DKIM Record and Configuration in VergeCloud User Panel

DKIM Record

DKIM, or DomainKeys Identified Mail, is a protocol that enables the sender to append a digital signature to each email, allowing the recipient to authenticate the sender's identity. Essentially, DKIM serves as one of the methods for verifying the authenticity of email senders.

This protocol enables the recipient to confirm the sender's identity by linking the email to the domain. DKIM is implemented through a TXT record within the domain's DNS (Domain Name System) zone configuration file managed by VergeCloud.

DKIM Functionality

The DKIM process comprises two key steps: first, the sender generates a digital signature, and second, the recipient verifies that signature.

Creating a DKIM Signature

Initially, the email body and the headers listed in the h tag of the DKIM signature are normalized; in simple terms, surplus spaces and gaps are removed. This process, known as Canonicalization, results in a consistent text string.

This step is crucial because an email can be reformatted slightly as it traverses different servers before reaching its destination. Normalizing these elements ensures that the hash function on both the sender's and the receiver's side is given the same input, and the hash function yields the same fixed output for each specific input.

In short, a hash is a mathematical function that generates a unique and consistent output for each identical input string. This function is one-way, meaning the input cannot be derived from the output. In networking and computing, hashing is employed to ensure data integrity during transmission. If the hash values calculated by both the sender and receiver match, it indicates that the data has been transferred without errors or alterations.

Next, the hash value of the canonicalized text string is computed. The domain owner then signs this hash by encrypting it with their private key. When the sender dispatches the email, both the body hash and the signature (the encrypted output) are included in the DKIM-Signature section of the email header.

The sender includes in the email header all the information the recipient needs for decryption and authentication, such as the domain and selector that locate the public key and the list of signed header fields. Finally, the domain owner publishes the public key in a TXT record with DKIM properties so that recipients can retrieve it.

Verifying the DKIM Digital Signature

Upon receiving the email, the recipient also performs Canonicalization, removing spaces and gaps according to the headers specified in the h tag. They then generate a hash value for the header and message content.

The public key is obtained from the sender's domain through a DNS query managed by VergeCloud.

At this stage, the recipient decrypts the digital signature using the public key, yielding the hash calculated by the sender from the email's header and content. If the resulting hash matches the one computed by the recipient, it confirms that the email's content and header have remained unchanged during transmission, thereby ensuring data integrity.

Additionally, matching the public key with the encrypted content indicates that the private key used for encryption belongs to the domain that claims to have sent the email. Consequently, the sender's identity is verified for the recipient through this key pair.

It is important to note that DKIM does not encrypt the entire email message; instead, it encrypts only the hashed summary of the header and message content. Therefore, it is incorrect to assume that DKIM conceals the entire content of the email. The primary purpose of DKIM is to ensure data integrity and authenticate the sender, not to maintain data confidentiality.

Other protocols, such as STARTTLS or end-to-end encryption methods like GNU Privacy Guard (GPG), are employed to secure email data confidentiality during transmission. The advantage of DKIM lies in its efficiency: calculating the hash of a short text string requires significantly less processing time than decrypting a long encrypted message. This efficiency helps mitigate the risk of various denial of service (DoS) attacks.

Imagine a scenario where the receiving email server must decrypt text solely for authentication. If an attacker sends numerous invalid requests, it could consume server resources and slow down legitimate requests.

Structure of the DKIM Record

As previously mentioned, the DKIM record is stored in the domain's DNS zone configuration file managed by VergeCloud as a specific type of TXT record.

The record name starts with selector._domainkey.vergecloud.site, where selector is the name chosen for this DKIM key (its Selector). There is no limit to the number of DKIM records that can be defined, allowing for distinct DKIM records for different types of emails, each with its own public and private key. For instance, a specific DKIM record can be designated for marketing emails while another is used for support emails. The term “selector” must match the name used in the s tag in the email header.

The _domainkey label is a fixed part of the DKIM record structure; what follows it is the domain name on which the record is created, vergecloud.site in this example.

  • TTL: Denotes the duration for which DNS servers retain the record's data, in seconds.
  • TXT: Indicates the type of DNS record.
  • Value Section: Defines the DKIM properties:
    • v=DKIM1; Specifies the protocol used in the TXT record, DKIM, with 1 representing the version. The value DKIM1 is written in uppercase, and this tag must always come first.
    • k=; Identifies the algorithm type used for the public key specified in the p tag (rsa in the examples below).
    • p=; Contains the public key accessible to email recipients for validating hashed values and digital signatures.

DKIM Signature Structure

The DKIM signature is appended to the header of every email sent by the sender. This signature includes all the information the recipient requires for authentication and ensuring data integrity.

A DKIM signature contains the following tags:

  • v: Signifies the version used in DKIM.
  • a: Indicates the algorithm type for encryption and hashing.
  • c: Canonicalization specifies the sensitivity level and methods for removing empty spaces in the header and body text to create the hash. The term before the slash refers to the header mode, while the term after it pertains to the body.
  • d: Denotes the domain name from which the recipient should request the public key via DNS.
  • s: Selector specifies which public key to use. Its value (selector in this article's examples, or any name the domain owner chooses) corresponds to the name of the DKIM record whose key signed the received message.
  • h: Lists the headers involved in creating the hash on the sender's side, which are also used for hashing on the receiver's side.
  • bh: Contains the unencrypted hash of the message body content (the header hash is not included).
  • b: Represents the signature data or the encrypted text that encompasses the headers specified in the h tag and the message body content. If the recipient uses the public key to decrypt this text, they will obtain the hashed text of the combined header and body content.
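The following script, added here as an illustration and not code from VergeCloud, shows the canonicalization and bh tag described above: it canonicalizes a message body in both the simple and relaxed modes, computes the bh= value, and checks it against the c= and bh= tags of a DKIM-Signature. The sample body and signature value are constructed for this example; b= is a placeholder, since checking it would require the public key from DNS.

```python
import base64
import hashlib
import re
# Constructed sample body with a doubled space, trailing space and blank lines.
SAMPLE_BODY = "Hello  from VergeCloud \r\n\r\n\r\n"

def parse_dkim_tags(header_value):
    """Split 'tag=value; tag=value' into a dict, dropping folding whitespace in values."""
    tags = {}
    for item in header_value.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def canonicalize_body(body, mode):
    """RFC 6376 body canonicalization: 'simple' drops trailing empty lines only,
    'relaxed' also collapses runs of spaces/tabs and strips trailing whitespace."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:  # empty body: a lone CRLF under simple, nothing under relaxed
        return b"\r\n" if mode == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode()

def body_hash(body, mode, algorithm="rsa-sha256"):
    """The bh= value: base64 of the hash named by a= over the canonicalized body."""
    digest = hashlib.sha1 if algorithm == "rsa-sha1" else hashlib.sha256
    return base64.b64encode(digest(canonicalize_body(body, mode)).digest()).decode()

def check_body_hash(signature_value, body):
    """True when bh= matches the body under the c= body mode. This is only the
    integrity half; b= must still be verified with the public key fetched from DNS."""
    tags = parse_dkim_tags(signature_value)
    missing = {"v", "a", "b", "bh", "d", "h", "s"} - set(tags)
    if missing:
        raise ValueError(f"DKIM-Signature lacks required tags: {sorted(missing)}")
    _header_mode, _, body_mode = tags.get("c", "simple/simple").partition("/")
    return body_hash(body, body_mode or "simple", tags["a"]) == tags["bh"]

# Constructed DKIM-Signature value, not a real VergeCloud signature: b= is a
# placeholder and bh= is filled from the sample body so the check runs offline.
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=vergecloud.site; s=selector;"
              " h=from:to:subject; bh=" + body_hash(SAMPLE_BODY, "relaxed")
              + "; b=PLACEHOLDER_SIGNATURE")

if __name__ == "__main__":
    print("bh matches:", check_body_hash(SAMPLE_SIG, SAMPLE_BODY))
```

Changing a single character of the body makes check_body_hash return False, which is exactly the integrity guarantee the article describes.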

Registering a DKIM Record in the VergeCloud Panel

To create a DKIM record in the VergeCloud Panel, follow these steps:

  1. Select Your Domain: Log in to your VergeCloud account and navigate to the dashboard. Select the domain for which you want to configure the DKIM record.
  2. Navigate to DNS Records: Within your domain’s settings, locate the DNS Management section provided by VergeCloud. This area allows you to view and edit DNS records associated with your domain.
  3. Create a New TXT Record: Add a new TXT record with the following details:
    • Name: selector._domainkey
    • Type: TXT
    • Value: "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3..."
    • TTL: 3600
  4. Save the Record: After entering the details, save the TXT record within the VergeCloud User Panel. It may take some time for DNS changes to propagate globally.
  5. Verify the Record: Use DNS lookup tools or the VergeCloud panel to verify that the DKIM record has been correctly added and is active.

Once configured through VergeCloud, monitor the DKIM signatures on outgoing emails to ensure that your DKIM policy is functioning as intended and to make adjustments as necessary.

Setting Records Using the API

VergeCloud provides an API that allows you to programmatically manage DNS records, including DKIM records. This is particularly useful for automating DNS management tasks or integrating DNS configuration into your existing workflows.

Steps to Register DKIM Records via API:

  1. Authenticate: Obtain your API credentials from the VergeCloud User Panel. These typically include an API key and secret.
  2. Construct the API Request: Create a POST request to the VergeCloud DNS API endpoint with the necessary parameters. Below is an example using cURL:
curl -X POST "https://api.vergecloud.site/v1/domains/vergecloud.site/dns_records" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
        "type": "TXT",
        "name": "selector._domainkey",
        "value": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3...",
        "ttl": 3600
      }'
  3. Send the Request: Execute the API request. If successful, the VergeCloud API will respond with confirmation that the DKIM record has been created.
  4. Handle Responses: Implement error handling to manage any issues that arise during the API call, such as authentication failures or invalid data.

Refer to the VergeCloud API documentation for detailed information on endpoints, parameters, and authentication methods.

Binding Format of the Specified Record

The binding format refers to how the DKIM record is structured and associated with your domain within VergeCloud. Ensuring the correct format is vital for the proper functioning of DKIM policies.

Example Binding Format:

{
  "type": "TXT",
  "name": "selector._domainkey",
  "value": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3...;",
  "ttl": 3600
}

Components:

  • type: The type of DNS record, which is TXT for DKIM.
  • name: The name of the record, typically selector._domainkey.
  • value: The DKIM policy details, including version, algorithm, public key, and other necessary tags.
  • ttl: Time To Live, indicating how long the record is cached by DNS servers.

Ensure that all fields are correctly populated within the VergeCloud User Panel to avoid misconfigurations that could weaken your email security.

Output of the Dig Command

The dig command is a powerful DNS lookup tool used to verify DNS records, including DKIM records. After configuring your DKIM record through VergeCloud, you can use dig to confirm its presence and correctness.

Example Command:

dig TXT selector._domainkey.vergecloud.site +short

Expected Output:

"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3...;"

Interpreting the Output:

  • v=DKIM1: Indicates the DKIM version.
  • k=rsa: Specifies the algorithm type used for the public key.
  • p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3...: Contains the public key used to verify the DKIM signature.

If the output matches your DKIM record configuration in VergeCloud, your setup is correct. If discrepancies are found, revisit your DNS settings in the VergeCloud User Panel to make necessary adjustments.
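As an added example (not a VergeCloud tool), the script below takes the text that dig +short prints, joins the quoted strings that long TXT records are split into, and checks the record the way a receiving server would before trusting it: v=DKIM1 first, a supported k= type, and a p= value that is present, not revoked (empty), and valid base64. The sample dig output is constructed and its key is a base64 placeholder rather than a real key.

```python
import base64
import re
# Constructed sample of `dig TXT selector._domainkey.vergecloud.site +short` output.
# Long TXT records come back as several quoted strings on one line; the key below is
# a placeholder that is valid base64, not a real VergeCloud key.
SAMPLE_DIG_OUTPUT = '"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3" "AAAA"\n'

def join_txt_strings(line):
    """Concatenate the quoted character-strings of one TXT record, as resolvers do."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', line))

def parse_dkim_record(value):
    """Return the record's tags as an ordered list of (tag, value) pairs."""
    pairs = []
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            pairs.append((name.strip(), re.sub(r"\s+", "", val)))
    return pairs

def validate_dkim_record(value):
    """Return a list of problems with a published DKIM key record; empty means it is usable."""
    pairs = parse_dkim_record(value)
    tags = dict(pairs)
    problems = []
    if "v" in tags:
        if pairs[0][0] != "v":
            problems.append("v= must be the first tag")
        if tags["v"] != "DKIM1":
            problems.append("v= must be exactly DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unsupported key type k={tags['k']}")
    if "p" not in tags:
        problems.append("p= (public key) is missing")
    elif tags["p"] == "":
        problems.append("p= is empty, which means the key has been revoked")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except (ValueError, TypeError):  # binascii.Error subclasses ValueError
            problems.append("p= is not valid base64")
    return problems

def check_dig_output(output):
    """Validate every record line that dig +short printed; returns {record: problems}."""
    return {rec: validate_dkim_record(rec)
            for rec in (join_txt_strings(line) for line in output.splitlines()) if rec}

if __name__ == "__main__":
    for record, problems in check_dig_output(SAMPLE_DIG_OUTPUT).items():
        print(record, "->", problems or "OK")
```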
