dkim_support

Differences

This shows you the differences between two versions of the page.

dkim_support [2016/05/18 15:18] lucy
dkim_support [2016/05/18 15:21] – [Setup DKIM in LUCY] lucy
Line 32: Line 32:
  
 **Note**: Lucy sends out DKIM-signed emails with "mail.domainkey_" part built-in and before LUCY 3.2 there is no configuration option to change that. Same for the DKIM header, which is fixed. **Note**: Lucy sends out DKIM-signed emails with "mail.domainkey_" part built-in and before LUCY 3.2 there is no configuration option to change that. Same for the DKIM header, which is fixed.
 +
 +===== DKIM Header Explanation=====
 +
 +Here is an example DKIM signature (recorded as an RFC2822 header field) for the signed message:
 +
 + DKIM-Signature a=rsa-sha1; q=dns;
 + d=example.com;
 + i=user@eng.example.com;
 + s=jun2005.eng; c=relaxed/simple;
 + t=1117574938; x=1118006938;
 + h=from:to:subject:date;
 + b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSb
 + av+yuU4zGeeruD00lszZVoG4ZHRNiYzR 
 +
 +Let's take this piece by piece to see what it means. Each "tag" is associated with a value.
 +  * b = the actual digital signature of the contents (headers and body) of the mail message
 +  * bh = the body hash
 +  * d = the signing domain
 +  * s = the selector
 +  * v = the version
 +  * a = the signing algorithm
 +  * c = the canonicalization algorithm(s) for header and body
 +  * q = the default query method
 +  * l = the length of the canonicalized part of the body that has been signed
 +  * t = the signature timestamp
 +  * x = the expire time
 +  * h = the list of signed header fields, repeated for fields that occur multiple times
 +
 +We can see from this email that:
 +  * The digital signature is dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR. This signature is matched with the one stored at the sender's domain.
 +  * The body hash is not listed.
 +  * The signing domain is example.com.This is the domain that sent (and signed) the message.
 +  * The selector is jun2005.eng.
 +  * The version is not listed.
 +  * The signing algorithm is rsa-sha1. This is the algorith used to generate the signature.
 +  * The canonicalization algorithm(s) for header and body are relaxed/simple.
 +  * The default query method is DNS. This is the method used to look up the key on the signing domain.
 +  * The length of the canonicalized part of the body that has been signed is not listed. The signing domain can generate a key based on the entire body or only some portion of it. That portion would be listed here.
 +  * The signature timestamp is 1117574938. This is when it was signed.
 +  * The expire time is 1118006938. Because an already signed email can be reused to "fake" the signature, signatures are set to expire.
 +  * The list of signed header fields includes from:to:subject:date. This is the list of fields that have been "signed" to verify that they have not been modified.
 +
 +
  
  
  
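Review bot: The bullet explaining b= ("This signature is matched with the one stored at the sender's domain") is incorrect: DNS holds the signer's public key, not a signature. The verifier fetches that key from the TXT record at selector._domainkey.domain (for this example, jun2005.eng._domainkey.example.com) and uses it to verify b=. Suggested wording: "This signature is verified with the public key published in DNS under the selector and signing domain." The l= bullet has the same confusion ("generate a key based on the entire body"): l= limits how many body octets the body hash covers, so anything appended after that length is unsigned, which is worth stating. The sample header is missing the colon after DKIM-Signature, omits v= and bh=, which RFC 6376 requires, and uses rsa-sha1, which RFC 8301 deprecates; a current sample with v=1, a=rsa-sha256 and bh= would remove the need for the "not listed" bullets. Typos to fix: "algorith" and the missing space in "example.com.This".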
dkim_support.txt · Last modified: 2019/07/25 12:50 by 127.0.0.1