=s" tag is used to constrain the
+ parent signature to apply only to its own specific domain. The
+ default is to consider a parent-domain signature valid for its
+ subdomains.
+
+ Reputation Provider: Another possible category of third-party
+ signature would be the identity of a third-party reputation
+ provider. Such a signature would indicate to receivers that the
+ message was being vouched for by that third party.
+
+6.4. Using Trusted Third-Party Senders
+
+ For most of the cases described so far, there has been an assumption
+ that the signing agent was responsible for creating and maintaining
+ its own DKIM signing infrastructure, including its own keys, and
+ signing with its own identity.
+
+ A different model arises when an organization uses a trusted third-
+ party sender for certain key business functions, but still wants that
+ email to benefit from the organization's own identity and reputation.
+ In other words, the mail would come out of the trusted third party's
+ mail servers, but the signature applied would be that of the
+ controlling organization.
+
+ This can be done by having the third party generate a key pair that
+ is designated uniquely for use by that trusted third party and
+ publishing the public key in the controlling organization's DNS
+ domain, thus enabling the third party to sign mail using the
+ signature of the controlling organization. For example, if Company A
+ outsources its employee benefits to a third party, it can use a
+ special key pair that enables the benefits company to sign mail as
+ "companyA.example". Because the key pair is unique to that trusted
+ third party, it is easy for Company A to revoke the authorization if
+ necessary by simply removing the public key from the companyA.example
+ DNS.
+
+ A more cautious approach would be to create a dedicated subdomain
+ (e.g., benefits.companyA.example) to segment the outsourced mail
+ stream, and to publish the public key there; the signature would then
+ use d=benefits.companyA.example.
+
+
+
+
+
+
+
+
+Hansen, et al. Informational [Page 29]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+6.4.1. DNS Delegation
+
+ Another possibility for configuring trusted third-party access, as
+ discussed in Section 3.4, is to have Company A use DNS delegation and
+ have the designated subdomain managed directly by the trusted third
+ party. In this case, Company A would create a subdomain
+ benefits.companya.example, and delegate the DNS management of that
+ subdomain to the benefits company so it could maintain its own key
+ records. When revocation becomes necessary, Company A could simply
+ remove the DNS delegation record.
+
+6.5. Multiple Signatures
+
+ A simple configuration for DKIM-signed mail is to have a single
+ signature on a given message. This works well for domains that
+ manage and send all of their own email from single sources, or for
+ cases where multiple email streams exist but each has its own unique
+ key pair. It also represents the case in which only one of the
+ participants in an email sequence is able to sign, no matter whether
+ it represents the author or one of the operators.
+
+ The examples thus far have considered the implications of using
+ different identities in DKIM signatures, but have used only one such
+ identity for any given message. In some cases, it can make sense to
+ have more than one identity claiming responsibility for the same
+ message.
+
+ There are a number of situations where applying more than one DKIM
+ signature to the same message might make sense. A few examples are:
+
+ Companies with multiple subdomain identities: A company that has
+ multiple subdomains sending distinct categories of mail might
+ choose to sign with distinct subdomain identities to enable each
+ subdomain to manage its own identity. However, it might also want
+ to provide a common identity that cuts across all of the distinct
+ subdomains. For example, Company A can sign mail for its sales
+ department with a signature where d=sales.companya.example and a
+ second signature where d=companya.example
+
+ Service Providers: A service provider can, as described above,
+ choose to sign outbound messages with either its own identity or
+ an identity unique to each of its clients (possibly delegated).
+ However, it can also do both: sign each outbound message with its
+ own identity as well as with the identity of each individual
+ client. For example, ESP A might sign mail for its client Company
+ B with its service provider signature d=espa.example, and a second
+ client-specific signature where d= either companyb.example or
+ companyb.espa.example. The existence of the service provider
+
+
+
+Hansen, et al. Informational [Page 30]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ signature could, for example, help cover a new client while it
+ establishes its own reputation, or help a very small volume client
+ who might never reach a volume threshold sufficient to establish
+ an individual reputation.
+
+ Forwarders: Forwarded mail poses a number of challenges to email
+ authentication. DKIM is relatively robust in the presence of
+ forwarders as long as the signature is designed to avoid message
+ parts that are likely to be modified; however, some forwarders do
+ make modifications that can invalidate a DKIM signature.
+
+ Some forwarders such as mailing lists or "forward article to a
+ friend" services might choose to add their own signatures to
+ outbound messages to vouch for them having legitimately originated
+ from the designated service. In this case, the signature would be
+ added even in the presence of a preexisting signature, and both
+ signatures would be relevant to the verifier.
+
+ Any forwarder that modifies messages in ways that will break
+ preexisting DKIM signatures needs to sign its forwarded messages.
+
+ Reputation Providers: Although third-party reputation providers
+ today use a variety of protocols to communicate their information
+ to receivers, it is possible that they, or other organizations
+ willing to put their "seal of approval" on an email stream, might
+ choose to use a DKIM signature to do it. In nearly all cases,
+ this "reputation" signature would be in addition to the author or
+ originator signature.
+
+ One important caveat to the use of multiple signatures is that there
+ is currently no clear consensus among receivers on how they plan to
+ handle them. The opinions range from ignoring all but one signature
+ (and the specification of which of them is verified differs from
+ receiver to receiver), to verifying all signatures present and
+ applying a weighted blend of the trust assessments for those
+ identifiers, to verifying all signatures present and simply using the
+ identifier that represents the most positive trust assessment. It is
+ likely that the industry will evolve to accept multiple signatures
+ using either the second or third of these, but it can take some time
+ before one approach becomes pervasive.
