Suped

Does DKIM use a symmetric or asymmetric cryptographic system?

The short answer is that DKIM (DomainKeys Identified Mail) uses an asymmetric cryptographic system. This is a crucial design choice that allows it to function as a scalable and secure email authentication standard.

The entire system is built on the concept of a key pair: a private key that is kept secret by the sender and a public key that is openly shared. This one-way relationship is what allows receiving mail servers to verify an email's authenticity without needing any secret information from the sender.

LuxSci says:
DKIM uses asymmetric encryption for signing email messages. This validates the sender's identity and ensures the message contents are not altered in transit.

What is asymmetric cryptography?

Asymmetric cryptography, also known as public-key cryptography, uses a pair of mathematically related keys to encrypt and decrypt data. These two keys are:

  • A public key: This key is shared openly. Anyone can use it to encrypt data or, in the case of DKIM, verify a digital signature.
  • A private key: This key is kept secret and secure by the owner. It's used to decrypt data that was encrypted with the public key or, for DKIM, to create a digital signature.

The core principle is that a message encrypted with the public key can only be decrypted by the corresponding private key, and, for signatures, the roles are reversed: only the private key can produce a signature that the public key will accept. This one-way relationship is essential for secure communication. In contrast, symmetric encryption uses just a single key for both encryption and decryption. As The SSL Store points out, symmetric encryption is simpler, but asymmetric encryption involves "two separate keys that are related yet still unique."

IONOS Digital Guide says:
Asymmetric encryption allows everyone to access a public key but only decrypt it with the private key. This allows for highly secure data exchange.

How DKIM uses asymmetric keys

DKIM applies this asymmetric model to create a verifiable digital signature for emails. The process works in two stages: signing by the sender and verification by the receiver.

GreenArrow Email says:
DKIM combines one-way hashing with asymmetric cryptography to digitally sign emails.

Signing an email

When you send an email from a DKIM-enabled domain, your mail server uses its private key to create a unique signature. It does this by taking specific parts of the email, like the 'From' header, subject, and body content, and computing a hash, a fixed-length digest of that content. This hash is then signed (in effect, encrypted) with the private key. The result is the DKIM signature, which gets added to the email's headers.

Verifying an email

When a receiving mail server gets the email, it sees the DKIM signature. To verify it, the server looks up the signing domain's DKIM record in the DNS to find the public key. It then performs two calculations: first, it independently calculates its own hash of the signed parts of the email. Second, it uses the public key to check the DKIM signature attached to the email, which reveals the original hash created by the sender. If the two hashes match, the server knows the signed content came from the holder of that domain's private key and hasn't been altered in transit.
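The two stages above, as an added Go example that is not the page's own code and is a deliberate simplification of RFC 6376 rather than a conforming implementation. The `Mail` and `Signature` types, `newKey`, and the header canonicalization are assumptions, and the DNS lookup is replaced by passing the public key straight to the verifier.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Mail is a minimal message (hypothetical type); Signature holds the two DKIM tags that matter here: bh= and b=.
type Mail struct{ Headers map[string]string; Body string }
type Signature struct{ BH, B string }

// newKey makes the sender's RSA key pair; only the public half would ever be published in DNS.
func newKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// bodyHash is the bh= value: base64(SHA-256(body)).
func bodyHash(body string) string { s := sha256.Sum256([]byte(body)); return base64.StdEncoding.EncodeToString(s[:]) }

// signedInput is what the signature covers: the listed headers (lower-cased name, trimmed value) plus bh=.
func signedInput(m Mail, hdrs []string, bh string) []byte {
	var sb strings.Builder
	for _, h := range hdrs {
		sb.WriteString(strings.ToLower(h) + ":" + strings.TrimSpace(m.Headers[h]) + "\r\n")
	}
	return []byte(sb.String() + "bh=" + bh)
}

// Sign is the sender's step: hash the covered content, then sign that hash with the private key.
func Sign(m Mail, priv *rsa.PrivateKey, hdrs []string) (Signature, error) {
	bh := bodyHash(m.Body)
	digest := sha256.Sum256(signedInput(m, hdrs, bh))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return Signature{BH: bh, B: base64.StdEncoding.EncodeToString(sig)}, err
}

// Verify is the receiver's step: recompute both hashes, then check the signature with the public key.
func Verify(m Mail, pub *rsa.PublicKey, hdrs []string, s Signature) bool {
	raw, err := base64.StdEncoding.DecodeString(s.B)
	if err != nil || bodyHash(m.Body) != s.BH { // malformed b= or body altered in transit
		return false
	}
	digest := sha256.Sum256(signedInput(m, hdrs, s.BH))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw) == nil
}

func main() {
	priv, hdrs := newKey(), []string{"From", "Subject"}
	m := Mail{map[string]string{"From": "alice@example.com", "Subject": "Hi"}, "hello\r\n"} // constructed sample
	sig, _ := Sign(m, priv, hdrs)
	fmt.Println("intact:", Verify(m, &priv.PublicKey, hdrs, sig))
	m.Body = "hello, wire the funds\r\n" // a change in transit no longer matches bh=
	fmt.Println("tampered:", Verify(m, &priv.PublicKey, hdrs, sig))
}
```

A real verifier also checks that the signing domain (d=) aligns with the From domain and that the signed header list (h=) covers the headers that matter; both are out of scope here.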

Why not use symmetric encryption?

Using symmetric encryption for a global, open system like email would be a logistical nightmare. For symmetric encryption to work, both the sender and the receiver must have the same secret key. This would mean that a sender like Google would need to securely share a unique secret key with every other mail server on the internet they want to send email to. This is simply not scalable or secure.

Asymmetric encryption elegantly solves this problem. The sender's private key never has to be shared. The public key can be published for all to see in the DNS without exposing anything secret, because it can only check signatures, not create them. This public-private key infrastructure is what enables DKIM to verify senders across the entire internet effectively.

Encryption Consulting says:
The major difference between the two types of encryption is, symmetric encryption uses 1 key, whereas asymmetric encryption uses 2 keys for a more secure, albeit slower, transaction.

In conclusion, DKIM's reliance on asymmetric cryptography is fundamental to its success. It provides a robust and scalable method for verifying sender authenticity and protecting message integrity, which are cornerstones of modern email security.
