On Mon, Jul 21, 2025 at 09:10:08AM -0400, rhkra...@gmail.com wrote:
> Is it reasonably accurate (at a simple level) to say that dkim involves
> applying a digital signature to an email by the domain (as opposed to a
> digital signature applied by the user / sender of an email)?
>
> And that the domain uses the private key of a public / private keypair?
Roughly, yes. It is applied to a (variable, but specified) subset of the
headers and the mail's body. Which ones is specified in the DKIM-Signature
header.

> E.g., if <user>@<domain>.com sends an email, <domain>.com applies a digital
> signature to it?
>
> And then, in the DNS system entry for <domain>.com, among other things, the
> public key is stored?

Strictly speaking, somewhere *beneath* <domain>.com, specifically at
<selector>._domainkey.<domain>.com. The value of <selector> is also stated
in the DKIM-Signature header. Your very mail has (I abbreviated a bit):

  DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com;
        s=20230601; t=1753103411; x=1753708211; darn=lists.debian.org;
        h=message-id:content-transfer-encoding:mime-version:user-agent:date
         :subject:to:from:from:to:cc:subject:date:message-id:reply-to;
        [...]

...so the selector would be 20230601, and you can query the public key
(among other things) with:

  dig 20230601._domainkey.gmail.com TXT

The "h=..." specifies which bits and bobs from your message go into the
fingerprint.

The Wikipedia [1] has, as usual, a very good explanation.

Cheers

[1] https://en.wikipedia.org/wiki/DKIM

-- 
tomás
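As an added illustration of the header fields discussed in the reply above (example code, not from this thread): a small Python parser that splits the quoted DKIM-Signature value into its tags, derives the <selector>._domainkey.<domain> name that `dig` queries, and lists the headers covered by h=. The header value is the abbreviated one quoted above, with the bh=/b= tags elided as in the mail.

```python
"""Parse a DKIM-Signature tag list and derive the public-key DNS name.

Added example for the thread above; the sample header is the abbreviated
value quoted in the reply (bh= and b= elided), not a complete signature.
"""
import re

# Folded across lines the way it appears in a raw mail header.
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601;\n"
    " t=1753103411; x=1753708211; darn=lists.debian.org;\n"
    " h=message-id:content-transfer-encoding:mime-version:user-agent:date\n"
    " :subject:to:from:from:to:cc:subject:date:message-id:reply-to;"
)


def parse_tags(value: str) -> dict:
    """Split an RFC 6376 tag-list ("tag=value; tag=value; ...") into a dict.

    Tags are separated by ';'. Folding whitespace (spaces, line breaks) inside
    a value carries no meaning, so it is stripped from each value.
    """
    tags = {}
    for field in value.split(";"):
        field = field.strip()
        if not field:
            continue  # a trailing ';' is permitted
        name, sep, val = field.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {field!r}")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def dns_name(tags: dict) -> str:
    """Name of the TXT record holding the key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def signed_headers(tags: dict) -> list:
    """Header names covered by the signature, in h= order.

    A name listed twice (e.g. 'from:from') is deliberate: the signer also
    covers the absence of a second such header, so duplicates are kept.
    """
    return tags["h"].split(":")


if __name__ == "__main__":
    t = parse_tags(SAMPLE_HEADER)
    print("dig", dns_name(t), "TXT")
    print("signed headers:", signed_headers(t))
```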