+
+7. Example Usage Scenarios
+
+ Signatures are created by different types of email actors, based on
+ different criteria, such as where the actor operates in the sequence
+ from author to recipient, whether they want different messages to be
+ evaluated under the same reputation or a different one, and so on.
+
+
+
+
+Hansen, et al. Informational [Page 31]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ This section provides some examples of usage scenarios for DKIM
+ deployments; the selection is not intended to be exhaustive but to
+ illustrate a set of key deployment considerations.
+
+7.1. Author's Organization - Simple
+
+ The simplest DKIM configuration is to have some mail from a given
+ organization (Company A) be signed with the same d= value (e.g.,
+ d=companya.example). If there is a desire to associate additional
+ information, the AUID [RFC5672] value can become
+ uniqueID@companya.example, or @uniqueID.companya.example.
+
+ In this scenario, Company A need only generate a single signing key
+ and publish it under their top-level domain (companya.example); the
+ signing module would then tailor the AUID value as needed at signing
+ time.
+
+7.2. Author's Organization - Differentiated Types of Mail
+
+ A slight variation of the one signature case is where Company A signs
+ some of its mail, but it wants to differentiate among categories of
+ its outbound mail by using different identifiers. For example, it
+ might choose to distinguish marketing, billing or transactional, and
+ individual corporate email into marketing.companya.example,
+ billing.companya.example, and companya.example, respectively, where
+ each category is assigned a unique subdomain and unique signing keys.
+
+7.3. Author Domain Signing Practices
+
+7.3.1. Introduction
+
+ Some domains might decide to sign all of their outgoing mail. If all
+ of the legitimate mail for a domain is signed, recipients can be more
+ aggressive in their filtering of mail that uses the domain but does
+ not have a valid signature from the domain; in such a configuration,
+ the absence of a signature would be more significant than for the
+ general case. It might be desirable for such domains to be able to
+ advertise their intent to other receivers: this is the topic of
+ Author Domain Signing Practices (ADSP).
+
+ Note that ADSP is not for everyone. Sending domains that do not
+ control all legitimate outbound mail purporting to be from their
+ domain (i.e., with an RFC5322.From address in their domain) are
+ likely to experience delivery problems with some percentage of that
+ mail. Administrators evaluating ADSP for their domains needs to
+ carefully weigh the risk of phishing attacks against the likelihood
+ of undelivered mail.
+
+
+
+
+Hansen, et al. Informational [Page 32]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ This section covers some examples of ADSP usage. For the complete
+ specification, see [RFC5617].
+
+7.3.2. A Few Definitions
+
+ In the ADSP specification, an address in the RFC5322.From header
+ field of a message is defined as an "Author Address", and an "Author
+ Domain" is defined as anything to the right of the '@' in an author
+ address.
+
+ An "Author Signature" is thus any valid signature where the value of
+ the SDID matches an author domain in the message.
+
+ It is important to note that unlike the DKIM specification, which
+ makes no correlation between the signature domain and any message
+ headers, the ADSP specification applies only to the author domain.
+ In essence, under ADSP, any non-author signatures are ignored
+ (treated as if they are not present).
+
+ Signers wishing to publish an Author Domain Signing Practices (ADSP)
+ [RFC5617] record describing their signing practices will thus want to
+ include an author signature on their outbound mail to avoid ADSP
+ verification failures.
+
+7.3.3. Some ADSP Examples
+
+ An organization (Company A) can specify its signing practices by
+ publishing an ADSP record with "dkim=all" or "dkim=discardable". In
+ order to avoid misdelivery of its mail at receivers that are
+ validating ADSP, Company A needs to first have done an exhaustive
+ analysis to determine all sources of outbound mail from its domain
+ (companyA.example) and ensure that they all have valid author
+ signatures from that domain.
+
+ For example, email with an RFC5322.From address of bob@
+ companyA.example needs to have an author signature where the SDID
+ value is "companyA.example" or it will fail an ADSP validation.
+
+ Note that once an organization publishes an ADSP record using
+ dkim=all or dkim=discardable, any email with an RFC5322.From address
+ that uses the domain where the ADSP record is published that does not
+ have a valid author signature is at risk of being misdelivered or
+ discarded. For example, if a message with an RFC5322.From address of
+ newsletter@companyA.example has a signature with
+ d=marketing.companyA.example, that message will fail the ADSP check
+ because the signature would not be considered a valid author
+ signature.
+
+
+
+
+Hansen, et al. Informational [Page 33]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ Because the semantics of an ADSP author signature are more
+ constrained than the semantics of a "pure" DKIM signature, it is
+ important to make sure the nuances are well understood before
+ deploying an ADSP record. The ADSP specification [RFC5617] provides
+ some fairly extensive lookup examples (in Appendix A) and usage
+ examples (in Appendix B).
+
+ In particular, in order to prevent mail from being negatively
+ impacted or even discarded at the receiver, it is essential to
+ perform a thorough survey of outbound mail from a domain before
+ publishing an ADSP policy of anything stronger than "unknown". This
+ includes mail that might be sent from external sources that might not
+ be authorized to use the domain signature, as well as mail that risks
+ modification in transit that might invalidate an otherwise valid
+ author signature (e.g., mailing lists, courtesy forwarders, and other
+ paths that could add or modify headers or modify the message body).
+
+7.4. Delegated Signing
+
+ An organization might choose to outsource certain key services to an
+ independent company. For example, Company A might outsource its
+ benefits management, or Organization B might outsource its marketing
+ email.
