
I'm trying to figure out how DKIM verification works.

My understanding so far has been that the domain inside the DKIM-Signature header must match the domain inside the From header for the DKIM check to pass.

1. I configured the opendkim SigningTable to sign all e-mails from the lskdfjlsd.com domain with a domain key from a different domain:

   ```
   *@lskdfjlsd.com default._domainkey.unrelateddomain.com
   ```

2. My KeyTable looks like this:

   ```
   default._domainkey.unrelateddomain.com unrelateddomain.com:default:/etc/opendkim/keys/unrelateddomain.com/default
   ```

3. I send out e-mails with this:

   ```
   echo "Hello world" | mail -s "Hello" -r noreply@lskdfjlsd.com my-personal-mail@gmail.com
   ```

4. When I check the e-mail inside my-personal-mail@gmail.com I can see the DKIM check passed for the domain unrelateddomain.com. The content of the DKIM header and From field is:

   ```
   DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=unrelateddomain.com; s=default
   From: noreply@lskdfjlsd.com
   ```

And this is where my confusion stems from. The DKIM check says PASS for the domain unrelateddomain.com, but the From header clearly says it originated from a different domain. Based on https://mxtoolbox.com/dmarc/dkim/dkim-alignment I'd expect the DKIM check to fail.

I've tried playing with the domains and the DKIM check always says PASS, no matter whether the domains match or not.

1 Answer

The domain mentioned in the d= tag of the signature header tells the receiving server where to look for the public key to use, in the selector record. The s= tag tells it the name of the selector. The DKIM RFC does not require the FROM domain to be the same domain as the DKIM signature domain.

In fact, a message can be signed by multiple signatures from multiple domains, and often is. For example, a service like MailGun might add a DKIM signature for their domain, while enabling you to set up an additional DKIM signature for the domain you're sending From.

This is exactly why DMARC was introduced: to require alignment between the domains used in the authentication technologies (SPF and DKIM) and the domain used in the FROM header, because that is the main address shown to the user in the email client.

Reinto
    [RFC 6376: DomainKeys Identified Mail (DKIM) Signatures § 3.11](https://datatracker.ietf.org/doc/html/rfc6376#section-3.11) states, "This document does not require the value of the SDID or AUID to match an identifier in any other message header field." *SDID* and *AUID* are [Signing Domain Identifier](https://datatracker.ietf.org/doc/html/rfc6376#section-2.5) and [Agent or User Identifier](https://datatracker.ietf.org/doc/html/rfc6376#section-2.6). – Clint Pachl Jul 23 '23 at 03:01
  • @ClintPachl Yes, that is essentially what I was trying to say. The signing identity does not need to match any part of other identities in an email message, including the FROM header. DMARC does require this alignment between SDID in the DKIM header and the domain used in the FROM header. – Reinto Jul 27 '23 at 17:50
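As an added example (not code from the question or the answer), the following Python parses the question's DKIM-Signature header, derives the DNS name the verifier fetches the public key from (`<s>._domainkey.<d>`), and then applies DMARC's DKIM identifier alignment test in relaxed and strict modes, so the difference between "DKIM passes" and "DKIM is aligned" is visible. The organizational-domain rule is simplified to the last two labels, which is an assumption; a real implementation uses the Public Suffix List.

```python
import re
from email.utils import parseaddr

# Constructed sample, copied from the headers shown in the question.
SAMPLE_FROM = "noreply@lskdfjlsd.com"
SAMPLE_DKIM = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=unrelateddomain.com; s=default"


def parse_dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 section 3.2).
    Folding whitespace is stripped first; empty trailing parts are ignored."""
    tags = {}
    for part in re.sub(r"\s+", "", value).split(";"):
        if part:
            name, _, val = part.partition("=")
            tags[name] = val
    return tags


def dkim_key_record_name(tags: dict) -> str:
    """DNS name the verifier queries for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def org_domain(domain: str) -> str:
    # Assumption: the organizational domain is the last two labels. A real
    # DMARC implementation consults the Public Suffix List (think co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def from_domain(from_header: str) -> str:
    """Domain of the RFC5322.From address, i.e. the one the user sees."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()


def dkim_aligned(from_header: str, dkim_value: str, mode: str = "r") -> bool:
    """DMARC identifier alignment (RFC 7489 section 3.1.1): From domain vs. SDID (d=).
    mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    sdid = parse_dkim_tags(dkim_value)["d"].lower()
    sender = from_domain(from_header)
    return sender == sdid if mode == "s" else org_domain(sender) == org_domain(sdid)


def dmarc_dkim_pass(from_header: str, signatures: list, mode: str = "r") -> bool:
    """DMARC's DKIM leg passes if ANY cryptographically valid signature is aligned.
    `signatures` is a list of (DKIM-Signature value, verified) pairs, so a
    provider's own signature and the sender-domain signature can coexist."""
    return any(ok and dkim_aligned(from_header, sig, mode) for sig, ok in signatures)
```

With the question's headers, `dkim_aligned(SAMPLE_FROM, SAMPLE_DKIM)` is `False` in both modes even though the signature itself verifies, which is exactly the gap DMARC closes.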