Domain-Based Email Authentication Using Public Keys Advertised in the DNS (DomainKeys)
RFC 4870

Document Type RFC - Historic (May 2007; No errata)
Obsoleted by RFC 4871
Was draft-delany-domainkeys-base (individual in sec area)
Last updated 2013-03-02
Stream IETF
Stream WG state (None)
Consensus Unknown
Document shepherd No shepherd assigned
IESG IESG state RFC 4870 (Historic)
Telechat date
Responsible AD Russ Housley
Send notices to MarkD@yahoo-inc.com
Network Working Group                                          M. Delany
Request for Comments: 4870                                    Yahoo! Inc
Obsoleted By: 4871                                              May 2007
Category: Historic

          Domain-Based Email Authentication Using Public Keys
                   Advertised in the DNS (DomainKeys)

Status of This Memo

   This memo defines a Historic Document for the Internet community.  It
   does not specify an Internet standard of any kind.  Distribution of
   this memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   "DomainKeys" creates a domain-level authentication framework for
   email by using public key technology and the DNS to prove the
   provenance and contents of an email.

   This document defines a framework for digitally signing email on a
   per-domain basis.  The ultimate goal of this framework is to
   unequivocally prove and protect identity while retaining the
   semantics of Internet email as it is known today.

   Proof and protection of email identity may assist in the global
   control of "spam" and "phishing".

Delany                          Historic                        [Page 1]
RFC 4870                       DomainKeys                       May 2007

Table of Contents

   1. Introduction ....................................................3
      1.1. Lack of Authentication Is Damaging Internet Email ..........3
      1.2. Digitally Signing Email Creates Credible Domain
           Authentication .............................................4
      1.3. Public Keys in the DNS .....................................4
      1.4. Initial Deployment Is Likely at the Border MTA .............5
      1.5. Conveying Verification Results to MUAs .....................5
      1.6. Technical Minutiae Are Not Completely Covered ..............5
      1.7. Motivation .................................................6
      1.8. Benefits of DomainKeys .....................................6
      1.9. Definitions ................................................7
      1.10. Requirements Notation .....................................8
   2. DomainKeys Overview .............................................8
   3. DomainKeys Detailed View ........................................8
      3.1. Determining the Sending Address of an Email ................9
      3.2. Retrieving the Public Key Given the Sending Domain ........10
           3.2.1. Introducing "selectors" ............................10
           3.2.2. Public Key Signing and Verification Algorithm ......11
           3.2.3. Public key Representation in the DNS ...............13
           3.2.4. Key Sizes ..........................................14
      3.3. Storing the Signature in the Email Header .................15
      3.4. Preparation of Email for Transit and Signing ..............17
           3.4.1. Preparation for Transit ............................18
           3.4.2. Canonicalization for Signing .......................18
                  3.4.2.1. The "simple" Canonicalization Algorithm ...19
                  3.4.2.2. The "nofws" Canonicalization Algorithm ....19
      3.5. The Signing Process .......................................20
           3.5.1. Identifying the Sending Domain .....................20
           3.5.2. Determining Whether an Email Should Be Signed ......21
           3.5.3. Selecting a Private Key and Corresponding
                  Selector Information ...............................21
           3.5.4. Calculating the Signature Value ....................21
           3.5.5. Prepending the "DomainKey-Signature:" Header .......21
      3.6. Policy Statement of Sending Domain ........................22
      3.7. The Verification Process ..................................23
           3.7.1. Presumption that Headers Are Not Reordered .........24
           3.7.2. Verification Should Render a Binary Result .........24
           3.7.3. Selecting the Most Appropriate
                  "DomainKey-Signature:" Header ......................24
           3.7.4. Retrieve the Public Key Based on the
                  Signature Information ..............................26
           3.7.5. Verify the Signature ...............................27
           3.7.6. Retrieving Sending Domain Policy ...................27
           3.7.7. Applying Local Policy ..............................27
      3.8. Conveying Verification Results to MUAs ....................27


   4. Example of Use .................................................29