+
+ If Company A wants to ensure that all of the mail sent on its behalf
+ through the benefits providers email servers shares the Company A
+ reputation, as discussed in Section 6.4, it can either publish keys
+ designated for the use of the benefits provider under
+ companyA.example (preferably under a designated subdomain of
+ companyA.example), or it can delegate a subdomain (e.g.,
+ benefits.companyA.example) to the provider and enable the provider to
+ generate the keys and manage the DNS for the designated subdomain.
+
+ In both of these cases, mail would be physically going out of the
+ benefit provider's mail servers with a signature of, e.g.,
+ d=benefits.companya.example. Note that the RFC5322.From address is
+ not constrained: it could be affiliated with either the benefits
+ company (e.g., benefits-admin@benefitprovider.example, or
+ benefits-provider@benefits.companya.example) or the companyA domain.
+
+ Note that in both of the above scenarios, as discussed in
+ Section 3.4, security concerns dictate that the keys be generated by
+ the organization that plans to do the signing so that there is no
+ need to transfer the private key. In other words, the benefits
+ provider would generate keys for both of the above scenarios.
+
+
+
+
+
+
+Hansen, et al. Informational [Page 34]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+7.5. Independent Third-Party Service Providers
+
+ Another way to manage the service provider configuration would be to
+ have the service provider sign the outgoing mail on behalf of its
+ client, Company A, with its own (provider) identifier. For example,
+ an Email Service Provider (ESP A) might want to share its own mailing
+ reputation with its clients, and might sign all outgoing mail from
+ its clients with its own d= domain (e.g., d=espa.example).
+
+ When the ESP wants to distinguish among its clients, it has two
+ options:
+
+ o Share the SDID domain and use the AUID value to distinguish among
+ the clients, e.g., a signature on behalf of client A would have
+ d=espa.example and i=@clienta.espa.example (or
+ i=clienta@espa.example).
+
+ o Extend the SDID domain, so there is a unique value (and subdomain)
+ for each client, e.g., a signature on behalf of client A would
+ have d=clienta.espa.example.
+
+ Note that this scenario and the delegation scenario are not mutually
+ exclusive. In some cases, it can be desirable to sign the same
+ message with both the ESP and the ESP client identities.
+
+7.6. Mail Streams Based on Behavioral Assessment
+
+ An ISP (ISP A) might want to assign signatures to outbound mail from
+ its users according to each user's past sending behavior
+ (reputation). In other words, the ISP would segment its outbound
+ traffic according to its own assessment of message quality, to aid
+ recipients in differentiating among these different streams. Since
+ the semantics of behavioral assessments are not valid AUID values,
+ ISP A (ispa.example) can configure subdomains corresponding to the
+ assessment categories (e.g., good.ispa.example, neutral.ispa.example,
+ bad.ispa.example), and use these subdomains in the d= value of the
+ signature.
+
+ The signing module can also set the AUID value to have a unique user
+ ID (distinct from the local-part of the user's email address), for
+ example, user3456@neutral.domain.example. Using a user ID that is
+ distinct from a given email alias is useful in environments where a
+ single user might register multiple email aliases.
+
+ Note that in this case, the AUID values are only partially stable.
+ They are stable in the sense that a given i= value will always
+ represent the same identity, but they are unstable in the sense that
+
+
+
+
+Hansen, et al. Informational [Page 35]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ a given user can migrate among the assessment subdomains depending on
+ their sending behavior (i.e., the same user might have multiple AUID
+ values over the lifetime of a single account).
+
+ In this scenario, ISP A can generate as many keys as there are
+ assessment subdomains (SDID values), so that each assessment
+ subdomain has its own key. The signing module would then choose its
+ signing key based on the assessment of the user whose mail was being
+ signed, and if desired, include the user ID in the AUID of the
+ signature. As discussed earlier, the per-user granularity of the
+ AUID can be ignored by verifiers; so organizations choosing to use it
+ ought not rely on its use for receiver side filtering results.
+ However, some organizations might also find the information useful
+ for their own purposes in processing bounces or abuse reports.
+
+7.7. Agent or Mediator Signatures
+
+ Another scenario is that of an agent, usually a re-mailer of some
+ kind, that signs on behalf of the service or organization that it
+ represents. Some examples of agents might be a mailing list manager,
+ or the "forward article to a friend" service that many online
+ publications offer. In most of these cases, the signature is
+ asserting that the message originated with, or was relayed by, the
+ service asserting responsibility. In general, if the service is
+ configured in such a way that its forwarding would break existing
+ DKIM signatures, it needs to always add its own signature.
+
+8. Usage Considerations
+
+8.1. Non-Standard Submission and Delivery Scenarios
+
+ The robustness of DKIM's verification mechanism is based on the fact
+ that only authorized signing modules have access to the designated
+ private key. This has the side effect that email submission and
+ delivery scenarios that originate or relay messages from outside the
+ domain of the authorized signing module will not have access to that
+ protected private key, and thus will be unable to attach the expected
+ domain signature to those messages. Such scenarios include mailing
+ lists, courtesy forwarders, MTAs at hotels, hotspot networks used by
+ traveling users, and other paths that could add or modify headers, or
+ modify the message body.
+
+ For example, assume Joe works for Company A and has an email address
+ joe@companya.example. Joe also has an ISP-1 account
+ joe@isp1.example.com, and he uses ISP-1's multiple address feature to
+ attach his work email address, joe@companya.example, to email from
+ his ISP-1 account. When Joe sends email from his ISP-1 account and
+ uses joe@companya.example as his designated RFC5322.From address,
+
+
+
+Hansen, et al. Informational [Page 36]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ that email cannot have a signature with d=companya.example because
+ the ISP-1 servers have no access to Company A's private key. In
+ ISP-1's case, it will have an ISP-1 signature, but for some other
+ mail clients offering the same multiple address feature there might
+ be no signature at all on the message.
