Introducing DKIM2: The Future of Email Security

Blog

DKIM is set for an upgrade. DKIM2 promises to enhance email security, addressing the limitations of its predecessor.

by Yunes Tarada

Reading Time: 5 min
Introducing DKIM2: The Future of Email Security
Table Of Contents

Note: DKIM2 is currently under draft in IETF’s document archives, and may be subjected to changes in the future.

DKIM or DomainKeys Identified Mail’s current version was first published in 2011, as an email authentication protocol that helped sign messages with digital signatures to authenticate the sender. DKIM allowed email servers to verify that the message was not tampered with during transmission. DKIM is defined under RFC 6376 as a protocol that “permits a person, role, or organization that owns the signing domain to claim some responsibility for a message by associating the domain with the message.”

In 2024, DKIM may have a brand new look, called DKIM2! DKIM2 is expected to soon replace the old email security mechanism (DKIM) with a new and updated mechanism for enhanced authentication and security.

Key Takeaways

  1. DKIM2 aims to address the operational weaknesses of the current DKIM1 protocol, enhancing email security and authentication.
  2. This updated version will standardize header signing, minimizing loopholes that threat actors can exploit.
  3. DKIM2 will prevent backscatter by directing delivery failure notices to the last server that handled the email.
  4. Improved error handling and simplified bounces will help protect recipient privacy and streamline email management.
  5. By supporting multiple cryptographic algorithms, DKIM2 provides future-proofing against evolving security threats.

The Need for Replacing DKIM 

The nascent mechanism for DKIM – DKIM1 was first outlined in RFC 4871, and published in the year 2007. Since then, over the years, several operational weaknesses have been discovered:

1. Intermediary Modification Issue

In several cases of email forwarding, intermediary servers often take the liberty to modify a legitimate email by appending additional footers or making signature modifications. This makes the original DKIM1 signature unverifiable, leading to unwanted DKIM failures. The concerned emails may be potentially flagged or marked as spam, despite being legitimate. 

2. Reputation Damage via Replay Attacks

In a DKIM replay attack, a threat actor resends an email that was originally authenticated and signed with a DKIM signature, posing it to be a new and authentic message. However, the message might have been altered and may now be potentially harmful. In short, malicious actors can “replay” DKIM-signed emails, harming the reputation of legitimate signers.

3. Lack of Standardized Feedback

There are certain informal feedback mechanisms created by some systems to notify email senders about how well their DKIM-signed emails are performing. These feedback loops help senders know if their messages are being delivered properly or flagged as problematic. However, there are currently no official rules for how these feedback systems should work. This lack of standardization may lead to feedback being sent unnecessarily or being unhelpful.

4. Backscatter Problem

If someone fakes the sender of an email (forges the origin), and the email cannot be delivered, the system often sends a “failure notice”. This notice is termed as a Delivery Status Notification, or DSN. The notice reaches the unsuspecting victim whose domain was forged. This means an innocent person, who had nothing to do with the email, gets a confusing or unwanted notification. This phenomenon is known as backscatter.

Simplify DKIM2 with PowerDMARC!

Start 15-day trial Book a demo

What is DKIM2?

DKIM2 is projected to be the upcoming updated version of DKIM1, aimed at fixing the shortcomings of the previous version such as the vulnerability to replay attacks, problems with mail forwarding, and providing enhanced cryptography for better authentication and subsequent protection. 

DKIM2 is also expected to resolve header signing issues, prevent backscatter, and support multiple cryptographic algorithms for easy migration from an outdated algorithmic version to a new one. 

How Might DKIM2 Be a Boon for Businesses?

DKIM2 may outshine the capabilities of DKIM1 by providing the following key benefits: 

Standardized Header Signing

While DKIM1 sometimes signs headers partially, leaving unsecured loopholes for threat actors to exploit, DKIM2 will standardize which headers should be signed. This will reduce confusion and ensure all important headers are consistently signed and secured. 

Backscatter Prevention

The problem with DKIM1 causing backscatter was explained in the section above. DKIM2 will allow DSN to be sent to the server that last handled the email, avoiding confusion for innocent third parties.

Simplified Error Handling

DKIM2 enhances email security and efficiency by improving how bounces and errors are handled. It ensures that bounce messages follow the correct path, protecting recipient privacy and helping intermediaries, like email service providers and mailing lists, easily track and manage delivery issues. Additionally, DKIM2 enables mailing lists and security gateways to record and reverse changes they make, simplifying verification and spotting tampering attempts.

Addressing DKIM Replay Attacks 

We already know that a valid DKIM-signed e-mail can be resent – that is, “replayed” to many recipients, undetected. DKIM2 may finally fix this problem by introducing timestamps and recipient-specific headers, making it easier to detect and prevent email replay attacks. Moreover, it will recognize duplicated messages as well, tracking who is responsible.

Algorithmic Dexterity

DKIM2 will support a vast range of cryptographic algorithms, like RSA, elliptic curve, and possibly post-quantum. This will ensure flexibility and future-proofing. The positive side of supporting such a diverse range of algorithms is that if a previous one becomes outdated, migration will be easy.

IETF’s documentation explains that on the off chance that during the cryptographic analysis process, one algorithm gets deprecated or fails – the other should pass. To make this possible, DKIM2 developers are taking a phased approach to switch from potentially deprecated algorithms by including more than one signature in a single DKIM2 signature header. Systems supporting the analysis of both DKIM2 signatures will require both to be valid and correct, or else the mail will get rejected.

Minimizing Crypto-Calculations

DKIM2 is projected to simplify and minimize the amount of cryptographic computations required to verify the authenticity of message content during DKIM checks. Major mailbox providers have a large number of DKIM signatures appended to incoming messages. During cryptanalysis, DKIM2 will only check the first DKIM2 signature in case the message has not been altered by any intermediaries, whereas currently, DKIM1 checks all DKIM signatures. This will introduce a more effective and faster process for cryptographic calculations.

Summary

To summarize the key takeaways from IETF’s draft, the DKIM2 protocol is aimed to bypass several drawbacks of the current DKIM1 protocol version, making signature handling simple, secure, and more effective. It is also expected to improve reporting capabilities and standardize feedback loops – helping businesses stay in the know much more than ever before! Hopefully, we will witness the official rollout soon, for businesses to make the most out of their DKIM authentication. 

For assistance regarding DKIM implementation and key management, contact us today!

Latest posts by Yunes Tarada (see all)
Top 10 MxToolbox Alternatives and Competitors8 Security Risks Of Shared Email Accounts