DKIM in Yandex.Mail for Domains - How Email Security is Developing

    Recently, Yandex.Mail for Domains started digitally signing outgoing messages with DKIM (DomainKeys Identified Mail).

    DKIM is a technology that authenticates the sender of an email message by adding a digital signature tied to a domain name. According to Yandex.Spamooborona statistics, half of the messages arriving at Yandex.Mail's servers already carry a valid digital signature, and the share keeps growing: two years ago such messages made up 35% of the total.

    In Yandex.Mail, the digital signature is used to combat spam and phishing. Before DKIM appeared, one of the signals by which Spamooborona judged whether a message was unwanted was sender verification via SPF (Sender Policy Framework), a technology that many working groups have worked on over its lifetime, including the MARID working group at the IETF.

    To establish the authenticity of a message, DKIM makes elegant use of modern cryptography. Under the cut: how DKIM is implemented in Mail for Domains, what drawbacks SPF has, and why, despite them, we will keep using both technologies.

    To generate and verify a DKIM signature, the classical asymmetric scheme for electronic digital signatures is used.

    The private half of the domain key is kept on the server and used to generate the digital signature. Not only the message body but also some of the headers can be covered by it. The signature itself is added to the message as a header:

    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru;
    	s=mail; t=1369929893;
    	bh=1W1A4HZDXIEhbsNkODdvI9WBtkyimVpsrgS/eXcB4yo=;
    	h=From:To:Subject:Date;
    	b=JjGcbyC2qfrH4Fs8IsyvOOoxHt7hc5GYdESJ7RCoiBo899c/pvSXu2sCA30HvHGi/
    	 x4v06f8bq6vOxDptBQ+8xZkbWoZbQ1EQOH0Q5Ntl9QnwFVUY9E18ZxG2xlTEFqbhNm
    	 aJcsWkHPWIIg+vfHfwmJMFsaSwuEeioBvDUPTbeg=


    The public half of the key is published as a TXT record in the domain's DNS zone and is used to verify the generated signature. The verification result can inform the decision on the fate of the message: an invalid signature means the message was either sent from a different domain or altered in transit. Either way, it is a warning sign.

    A valid signature guarantees that the sending domain matches the domain stated in the message, which makes it possible to build domain reputation on the Internet. In general, enabling DKIM on a domain improves email deliverability.
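To make the signing and verification steps above concrete, here is a minimal DKIM signer and verifier added to this article as an illustration; it is not Yandex.Mail's code and uses no DKIM library. It assumes the `relaxed/relaxed` canonicalization shown in the header above, signs only the From, To and Subject fields, and hands the public key to `Verify` directly, where a real receiver would fetch it from the `p=` tag of the `<selector>._domainkey.<domain>` TXT record. `Message`, `Sign`, `Verify`, the sample addresses and `example.com` are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Message keeps header fields as [name, value] pairs in their original order, plus the body.
type Message struct{ Headers [][2]string; Body string }

// relaxedHeader: RFC 6376 "relaxed" header canonicalization (lowercase name, whitespace runs collapsed).
func relaxedHeader(name, value string) string {
	return strings.ToLower(name) + ":" + strings.Join(strings.Fields(value), " ")
}

// relaxedBody: "relaxed" body canonicalization (collapse whitespace, drop trailing blank lines, CRLF endings).
func relaxedBody(body string) string {
	lines := strings.Split(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	for i, l := range lines {
		lines[i] = strings.Join(strings.Fields(l), " ")
	}
	s := strings.TrimRight(strings.Join(lines, "\r\n"), "\r\n")
	if s != "" {
		s += "\r\n" // an empty body canonicalizes to the empty string
	}
	return s
}

// headerHash covers the signed headers in h= order, then the DKIM-Signature field itself with an empty b= tag.
func headerHash(msg Message, signed []string, sigNoB string) []byte {
	h := sha256.New()
	for _, name := range signed {
		for _, hdr := range msg.Headers {
			if strings.EqualFold(hdr[0], name) {
				h.Write([]byte(relaxedHeader(name, hdr[1]) + "\r\n"))
				break
			}
		}
	}
	h.Write([]byte(relaxedHeader("DKIM-Signature", sigNoB)))
	return h.Sum(nil)
}

// Sign (sender side, private key): bh= hashes the canonical body, b= signs the canonical headers with RSA-SHA256.
func Sign(msg Message, key *rsa.PrivateKey, domain, selector string, signed []string) (string, error) {
	bh := sha256.Sum256([]byte(relaxedBody(msg.Body)))
	value := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(signed, ":"), base64.StdEncoding.EncodeToString(bh[:]))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, headerHash(msg, signed, value))
	if err != nil {
		return "", err
	}
	return value + base64.StdEncoding.EncodeToString(sig), nil
}

// parseTags splits a "k=v; k=v" tag list, ignoring whitespace inside values.
func parseTags(v string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(v, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[strings.TrimSpace(kv[0])] = strings.Join(strings.Fields(kv[1]), "")
		}
	}
	return tags
}

// Verify (receiver side, public key from DNS): recompute bh= over the received body, then check b= over the headers.
func Verify(msg Message, sigValue string, pub *rsa.PublicKey) error {
	tags := parseTags(sigValue)
	bh := sha256.Sum256([]byte(relaxedBody(msg.Body)))
	if base64.StdEncoding.EncodeToString(bh[:]) != tags["bh"] {
		return fmt.Errorf("body hash mismatch: body was altered in transit")
	}
	raw, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil {
		return err
	}
	noB := sigValue[:strings.LastIndex(sigValue, "; b=")+len("; b=")] // b= is the last tag we emit
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerHash(msg, strings.Split(tags["h"], ":"), noB), raw)
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// constructed sample message; example.com is a placeholder domain
	msg := Message{Headers: [][2]string{{"From", "alice@example.com"}, {"To", "bob@example.net"}, {"Subject", "Hello"}}, Body: "Hello Bob,\r\n\r\nsee you tomorrow.\r\n"}
	sig, err := Sign(msg, key, "example.com", "mail", []string{"From", "To", "Subject"})
	if err != nil {
		panic(err)
	}
	fmt.Println("original:", Verify(msg, sig, &key.PublicKey))
	msg.Body = "Hello Bob,\r\n\r\nplease wire the money today.\r\n" // altered after signing
	fmt.Println("tampered:", Verify(msg, sig, &key.PublicKey))
}
```

Because both sides canonicalize before hashing, a forwarder that only re-wraps whitespace leaves the signature valid, while any change to the body text or to a header listed in `h=` makes `Verify` fail; that is the difference between a message "changed during forwarding" and one that merely passed through another server.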



    We tried to make enabling DKIM require minimal administrator involvement. For domains delegated to Yandex, DKIM is enabled automatically. Everyone else only needs to add the corresponding TXT record with the public key to the DNS zone.

    On the Yandex.Mail side, as soon as a new domain is confirmed, the key pair needed for generating the DKIM signature is created for it. If the domain is delegated to Yandex's DNS servers, a TXT record containing the public key is created in the zone automatically. If the domain is delegated to other servers, the administrator's interface shows a hint with the text of the record that needs to be added to the domain zone.

    During the hourly domain-status check, the Mail for Domains server learns that a DKIM record has appeared in the zone, or that an existing record has disappeared from it. The list of these changes is distributed to the sending cluster together with the private keys. After distribution, messages from the new domains are signed with DKIM in the same way as all other Yandex.Mail messages.

    Most modern anti-spam systems rely on reputation criteria and mass-mailing criteria. For example, the Yandex Spamooborona-1024 service (a free solution for filtering spam from corporate mail), which stops working on September 1 of this year, uses such criteria. For them it is very convenient to have a guarantee that a message really was sent from the stated domain.

    With SPF, authentication also relies on a special record that the domain administrator publishes in the DNS zone, but it requires no special headers in the message itself. If the domain has an SPF record, the receiving server can check whether the source address is among the hosts allowed to send mail for that domain.

    This mechanism has one big drawback: if a message is forwarded from server to server, the SPF check on the receiving side will fail. Moreover, SPF cannot say unambiguously whether a message was sent from the domain stated in it. DKIM solves this by adding a cryptographic signature over the message body and headers.
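The forwarding failure described above is easy to reproduce with a small SPF evaluator. This is an example added here, not Yandex.Mail's code: `CheckSPF` handles only the `ip4`, `ip6` and `all` mechanisms (the ones that need no further DNS lookups), and the scenario below is constructed, with `example.com` publishing the record, the documentation ranges 192.0.2.0/24 and 198.51.100.0/24 standing in for the sender's and the forwarder's addresses.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// qualifiers maps the SPF qualifier prefix to the result produced when its mechanism matches.
var qualifiers = map[string]string{"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

// CheckSPF evaluates a v=spf1 record against the IP address the receiving server is talking to.
// Only ip4, ip6 and all are implemented here; include, a, mx and redirect need further DNS
// lookups and are reported as permerror in this example.
func CheckSPF(record string, ip net.IP) (string, error) {
	terms := strings.Fields(record)
	if len(terms) == 0 || strings.ToLower(terms[0]) != "v=spf1" {
		return "none", fmt.Errorf("not an spf1 record: %q", record)
	}
	for _, term := range terms[1:] {
		qual := "+" // a mechanism without a prefix means "+"
		if strings.ContainsAny(term[:1], "+-~?") {
			qual, term = term[:1], term[1:]
		}
		mech, arg := strings.ToLower(term), ""
		if i := strings.IndexByte(term, ':'); i >= 0 {
			mech, arg = strings.ToLower(term[:i]), term[i+1:]
		}
		matched := false
		switch mech {
		case "all":
			matched = true
		case "ip4", "ip6":
			if !strings.Contains(arg, "/") { // bare address: a single host
				arg += map[string]string{"ip4": "/32", "ip6": "/128"}[mech]
			}
			_, network, err := net.ParseCIDR(arg)
			if err != nil {
				return "permerror", err
			}
			matched = network.Contains(ip)
		default:
			return "permerror", fmt.Errorf("mechanism %q not supported in this example", mech)
		}
		if matched {
			return qualifiers[qual], nil
		}
	}
	return "neutral", nil // no term matched and no explicit "all"
}

// Constructed scenario: example.com allows only its own outbound hosts to send its mail.
const exampleComSPF = "v=spf1 ip4:192.0.2.0/24 -all"

// DirectDelivery: example.com's own MTA (192.0.2.10) connects to the recipient's server.
func DirectDelivery() string {
	r, _ := CheckSPF(exampleComSPF, net.ParseIP("192.0.2.10"))
	return r
}

// ForwardedDelivery: the recipient's server forwards the same message on to another mailbox.
// The envelope sender is still @example.com, but the connecting host is now the forwarder.
func ForwardedDelivery() string {
	r, _ := CheckSPF(exampleComSPF, net.ParseIP("198.51.100.7"))
	return r
}

func main() {
	fmt.Println("direct from example.com's MTA:", DirectDelivery())
	fmt.Println("same message after forwarding:", ForwardedDelivery())
}
```

The first check passes and the second fails although nothing about the message changed; the final receiver simply sees the forwarder's address, which example.com's record does not list. A DKIM signature, being carried inside the message, survives that hop.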

    Nevertheless, there are situations where some legitimate messages from a domain arrive with no signature at all, so relying on DKIM alone will not work, and neither will building reputation for such domains.

    In the future, alongside SPF and DKIM, the relatively new DMARC (Domain-based Message Authentication, Reporting & Conformance) will probably become more widespread; it combines not only the means of verifying a message's origin but also the means of exchanging information about spam between mail systems. Yandex.Mail has been using DMARC for more than a year as additional protection of mailboxes against spam and phishing.