+
+ Another example might be the use of a forward article to a friend
+ service. Most instances of these services today allow someone to
+ send an article with their email address in the RFC5322.From to their
+ designated recipient. If Joe used either of his two addresses
+ (joe@companya.example or joe@isp1.example.com), the forwarder would
+ be equally unable to sign with a corresponding domain. As in the
+ mail client case, the forwarder can either sign as its own domain or
+ put no signature on the message.
+
+ A third example is the use of privately configured forwarding.
+ Assume that Joe has another account at ISP-2, joe@isp-2.example.com,
+ but he'd prefer to read his ISP-2 mail from his ISP-1 account. He
+ sets up his ISP-2 account to forward all incoming mail to
+ joe@isp1.example.com. Assume alice@companyb.example sends
+ joe@isp-2.example.com an email. Depending on how companyb.example
+ configured its signature, and depending on whether or not ISP-2
+ modifies messages that it forwards, it is possible that when Alice's
+ message is received in Joe's ISP-1 account, the original signature
+ will fail verification.
+
+8.2. Protection of Internal Mail
+
+ One identity is particularly amenable to easy and accurate
+ assessment: the organization's own identity. Members of an
+ organization tend to trust messages that purport to be from within
+ that organization. However, Internet Mail does not provide a
+ straightforward means of determining whether such mail is, in fact,
+ from within the organization. DKIM can be used to remedy this
+ exposure. If the organization signs all of its mail, then its
+ boundary MTAs can look for mail purporting to be from the
+ organization that does not contain a verifiable signature.
+
+ Such mail can, in most cases, be presumed to be spurious. However,
+ domain managers are advised to consider the ways that mail processing
+ can modify messages in ways that will invalidate an existing DKIM
+ signature: mailing lists, courtesy forwarders, and other paths that
+ could add or modify headers or modify the message body (e.g., MTAs at
+ hotels, hotspot networks used by traveling users, and other scenarios
+ described in the previous section). Such breakage is particularly
+ relevant in the presence of Author Domain Signing Practices.
+
+
+
+
+
+Hansen, et al. Informational [Page 37]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+8.3. Signature Granularity
+
+ Although DKIM's use of domain names is optimized for a scope of
+ organization-level signing, it is possible to administer subdomains
+ or otherwise adjust signatures in a way that supports per-user
+ identification. This user-level granularity can be specified in two
+ ways: either by sharing the signing identity and specifying an
+ extension to the i= value that has a per-user granularity or by
+ creating and signing with unique per-user keys.
+
+ A subdomain or local part in the i= tag needs to be treated as an
+ opaque identifier and thus need not correspond directly to a DNS
+ subdomain or be a specific user address.
+
+ The primary way to sign with per-user keys requires each user to have
+ a distinct DNS (sub)domain, where each distinct d= value has a key
+ published. (It is possible, although not advised, to publish the
+ same key in more than one distinct domain.)
+
+ It is technically possible to publish per-user keys within a single
+ domain or subdomain by utilizing different selector values. This is
+ not advised and is unlikely to be treated uniquely by Assessors: the
+ primary purpose of selectors is to facilitate key management, and the
+ DKIM specification recommends against using them in determining or
+ assessing identities.
+
+ In most cases, it would be impractical to sign email on a per-user
+ granularity. Such an approach would be
+
+ likely to be ignored: In most cases today, if receivers are
+ verifying DKIM signatures, they are in general taking the simplest
+ possible approach. In many cases, maintaining reputation
+ information at a per-user granularity is not interesting to them,
+ in large part because the per-user volume is too small to be
+ useful or interesting. So even if senders take on the complexity
+ necessary to support per-user signatures, receivers are unlikely
+ to retain anything more than the base domain reputation.
+
+ difficult to manage: Any scheme that involves maintenance of a
+ significant number of public keys might require infrastructure
+ enhancements or extensive administrative expertise. For domains
+ of any size, maintaining a valid per-user keypair, knowing when
+ keys need to be revoked or added due to user attrition or
+ onboarding, and the overhead of having the signing engine
+ constantly swapping keys can create significant and often
+ unnecessary management complexity. It is also important to note
+
+
+
+
+
+Hansen, et al. Informational [Page 38]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ that there is no way within the scope of the DKIM specification
+ for a receiver to infer that a sender intends a per-user
+ granularity.
+
+ As mentioned before, what might make sense, however, is to use the
+ infrastructure that enables finer granularity in signatures to
+ identify segments smaller than a domain but much larger than a per-
+ user segmentation. For example, a university might want to segment
+ student, staff, and faculty mail into three distinct streams with
+ differing reputations. This can be done by creating separate
+ subdomains for the desired segments, and either specifying the
+ subdomains in the i= tag of the DKIM Signature or by adding
+ subdomains to the d= tag and assigning and signing with different
+ keys for each subdomain.
+
+ For those who choose to represent user-level granularity in
+ signatures, the performance and management considerations above
+ suggest that it would be more effective to do so by specifying a
+ local part or subdomain extension in the i= tag rather than by
+ extending the d= domain and publishing individual keys.
+
+8.4. Email Infrastructure Agents
+
+ It is expected that the most common venue for a DKIM implementation
+ will be within the infrastructure of an organization's email service,
+ such as a department or a boundary MTA. What follows are some
+ general recommendations for the Email Infrastructure.
