dkim

I did not understand the DKIM key validation process


I am trying to understand how does the DKIM key validation work. The steps that I am sure that I understood are:

1- The sender will send a message to a reciver through MUA (e.g. gmail) and it will go to the sender mail server (SMTP/MTA server).

2- Sernder mail server already generated public and private keys before this happen.

3- The private key is seved secretly in the sender mail server.

4- The public key is already published in the DNS record in the name server as TXT resource record.

5- Sender mail server will use some hash-algorithm methods to generate hashe value for specific mail header fields for example: (From: To: Subject) which for example will be hashed to: Abcd. They call it a "Key_Signing".

6- Sender mail server will encrypt this signed key using the private key!

*** Now before i continue, how the sender mail server will encrypt this hashed value using the private key?? As per I understand that the private key in asymmetric encryption is for decryption not for encryption!!

7- The receiver mail server (POP3 or IMAP) will receive the message and validate.

8- DKIM key validation done by trying to decrypt the encrypted DKIM key (hashed value).

9- The receiver mail server needs the sender mail server's public key to decrypt the encrypted DKIM key to fetch the DKIM hashed value.

** How the receiver mail server will decrypt the encrypted DKIM key via the sender mail server public key??? Public key is for encryption not for decryption!!.

10- When the receiver mail server decrypt the encrypted DKIM key it will gain the DKIM key which is nothing but the hashe value for some email headers. In my example it is:Abcd.

11- Receiver mail server will use the same hash method to hash the same email headers and if the it get the exactly similar hsh value, it will accept the email and forward it to the receiver inbox folder.

Please guys, correct me if I am wrong and clarify how the public key are used to decrypt the DKIM key and how the private key is used to encrypt it while the asymmetric mantra says:

"Private key is for decryption and public key is for encryption".

I went through many websites and all of them did not clarify this process step by step in very clear details.


Solution

  • To point 6 and 9

    It is correct that in Asymmetric Cryptography, in the task to "encrypt" a message that is intended to be read only by the recipient, the recipient public key is used by the sender to encrypt the message, that message can be decrypted only by the owner of the secret key which is the recipient.

    However, in the Digital signature use-case there is a different situation, here the need is to prove the identity of the sender, Well does the sender have that no one else has? the secret key of the sender.

    So if the sender wants to prove their identity they can show you the secret key, but then it is not secret anymore and others will copy it.

    The sender could encrypt some "known message" with the secret key, for everyone to decrypt with the associated publicly known public key of the sender. Again in this use case, the sender is trying to prove that they have the private key. Now if the recipient decrypts the message with the public key of the sender, and compares the results with the "known message" and it matches that means the sender really owns the secret key.

    You need to understand here that the message that is being encrypted is not secret, so actually all recipients should be able to have it, and to match it with the "decrypted signature" in order to assess wether the sender owns the secret key of the sender address. Once you understands that the DKIM process is clear.

    Keep that in mind while you read resources on Digital Signature and Public-Key Cryptography or Asymmetric Cryptography:

    You can read this about Cryptographic Digital Signature: