Shulou(Shulou.com)05/31 Report--

What is the principle and usage of DKIM Selector? I believe many inexperienced people don't know what to do about it. Therefore, this paper summarizes the causes and solutions of the problem. Through this article, I hope you can solve this problem.

What is DKIM selector?

DKIM selector, also known as DKIM selector or DKIM selector, is a string used by the mail sending server to determine the private key to sign the message. On the mail receiving server, it is used to obtain the public key in DNS to verify the integrity of the message.

Each time a private / public key pair is created, a {selector, private key, public key} tuple is generated, where selector is used to obtain private and public keys.

How to choose DKIM selector?

When a user creates a private / public key pair for a mail delivery service, such as SendGrid, you need to specify a DKIM selector, which can be any string.

Why do I need multiple DKIM selectors?

Multiple private / public key pairs are required for the following reasons:

DKIM key rotation, the following will explain

Set up DKIM; for multiple mail delivery services on a single domain name each service can have its own separate selector so that the signature / verification of each service does not interfere with other services.

Every time an email is sent / verified, only a pair of keys are used. At this point, the DKIM selector will come in handy: the DKIM selector is used by the signing server to obtain the private key in the key pair, and the authentication server uses the same DKIM selector to obtain the public key.

How does DKIM selector work in DKIM authentication?

Once the signing server determines the DKIM selector, the server uses it to find the corresponding key and calculate the signature. Once the signature is calculated, the DKIM selector is inserted into the s = tag in the header of the message, and then the message is sent.

For example, suppose the selected selector is S1, and the label is s=s1. Again, the selector can be any string, like thisismyselector1234, as long as it points to a valid private / public key pair.

This is an example of an actual DKIM signature header domain:

DKIM-Signature: vaulted 1; axirsaile sha256 256; cased printed edged; dumbdmarcly.com; h=content-transfer-encoding:content-type:from:mime-version:subject: Xmuri feedbackmuri id Vera to; swatches 1; bh=jCC0oQBCKfJ10bCI3PCG52Zwowyeh2haGJPACkWN9F4=; b=GzLBVZ0M1hMt1Y7hVT+ajaNrswTv+/FFVMrcaixD70hpTJwAmNwZUKJIzLslSC+iWHby 9gm+yfx6Z1qnXIL6qgBPnlZD4zwyK4D3Umd1je82jniuD7RJWYDqJH0zL+EevCDdoVZGmT IlxzZB6v95bws6539z/5qee+Xmu5KYe4Y=

The DKIM selector used for the above DKIM signature is s=s1.

When the message arrives at the receiving server, the server checks the header domain to find the s = tag. If the tag exists, the server extracts the selector from it and looks for the public key in the following location of the DNS:

S1._domainkey.example.com

If the public key is found, the server uses it to check the integrity of the message. If the check passes, the DKIM verification succeeds, otherwise it fails.

DKIM authentication fails if the public key cannot be found.

What is DKIM key rotation?

DKIM has proved to be an effective means of verifying the integrity of messages. But DKIM has its own weaknesses. If the system that holds DKIM's private key is compromised, the security will be greatly compromised. Therefore, to minimize the risk of cracking, DKIM key pairs should be changed on a regular basis. This is called DKIM key rotation (DKIM key rotation).

Each time the key is rotated, a new {selector, private key, public key} tuple will be generated. Then the public key will be published in DNS, and you need to reconfigure the mail sending server to use the new private key. When complete, the server will use the new private key to sign all messages to be sent.

The original key should be kept for another 7 days before it can be safely removed. The reason is that there may be a delay between the sending of the message and the arrival of the receiving server. If there is a temporary error on the receiving server, the delay can be as long as several days. In order for DKIM authentication to pass, the receiving server must be able to find the corresponding public key in the DNS.

You need to manually rotate DKIM keys only when you are running your own mail sending server. If you use services like SendGrid, Office 365, or GSuite to send emails, you don't have to do anything-DKIM key rotation is done automatically.

DKIM selector VS DKIM record

If you set DKIM in an email delivery service like SendGrid, it will create a DKIM record of type CNAME for you. Here is a DKIM record of type CNAME:

S1.domainkey.u5022280.wl431.sendgrid.net

You need to publish similar records in DNS so that the receiving server can access them. Notice the S1 section of the record above: this is DKIM selector, which is used by the receiving server to obtain the public key and then to verify the DKIM signature.

How to use DKIM selector to check DKIM records

If you need to check whether the selector on a domain name has DKIM records, you can use this free DKIM record checker.

Enter the domain name and selector to be checked.

After reading the above, have you mastered the principle and usage of DKIM Selector? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.