+
+ Outbound: An MSA (Mail Submission Agent) or an outbound MTA used
+ for mail submission needs to ensure that the message sent is in
+ compliance with the advertised email sending policy. It needs
+ to also be able to generate an operator alert if it determines
+ that the email messages do not comply with the published DKIM
+ sending policy.
+
+ An MSA needs to be aware that some MUAs might add their own
+ signatures. If the MSA needs to perform operations on a
+ message to make it comply with its email sending policy, if at
+ all possible, it needs to do so in a way that would not break
+ those signatures.
+
+ MUAs equipped with the ability to sign ought not to be
+ encouraged. In terms of security, MUAs are generally not under
+ the direct control of those in responsible roles within an
+ organization and are thus more vulnerable to attack and
+ compromise, which would expose private signing keys to
+ intruders and thus jeopardize the integrity and reputation of
+ the organization.
+
+
+
+Hansen, et al. Informational [Page 39]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ Inbound: When an organization deploys DKIM, it needs to make
+ sure that its email infrastructure components that do not have
+ primary roles in DKIM handling do not modify message in ways
+ that prevent subsequent verification.
+
+ An inbound MTA or an MDA can incorporate an indication of the
+ verification results into the message, such as using an
+ Authentication-Results header field [RFC5451].
+
+ Intermediaries: An email intermediary is both an inbound and
+ outbound MTA. Each of the requirements outlined in the
+ sections relating to MTAs apply. If the intermediary modifies
+ a message in a way that breaks the signature, the intermediary.
+
+ + needs to deploy abuse filtering measures on the inbound
+ mail, and
+
+ + probably also needs to remove all signatures that will be
+ broken.
+
+ In addition, the intermediary can:
+
+ + verify the message signature prior to modification.
+
+ + incorporate an indication of the verification results into
+ the message, such as using an Authentication-Results header
+ field [RFC5451].
+
+ + sign the modified message including the verification results
+ (e.g., the Authentication-Results header field).
+
+8.5. Mail User Agent
+
+ The DKIM specification is expected to be used primarily between
+ Boundary MTAs, or other infrastructure components of the originating
+ and receiving ADMDs. However, there is nothing in DKIM that is
+ specific to those venues. In particular, MUAs can also support DKIM
+ signing and verifying directly.
+
+ Outbound: An MUA can support signing even if mail is to be
+ relayed through an outbound MSA. In this case, the signature
+ applied by the MUA will be in addition to any signature added
+ by the MSA. However, the warnings in the previous section need
+ to be taken into consideration.
+
+
+
+
+
+
+
+Hansen, et al. Informational [Page 40]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ Some user software goes beyond simple user functionality and
+ also performs MSA and MTA functions. When this is employed for
+ sending directly to a receiving ADMD, the user software needs
+ to be considered an outbound MTA.
+
+ Inbound: An MUA can rely on a report of a DKIM signature
+ verification that took place at some point in the inbound MTA/
+ MDA path (e.g., an Authentication-Results header field), or an
+ MUA can perform DKIM signature verification directly. A
+ verifying MUA needs to allow for the case where mail has been
+ modified in the inbound MTA path; if a signature fails, the
+ message is to be treated the same as a message that does not
+ have a signature.
+
+ An MUA that looks for an Authentication-Results header field
+ needs to be configurable to choose which Authentication-Results
+ header fields are considered trustable. The MUA developer is
+ encouraged to re-read the Security Considerations of [RFC5451].
+
+ DKIM requires that all verifiers treat messages with signatures
+ that do not verify as if they are unsigned.
+
+ If verification in the client is to be acceptable to users, it
+ is essential that successful verification of a signature not
+ result in a less than satisfactory user experience compared to
+ leaving the message unsigned. The mere presence of a verified
+ DKIM signature cannot be used by itself by an MUA to indicate
+ that a message is to be treated better than a message without a
+ verified DKIM signature. However, the fact that a DKIM
+ signature was verified can be used as input into a reputation
+ system (i.e., a whitelist of domains and users) for
+ presentation of such indicators.
+
+ It is common for components of an ADMD's email infrastructure to do
+ violence to a message, such that a DKIM signature might be rendered
+ invalid. Hence, users of MUAs that support DKIM signing and/or
+ verifying need a basis for knowing that their associated email
+ infrastructure will not break a signature.
+
+9. Security Considerations
+
+ The security considerations of the DKIM protocol are described in the
+ DKIM base specification [RFC4871].
+
+10. Acknowledgements
+
+ The effort of the DKIM Working Group is gratefully acknowledged.
+
+
+
+
+Hansen, et al. Informational [Page 41]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+11. References
+
+11.1. Normative References
+
+ [RFC4871] Allman, E., Callas, J., Delany, M., Libbey, M., Fenton,
+ J., and M. Thomas, "DomainKeys Identified Mail (DKIM)
+ Signatures", RFC 4871, May 2007.
+
+ [RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322,
+ October 2008.
+
+ [RFC5451] Kucherawy, M., "Message Header Field for Indicating
+ Message Authentication Status", RFC 5451, April 2009.
+
+ [RFC5585] Hansen, T., Crocker, D., and P. Hallam-Baker, "DomainKeys
+ Identified Mail (DKIM) Service Overview", RFC 5585,
+ July 2009.
+
+ [RFC5617] Allman, E., Fenton, J., Delany, M., and J. Levine,
+ "DomainKeys Identified Mail (DKIM) Author Domain Signing
+ Practices (ADSP)", RFC 5617, August 2009.
+
+ [RFC5672] Crocker, D., "RFC 4871 DomainKeys Identified Mail (DKIM)
+ Signatures -- Update", RFC 5672, August 2009.
