Note: DKIM2 is currently under draft in IETF’s document archives, and may be subjected to changes in the future.
DKIM or DomainKeys Identified Mail’s current version was first published in 2011, as an email authentication protocol that helped sign messages with digital signatures to authenticate the sender. DKIM allowed email servers to verify that the message was not tampered with during transmission. DKIM is defined under RFC 6376 as a protocol that “permits a person, role, or organization that owns the signing domain to claim some responsibility for a message by associating the domain with the message.”
In 2024, DKIM may have a brand new look, called DKIM2! DKIM2 is expected to soon replace the old email security mechanism (DKIM) with a new and updated mechanism for enhanced authentication and security.
The Need for Replacing DKIM
The nascent mechanism for DKIM – DKIM1 was first outlined in RFC 4871, and published in the year 2007. Since then, over the years, several operational weaknesses have been discovered:
1. Intermediary Modification Issue
In several cases of email forwarding, intermediary servers often take the liberty to modify a legitimate email by appending additional footers or making signature modifications. This makes the original DKIM1 signature unverifiable, leading to unwanted DKIM failures. The concerned emails may be potentially flagged or marked as spam, despite being legitimate.
2. Reputation Damage via Replay Attacks
In a DKIM replay attack, a threat actor resends an email that was originally authenticated and signed with a DKIM signature, posing it to be a new and authentic message. However, the message might have been altered and may now be potentially harmful. In short, malicious actors can “replay” DKIM-signed emails, harming the reputation of legitimate signers.
3. Lack of Standardized Feedback
There are certain informal feedback mechanisms created by some systems to notify email senders about how well their DKIM-signed emails are performing. These feedback loops help senders know if their messages are being delivered properly or flagged as problematic. However, there are currently no official rules for how these feedback systems should work. This lack of standardization may lead to feedback being sent unnecessarily or being unhelpful.
4. Backscatter Problem
If someone fakes the sender of an email (forges the origin), and the email cannot be delivered, the system often sends a “failure notice”. This notice is termed as a Delivery Status Notification, or DSN. The notice reaches the unsuspecting victim whose domain was forged. This means an innocent person, who had nothing to do with the email, gets a confusing or unwanted notification. This phenomenon is known as backscatter.
What is DKIM2?
DKIM2 is projected to be the upcoming updated version of DKIM1, aimed at fixing the shortcomings of the previous version such as the vulnerability to replay attacks, problems with mail forwarding, and providing enhanced cryptography for better authentication and subsequent protection.
DKIM2 is also expected to resolve header signing issues, prevent backscatter, and support multiple cryptographic algorithms for easy migration from an outdated algorithmic version to a new one.
How Might DKIM2 Be a Boon for Businesses?
DKIM2 may outshine the capabilities of DKIM1 by providing the following key benefits:
Standardized Header Signing
While DKIM1 sometimes signs headers partially, leaving unsecured loopholes for threat actors to exploit, DKIM2 will standardize which headers should be signed. This will reduce confusion and ensure all important headers are consistently signed and secured.
Backscatter Prevention
The problem with DKIM1 causing backscatter was explained in the section above. DKIM2 will allow DSN to be sent to the server that last handled the email, avoiding confusion for innocent third parties.
Simplified Error Handling
DKIM2 enhances email security and efficiency by improving how bounces and errors are handled. It ensures that bounce messages follow the correct path, protecting recipient privacy and helping intermediaries, like email service providers and mailing lists, easily track and manage delivery issues. Additionally, DKIM2 enables mailing lists and security gateways to record and reverse changes they make, simplifying verification and spotting tampering attempts.
Addressing DKIM Replay Attacks
We already know that a valid DKIM-signed e-mail can be resent – that is, “replayed” to many recipients, undetected. DKIM2 may finally fix this problem by introducing timestamps and recipient-specific headers, making it easier to detect and prevent email replay attacks. Moreover, it will recognize duplicated messages as well, tracking who is responsible.
Algorithmic Dexterity
DKIM2 will support a vast range of cryptographic algorithms, like RSA, elliptic curve, and possibly post-quantum. This will ensure flexibility and future-proofing. The positive side of supporting such a diverse range of algorithms is that if a previous one becomes outdated, migration will be easy.
Reducing Crypto-Calculations
DKIM2 is projected to simplify and minimize the amount of cryptographic computations required to verify the authenticity of message content during DKIM checks while introducing a more effective cryptographic method. This enhances the protection of sensitive organizational data and further minimizes email-based threats.
Simplified DKIM Key Rotation
DKIM2 is also projected to enhance user experience by making DKIM key rotation and management much easier. So in case your previous key gets outdated or an attacker gains access to it, you can quickly rotate your DKIM key, without much hassle.
Summary
To summarize the key takeaways from IETF’s draft, the DKIM2 protocol is aimed to bypass several drawbacks of the current DKIM1 protocol version, making signature handling simple, secure, and more effective. It is also expected to improve reporting capabilities and standardize feedback loops – helping businesses stay in the know much more than ever before! Hopefully, we will witness the official rollout soon, for businesses to make the most out of their DKIM authentication.
For assistance regarding DKIM implementation and key management, contact us today!
- Introducing DKIM2: The Future of Email Security - November 20, 2024
- BreakSPF Attacks: Outsmart the Hackers and Protect Your Email - November 13, 2024
- PowerDMARC Integrates with ConnectWise - October 31, 2024