How does DKIM Work?


Public Key Cryptography uses a pair of keys. One key, the “Private Key”, is kept secret by the signer: the original sending and composing MTA (mail server) for the email author's domain.

If someone obtained the DKIM Private Key for `everycloudtech.com`, that person could send email carrying a valid `everycloudtech.com` signature, and receivers would accept it as genuine. This is why organizations employing DKIM to protect their email must be very careful about how the Private Keys are stored and used: the key should exist only on the signing mail server, and it should be replaced if it is ever exposed.

To accompany the Private Key, there is a “Public Key”. The Public Key permits anyone to verify that a signature made with the corresponding Private Key is valid (and the signed contents haven’t been tampered with).

DKIM uses DNS to publish the Public Key: the domain owner places it in a TXT record at `<selector>._domainkey.<domain>`, so any party that wants to validate a signature can look it up with an ordinary DNS query.

When an author sends an email, the original composing MTA calculates a cryptographic signature using the Private Key that covers the relevant parts of the message: the selected headers (at least `From`) and a hash of the body. The signature is placed in a `DKIM-Signature` header and the message is then sent normally by the composing mail server.

At any point in transit, and typically at the recipient's mail provider, the signature is validated using the Public Key fetched from the sender's DNS. If any part of the message covered by the signature was tampered with, the body hash or the header signature won't validate, and the receiving server can treat the message as unauthenticated (flag it, quarantine it or reject it, depending on its policy).

Spoofed emails won't carry a valid signature, because spoofers do not possess the sender's Private Key, so they are easy to detect at receivers that check DKIM. Note that a spoofer can also simply leave the signature off; an unsigned message is only suspicious if the receiver knows that the domain signs all of its mail.
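The signing, publishing and verification steps above, as an added example that is not part of this article or of EveryCloud's software. It is a self-contained Go program using only the standard library: it generates a fresh RSA key pair, builds the `DKIM-Signature` header (body hash plus a signature over the selected headers), produces the TXT record the domain owner would publish, and then verifies the message as a receiving MTA would, using only that record. The addresses, the selector `sel1` and the message text are constructed sample data; body canonicalization follows the RFC 6376 "simple" mode (with LF normalized to CRLF first). A real deployment should use a maintained DKIM library rather than this code.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

type header struct{ Name, Value string } // one message header field, e.g. {"From", "alice@everycloudtech.com"}

// bodyHash is the bh= tag: base64(SHA-256(body)) after "simple" body canonicalization
// (LF normalized to CRLF, trailing blank lines dropped, exactly one CRLF at the end).
func bodyHash(body string) string {
	b := strings.ReplaceAll(strings.ReplaceAll(body, "\r\n", "\n"), "\n", "\r\n")
	sum := sha256.Sum256([]byte(strings.TrimRight(b, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// signedData is what both sides hash: the headers named in h=, in that order, then the DKIM-Signature header with an empty b= tag.
func signedData(hdrs []header, names []string, dkimNoSig string) []byte {
	var sb strings.Builder
	for _, n := range names {
		for _, h := range hdrs {
			if strings.EqualFold(h.Name, n) {
				sb.WriteString(h.Name + ": " + h.Value + "\r\n")
				break
			}
		}
	}
	sb.WriteString("DKIM-Signature: " + dkimNoSig)
	return []byte(sb.String())
}

// Sign is the composing MTA's side: build the DKIM-Signature header and sign it with the domain's Private Key.
func Sign(priv *rsa.PrivateKey, domain, selector string, hdrs []header, body string) (string, error) {
	names := []string{"from", "to", "subject"}
	base := fmt.Sprintf("v=1; a=rsa-sha256; c=simple/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(names, ":"), bodyHash(body))
	digest := sha256.Sum256(signedData(hdrs, names, base))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return base + base64.StdEncoding.EncodeToString(sig), err // sig is nil when err != nil
}

// DNSRecord is the TXT record the domain owner publishes at <selector>._domainkey.<domain>.
func DNSRecord(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der), err
}

// parseTags splits a "k=v; k2=v2" tag list (DKIM-Signature header or TXT record).
func parseTags(s string) map[string]string {
	m := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			m[kv[0]] = kv[1]
		}
	}
	return m
}

// Verify is the receiving MTA's side: take the Public Key from the published TXT record,
// recompute bh=, rebuild the signed data with b= emptied, and check the RSA signature.
func Verify(txt string, hdrs []header, body, dkim string) error {
	der, _ := base64.StdEncoding.DecodeString(parseTags(txt)["p"]) // a bad p= fails in the parse below
	key, err := x509.ParsePKIXPublicKey(der)
	pub, ok := key.(*rsa.PublicKey)
	if err != nil || !ok {
		return fmt.Errorf("published key unusable: %v", err)
	}
	tags := parseTags(dkim)
	if tags["bh"] != bodyHash(body) {
		return fmt.Errorf("body hash mismatch: body altered after signing")
	}
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	idx := strings.LastIndex(dkim, "; b=") // everything up to and including "b=" was signed
	if err != nil || idx < 0 {
		return fmt.Errorf("malformed b= tag")
	}
	digest := sha256.Sum256(signedData(hdrs, strings.Split(tags["h"], ":"), dkim[:idx+4]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) // nil means the signature is valid
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	hdrs := []header{{"From", "alice@everycloudtech.com"}, {"To", "bob@example.net"}, {"Subject", "Invoice"}}
	body := "Please find the invoice attached.\n" // constructed sample message
	dkim, _ := Sign(priv, "everycloudtech.com", "sel1", hdrs, body)
	txt, _ := DNSRecord(&priv.PublicKey)
	fmt.Println("intact:", Verify(txt, hdrs, body, dkim))
	fmt.Println("altered body:", Verify(txt, hdrs, body+"Pay to account X\n", dkim))
	spoofer, _ := rsa.GenerateKey(rand.Reader, 2048) // a spoofer's own key, not the domain's
	spoofed, _ := Sign(spoofer, "everycloudtech.com", "sel1", hdrs, body)
	fmt.Println("spoofed:", Verify(txt, hdrs, body, spoofed))
}
```

The three `Verify` calls in `main` show the three outcomes the article describes: the intact message verifies, a message whose body was altered in transit fails on the body hash before any signature work is done, and a message signed with a key other than the one published for the domain fails signature verification. The DNS lookup at `<selector>._domainkey.<domain>` is simulated by handing the TXT string straight to `Verify`; a real verifier fetches it with a DNS query.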

The reason EveryCloud cannot apply outbound DKIM to a customer's mail is that we are not the originating/composing MTA of the message, so we cannot sign it with the sender's (domain owner's) Private Key, and we do not have access to the domain owner's DNS settings in order to publish the Public Key.

Ref: http://www.gettingemaildelivered.com/dkim-explained-how-to-set-up-and-use-domainkeys-identified-mail-effectively