+
+11.2. Informative References
+
+ [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Resource Records for the DNS Security Extensions",
+ RFC 4034, March 2005.
+
+ [RFC4870] Delany, M., "Domain-Based Email Authentication Using
+ Public Keys Advertised in the DNS (DomainKeys)", RFC 4870,
+ May 2007.
+
+ [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
+ Security (DNSSEC) Hashed Authenticated Denial of
+ Existence", RFC 5155, March 2008.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hansen, et al. Informational [Page 42]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+Appendix A. Migration Strategies
+
+ There are three migration occasions worth noting in particular for
+ DKIM:
+
+ 1. Migrating from DomainKeys to DKIM.
+
+ 2. Migrating from a current hash algorithm to a new standardized
+ hash algorithm.
+
+ 3. Migrating from a current signing algorithm to a new standardized
+ signing algorithm.
+
+ The case of deploying a new key selector record is described
+ elsewhere (Section 3.5).
+
+ As with any migration, the steps required will be determined by who
+ is doing the migration and their assessment of:
+
+ o the users of what they are generating, or
+
+ o the providers of what they are consuming.
+
+ Signers and verifiers have different considerations.
+
+A.1. Migrating from DomainKeys
+
+ DKIM replaces the earlier DomainKeys (DK) specification. Selector
+ files are mostly compatible between the two specifications.
+
+A.1.1. Signers
+
+ A signer that currently signs with DK will go through various stages
+ as it migrates to using DKIM, not all of which are required for all
+ signers. The real questions that a signer needs to ask are:
+
+ 1. how many receivers or what types of receivers are *only* looking
+ at the DK signatures and not the DKIM signatures, and
+
+ 2. how much does the signer care about those receivers?
+
+ If no one is looking at the DK signature any more, then it's no
+ longer necessary to sign with DK. Or if all "large players" are
+ looking at DKIM in addition to or instead of DK, a signer can choose
+ to stop signing with DK.
+
+
+
+
+
+
+Hansen, et al. Informational [Page 43]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ With respect to signing policies, a reasonable, initial approach is
+ to use DKIM signatures in the same way that DomainKeys signatures are
+ already being used. In particular, the same selectors and DNS key
+ records can be used for both, after verifying that they are
+ compatible as discussed below.
+
+ Each secondary step in all of the following scenarios is to be
+ prefaced with the gating factor "test, then when comfortable with the
+ previous step's results, continue".
+
+ One migration strategy is to:
+
+ o ensure that the current selector DNS key record is compatible with
+ both DK and DKIM
+
+ o sign messages with both DK and DKIM signatures
+
+ o when it's decided that DK signatures are no longer necessary, stop
+ signing with DK
+
+ Another migration strategy is to:
+
+ o add a new selector DNS key record only for DKIM signatures
+
+ o sign messages with both DK (using the old DNS key record) and DKIM
+ signatures (using the new DNS key record)
+
+ o when it's decided that DK signatures are no longer necessary, stop
+ signing with DK
+
+ o eventually remove the old DK selector DNS record
+
+ A combined migration strategy is to:
+
+ o ensure that the current selector DNS key record is compatible with
+ both DK and DKIM
+
+ o start signing messages with both DK and DKIM signatures
+
+ o add a new selector DNS key record for DKIM signatures
+
+ o switch the DKIM signatures to use the new selector
+
+ o when it's decided that DK signatures are no longer necessary, stop
+ signing with DK
+
+ o eventually remove the old DK selector DNS record
+
+
+
+
+Hansen, et al. Informational [Page 44]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ Another migration strategy is to:
+
+ o add a new selector DNS key record for DKIM signatures
+
+ o do a flash cut and replace the DK signatures with DKIM signatures
+
+ o eventually remove the old DK selector DNS record
+
+ Another migration strategy is to:
+
+ o ensure that the current selector DNS key record is compatible with
+ both DK and DKIM
+
+ o do a flash cut and replace the DK signatures with DKIM signatures
+
+ Note that when you have separate key records for DK and DKIM, you can
+ use the same public key for both.
+
+A.1.1.1. DNS Selector Key Records
+
+ The first step in some of the above scenarios is ensuring that the
+ selector DNS key records are compatible for both DK and DKIM. The
+ format of the DNS key record was intentionally meant to be backwardly
+ compatible between the two systems, but not necessarily upwardly
+ compatible. DKIM has enhanced the DK DNS key record format by adding
+ several optional parameters, which DK needs to ignore. However,
+ there is one critical difference between DK and DKIM DNS key records.
+ The definitions of the "g" fields:
+
+ g= granularity of the key: In both DK and DKIM, this is an optional
+ field that is used to constrain which sending address(es) can
+ legitimately use this selector. Unfortunately, the treatment of
+ an empty field ("g=;") is different. DKIM allows wildcards where
+ DK does not. For DK, an empty field is the same as a missing
+ value, and is treated as allowing any sending address. For DKIM,
+ an empty field only matches an empty local part. In DKIM, both a
+ missing value and "g=*;" mean to allow any sending address.
+
+ Also, in DomainKeys, the "g" field is required to match the
+ address in "From:"/"Sender:", while in DKIM, it is required to
+ match i=. This might or might not affect transition.
+
+ If your DK DNS key record has an empty "g" field in it ("g=;"),
+ your best course of action is to modify the record to remove the
+ empty field. In that way, the DK semantics will remain the same,
+ and the DKIM semantics will match.
