Validating email with DKIM

One sometimes needs to know for sure that an email is genuine, i.e. that it was sent on the date it claims, with the contents it appears to have. In general this is not possible, since email is very easy to forge.

For instance, one can send fake email using telnet; there are even YouTube videos showing how to do it. One can also backdate email by editing the mail program's mail store to change the received date; the messages then appear to have been sent on the chosen date.

But all is not lost. In 2007, large email providers started using an antispam technique called DKIM, DomainKeys Identified Mail. This is a digital signature attached to each outgoing email; it allows other mail providers -- or you -- to verify that an email (including sender, recipient, date, and body) was signed by the mail provider it claims to be from. Although it was originally designed only for use while the email is in transit, you can also use it after the fact to check whether a message has been tampered with.

Here's how to verify that an email has a valid DKIM signature using Linux or Cygwin:

  1. First, download the original email with its full headers. (There are instructions for how to do this for the four most popular web mail programs here.) Save it to a file named, say, email.txt.
  2. Second, download and build libdomainkeys. For instance:
    wget http://downloads.sourceforge.net/project/domainkeys/libdomainkeys/0.69/libdomainkeys-0.69.tar.gz
    tar -xzvf libdomainkeys-0.69.tar.gz
    cd libdomainkeys-0.69
    make
    
    (You'll probably need to add -lresolv to the LIBS= line.)
  3. Third, use libdomainkeys to validate the email:
    ./dktest -v < email.txt
    
    If the email does not contain a DKIM signature, you will see the message
    DomainKey-Status: no signature
    dktest: DK_STAT_NOSIG: No signature available in message
    
    which, sadly, means you can't use this technique to validate the email.

    If the email is genuine, you will see the message

    DomainKey-Status: good
    
    If the email is not genuine, you may see various other messages. For instance, if you edit the message to change the date, you will see
    DomainKey-Status: bad
    dktest: DK_STAT_BADSIG: Signature was available but failed to verify against domain specified key
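
The first thing a DKIM verifier checks is the body hash: it canonicalizes the body as the c= tag says, hashes it, and compares the result with the bh= tag, so an edited body is rejected before any key is even fetched. The following is an added Python 3 example of that check (standard library only; not code from this page or from libdomainkeys) run on a constructed sample message; it deliberately stops short of the b= signature over the headers, which is what protects the Date and needs the signer's public key from DNS.

```python
import base64
import hashlib
import re

def parse_dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs (folding whitespace dropped)."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags
def get_header(head: bytes, name: str):
    """Unfold the raw header block and return the value of header `name`, or None."""
    for line in re.sub(rb"\r\n[ \t]+", b" ", head).split(b"\r\n"):
        field, _, val = line.partition(b":")
        if field.strip().lower() == name.lower().encode():
            return val.decode("ascii", "replace").strip()
    return None
def canonicalize_body(body: bytes, method: str) -> bytes:
    """RFC 6376 'simple' or 'relaxed' body canonicalization."""
    lines = body.split(b"\r\n")
    if method == "relaxed":  # collapse runs of WSP to one space, drop trailing WSP
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # both methods drop trailing empty lines
        lines.pop()
    if not lines:  # an empty body hashes as CRLF (simple) or as nothing (relaxed)
        return b"\r\n" if method == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"
def body_hash(body: bytes, method: str = "relaxed", algo: str = "sha256") -> str:
    return base64.b64encode(hashlib.new(algo, canonicalize_body(body, method)).digest()).decode()
def check_body_hash(raw: bytes):
    """Recompute bh= from the body and compare it with the DKIM-Signature header's value."""
    raw = raw.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")  # normalise line endings
    head, _, body = raw.partition(b"\r\n\r\n")
    sig = get_header(head, "DKIM-Signature")
    if sig is None:
        return ("no signature", None, None)
    tags = parse_dkim_tags(sig)
    method = tags.get("c", "simple/simple").partition("/")[2] or "simple"  # body half of c=
    algo = tags.get("a", "rsa-sha256").partition("-")[2]  # rsa-sha256 -> sha256
    computed = body_hash(body, method, algo)
    return ("good" if computed == tags.get("bh") else "bad", computed, tags.get("bh"))
def make_sample(body: bytes, bh: str) -> bytes:
    """Constructed sample message; b= is a placeholder because RSA checking is not done here."""
    return (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel;\r\n"
            b"\th=from:to:date:subject; bh=" + bh.encode() + b";\r\n\tb=PLACEHOLDER\r\n"
            b"From: alice@example.com\r\nTo: bob@example.com\r\n"
            b"Date: Mon, 29 Aug 2011 10:00:00 +0000\r\nSubject: hi\r\n\r\n" + body)
```

Feed `check_body_hash` the bytes of a saved email.txt: "good" means the body matches what was signed, "bad" means it was altered, and "no signature" corresponds to the DK_STAT_NOSIG case above.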
    


Last Change 29 Aug 2011
(C) 2011 Dan Kegel
