Sender authentication part 27: Public key notation in DNS

Now that we have an overview of how DomainKeys works, we're going to look at how a service using DomainKeys generates a DomainKeys signature.

When a receiving email server gets the message and sees that there is a DomainKeys header, it has to retrieve the key from DNS. The DomainKeys header is "DomainKey-Signature" in the message headers. I'm going to borrow much of the phrasing from RFC 4870, the RFC for DomainKeys.

An example key is the following:

brisbane._domainkey IN TXT "g=; k=rsa; p=MHww ... IDAQAB"

Verifiers must support key sizes of 512, 768, 1024, 1536 and 2048 bits. Signers must support at least one of the verifier supported key sizes.

The current valid tags are as follows:

g = granularity of the key. If present with a non-zero length value, this value must exactly match the local part of the sending address. This tag is optional.

The intent of this tag is to constrain which sending address can legitimately use this selector. An email with a sending address that does not match the value of this tag constitutes a failed verification.

k = key type; rsa, the encryption algorithm, is the default. Signers and verifiers must support the 'rsa' key type. This tag is optional.

n = Notes that may be of interest to a human. No interpretation is made by any program. This tag is optional.

p = public key data, encoded as a Base64 string. An empty value means that this public key has been revoked. This tag MUST be present.

t = an optional tag that specifies a set of flags that define boolean attributes. Valid attributes are as follows:

  • y = testing mode. This domain is testing DomainKeys and unverified email must not be treated differently from verified email. Recipient systems may wish to track testing mode results to assist the sender.

Going back to our example, we interpret the key as follows:

brisbane._domainkey IN TXT "g=; k=rsa; p=MHww ... IDAQAB"

The domain for brisbane (more on interpreting this in a future post) uses the rsa encryption algorithm and the public key is MHww...IDAQAB.
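As an added example (not code from the original post or from RFC 4870), here is a small Python parser that splits a DomainKeys TXT record into its tags and applies the rules above: an empty p= means the key is revoked, k defaults to rsa, a non-empty g= must equal the local part of the sending address, and t=y marks testing mode. The record names, sender addresses and the Base64 value are constructed placeholders.

```python
import base64
import binascii

# Constructed sample records (not from the original post). The p= value is a
# placeholder standing in for a real Base64-encoded RSA public key.
PLACEHOLDER_P = base64.b64encode(b"not a real RSA key").decode()
SAMPLE_TXT = {
    "brisbane._domainkey.example.com": f"g=; k=rsa; p={PLACEHOLDER_P}",
    "sales._domainkey.example.com": f"g=sales; k=rsa; p={PLACEHOLDER_P}; t=y",
    "old._domainkey.example.com": "k=rsa; p=",
}

def parse_domainkey_record(txt: str) -> dict:
    """Split a DomainKeys TXT record into tag=value pairs (';'-separated,
    surrounding whitespace ignored). Unknown tags are kept; 'p' must be present."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        tags[name.strip()] = value.strip()
    if "p" not in tags:
        raise ValueError("required tag 'p' is missing")
    return tags

def evaluate_key(tags: dict, sender: str) -> tuple:
    """Return (status, testing) for one sending address. status is 'revoked',
    'unsupported-key-type', 'bad-base64', 'granularity-mismatch' or 'ok';
    testing is True when t=y, so a failure must not change how mail is handled."""
    testing = tags.get("t", "") == "y"      # y is the only flag RFC 4870 defines
    if tags["p"] == "":                      # empty p= means the key is revoked
        return ("revoked", testing)
    if tags.get("k", "rsa") != "rsa":        # rsa is the default and only required type
        return ("unsupported-key-type", testing)
    try:
        base64.b64decode(tags["p"], validate=True)
    except binascii.Error:
        return ("bad-base64", testing)
    local_part = sender.rpartition("@")[0]
    granularity = tags.get("g", "")
    if granularity and granularity != local_part:  # non-empty g= must equal the local part
        return ("granularity-mismatch", testing)
    return ("ok", testing)

if __name__ == "__main__":
    for name, txt in SAMPLE_TXT.items():
        print(name, evaluate_key(parse_domainkey_record(txt), "sales@example.com"))
```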

It is advised that the "n" tag be used sparingly, since size constraints in DNS should be considered. In other words, don't be too wordy like a politician who drones on and on and on (I know a few like that, and I bet you do too).