+
+
+
+
+
+Hansen, et al. Informational [Page 45]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ If your DNS key record does not have an empty "g" field in it
+ ("g=;"), it's probable that the record can be left alone. But the
+ best course of action would still be to make sure that it has a
+ "v" field. When the decision is made to stop supporting
+ DomainKeys and to only support DKIM, it is important to verify
+ that the "g" field is compatible with DKIM, and typically having
+ "v=DKIM1;" in it. It is strongly encouraged that if use of an
+ empty "g" field in the DKIM selector, include the "v" field.
+
+A.1.1.2. Removing DomainKeys Signatures
+
+ The principal use of DomainKeys is at boundary MTAs. Because no
+ operational transition is ever instantaneous, it is advisable to
+ continue performing DomainKeys signing until it is determined that
+ DomainKeys receive-side support is no longer used, or is sufficiently
+ reduced. That is, a signer needs to add a DKIM signature to a
+ message that also has a DomainKeys signature and keep it there until
+ they decide it is deemed no longer useful. The signer can do its
+ transitions in a straightforward manner, or more gradually. Note
+ that because digital signatures are not free, there is a cost to
+ performing both signing algorithms, so signing with both algorithms
+ ought not be needlessly prolonged.
+
+ The tricky part is deciding when DK signatures are no longer
+ necessary. The real questions are: how many DomainKeys verifiers are
+ there that do *not* also do DKIM verification, which of those are
+ important, and how can you track their usage? Most of the early
+ adopters of DK verification have added DKIM verification, but not all
+ yet. If a verifier finds a message with both DK and DKIM, it can
+ choose to verify both signatures, or just one or the other.
+
+ Many DNS services offer tracking statistics so it can be determined
+ how often a DNS record has been accessed. By using separate DNS
+ selector key records for your signatures, you can chart the use of
+ your records over time, and watch the trends. An additional
+ distinguishing factor to track would take into account the verifiers
+ that verify both the DK and DKIM signatures, and discount those from
+ counts of DK selector usage. When the number for DK selector access
+ reaches a low-enough level, that's the time to consider discontinuing
+ signing with DK.
+
+ Note, this level of rigor is not required. It is perfectly
+ reasonable for a DK signer to decide to follow the "flash cut"
+ scenario described above.
+
+
+
+
+
+
+
+Hansen, et al. Informational [Page 46]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+A.1.2. Verifiers
+
+ As a verifier, several issues need to be considered:
+
+A.1.2.1. Ought DK signature verification be performed?
+
+ At the time of writing, there is still a significant number of sites
+ that are only producing DK signatures. Over time, it is expected
+ that this number will go to zero, but it might take several years.
+ So it would be prudent for the foreseeable future for a verifier to
+ look for and verify both DKIM and DK signatures.
+
+A.1.2.2. Ought both DK and DKIM signatures be evaluated on a single
+ message?
+
+ For a period of time, there will be sites that sign with both DK and
+ DKIM. A verifier receiving a message that has both types of
+ signatures can verify both signatures, or just one. One disadvantage
+ of verifying both signatures is that signers will have a more
+ difficult time deciding how many verifiers are still using their DK
+ selectors. One transition strategy is to verify the DKIM signature,
+ then only verify the DK signature if the DKIM verification fails.
+
+A.1.2.3. DNS Selector Key Records
+
+ The format of the DNS key record was intentionally meant to be
+ backwardly compatible between DK and DKIM, but not necessarily
+ upwardly compatible. DKIM has enhanced the DK DNS key record format
+ by adding several optional parameters, which DK needs to ignore.
+ However, there is one key difference between DK and DKIM DNS key
+ records. The definitions of the g fields:
+
+ g= granularity of the key: In both DK and DKIM, this is an optional
+ field that is used to constrain which sending address(es) can
+ legitimately use this selector. Unfortunately, the treatment of
+ an empty field ("g=;") is different. For DK, an empty field is
+ the same as a missing value, and is treated as allowing any
+ sending address. For DKIM, an empty field only matches an empty
+ local part.
+
+ v= version of the selector It is advised that a DKIM selector have
+ "v=DKIM1;" at its beginning, but it is not required.
+
+ If a DKIM verifier finds a selector record that has an empty "g"
+ field ("g=;") and it does not have a "v" field ("v=DKIM1;") at its
+ beginning, it is faced with deciding if this record was:
+
+
+
+
+
+Hansen, et al. Informational [Page 47]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ 1. from a DK signer that transitioned to supporting DKIM but forgot
+ to remove the "g" field (so that it could be used by both DK and
+ DKIM verifiers); or
+
+ 2. from a DKIM signer that truly meant to use the empty "g" field
+ but forgot to put in the "v" field. It is advised that you treat
+ such records using the first interpretation, and treat such
+ records as if the signer did not have a "g" field in the record.
+
+A.2. Migrating Hash Algorithms
+
+ [RFC4871] defines the use of two hash algorithms: SHA-1 and SHA-256.
+ The security of all hash algorithms is constantly under attack, and
+ SHA-1 has already shown weaknesses as of this writing. Migrating
+ from SHA-1 to SHA-256 is not an issue, because all verifiers are
+ already required to support SHA-256. But when it becomes necessary
+ to replace SHA-256 with a more secure algorithm, there will be a
+ migratory period. In the following, "NEWHASH" is used to represent a
+ new hash algorithm. Section 4.1 of [RFC4871] briefly discusses this
+ scenario.
+
+A.2.1. Signers
+
+ As with migrating from DK to DKIM, migrating hash algorithms is
+ dependent on the signer's best guess as to the utility of continuing
+ to sign with the older algorithms and the expected support for the
+ newer algorithm by verifiers. The utility of continuing to sign with
+ the older algorithms is also based on how broken the existing hash
+ algorithms are considered and how important that is to the signers.
+
+ One strategy is to wait until it's determined that there is a large
+ enough base of verifiers available that support NEWHASH, and then
+ flash cut to the new algorithm.
+
+ Another strategy is to sign with both the old and new hash algorithms
+ for a period of time. This is particularly useful for testing the
+ new code to support the new hash algorithm, as verifiers will
+ continue to accept the signature for the older hash algorithm and
+ ought to ignore any signature that fails because the code is slightly
+ wrong. Once the signer has determined that the new code is correct
+ AND it's determined that there is a large enough base of verifiers
+ available that support NEWHASH, the signer can flash cut to the new
+ algorithm.
+
+ One advantage migrating hash algorithms has is that the selector can
+ be completely compatible for all hash algorithms. The key selector
+ has an optional "h=" field that can be used to list the hash
+ algorithms being used; it also is used to limit the algorithms that a
+
+
+
+Hansen, et al. Informational [Page 48]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+ verifier will accept. If the signer is not currently using the key
+ selector "h=" field, no change is required. If the signer is
+ currently using the key selector "h=" field, NEWHASH will need to be
+ added to the list, as in "h=sha256:NEWHASH;". (When the signer is no
+ longer using SHA-256, it can be removed from the "h=" list.)
+
+A.2.2. Verifiers
+
+ When a new hash algorithm becomes standardized, it is best for a
+ verifier to start supporting it as quickly as possible.
+
+A.3. Migrating Signing Algorithms
+
+ [RFC4871] defines the use of the RSA signing algorithm. Similar to
+ hashes, signing algorithms are constantly under attack, and when it
+ becomes necessary to replace RSA with a newer signing algorithm,
+ there will be a migratory period. In the following, "NEWALG" is used
+ to represent a new signing algorithm.
+
+A.3.1. Signers
+
+ As with the other migration issues discussed above, migrating signing
+ algorithms is dependent on the signer's best guess as to the utility
+ of continuing to sign with the older algorithms and the expected
+ support for the newer algorithm by verifiers. The utility of
+ continuing to sign with the older algorithms is also based on how
+ broken the existing signing algorithms are considered and how
+ important that is to the signers.
+
+ As before, the two basic strategies are to 1) wait until there is
+ sufficient base of verifiers available that support NEWALG and then
+ do a flash cut to NEWALG, and 2) use a phased approach by signing
+ with both the old and new algorithms before removing support for the
+ old algorithm.
+
+ It is unlikely that a new algorithm would be able to use the same
+ public key as "rsa", so using the same selector DNS record for both
+ algorithms' keys is ruled out. Therefore, in order to use the new
+ algorithm, a new DNS selector record would need to be deployed in
+ parallel with the existing DNS selector record for the existing
+ algorithm. The new DNS selector record would specify a different
+ "k=" value to reflect the use of NEWALG.
+
+
+
+
+
+
+
+
+
+Hansen, et al. Informational [Page 49]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+A.3.2. Verifiers
+
+ When a new hash algorithm becomes standardized, it is best for a
+ verifier to start supporting it as quickly as possible.
+
+Appendix B. General Coding Criteria for Cryptographic Applications
+
+ NOTE: This section could possibly be changed into a reference to
+ something else, such as another RFC.
+
+ Correct implementation of a cryptographic algorithm is a necessary
+ but not a sufficient condition for the coding of cryptographic
+ applications. Coding of cryptographic libraries requires close
+ attention to security considerations that are unique to cryptographic
+ applications.
+
+ In addition to the usual security coding considerations, such as
+ avoiding buffer or integer overflow and underflow, implementers need
+ to pay close attention to management of cryptographic private keys
+ and session keys, ensuring that these are correctly initialized and
+ disposed of.
+
+ Operating system mechanisms that permit the confidentiality of
+ private keys to be protected against other processes ought to be used
+ when available. In particular, great care needs to be taken when
+ releasing memory pages to the operating system to ensure that private
+ key information is not disclosed to other processes.
+
+ Certain implementations of public key algorithms such as RSA can be
+ vulnerable to a timing analysis attack.
+
+ Support for cryptographic hardware providing key management
+ capabilities is strongly encouraged. In addition to offering
+ performance benefits, many cryptographic hardware devices provide
+ robust and verifiable management of private keys.
+
+ Fortunately, appropriately designed and coded cryptographic libraries
+ are available for most operating system platforms under license terms
+ compatible with commercial, open source and free software license
+ terms. Use of standard cryptographic libraries is strongly
+ encouraged. These have been extensively tested, reduce development
+ time and support a wide range of cryptographic hardware.
+
+
+
+
+
+
+
+
+
+Hansen, et al. Informational [Page 50]
+
+RFC 5863 DKIM Development/Deployment/Operations May 2010
+
+
+Authors' Addresses
+
+ Tony Hansen
+ AT&T Laboratories
+ 200 Laurel Ave. South
+ Middletown, NJ 07748
+ USA
+
+ EMail: tony+dkimov@maillennium.att.com
+
+
+ Ellen Siegel
+ Consultant
+
+ EMail: dkim@esiegel.net
+
+
+ Phillip Hallam-Baker
+ Default Deny Security, Inc.
+
+ EMail: phillip@hallambaker.com
+
+
+ Dave Crocker
+ Brandenburg InternetWorking
+ 675 Spruce Dr.
+ Sunnyvale, CA 94086
+ USA
+
+ EMail: dcrocker@bbiw.net
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hansen, et al. Informational [Page 51]
+