Deployment and analysis of DKIM with DNSSEC

Abstract: As the email system is widely used as a communication channel, and often is crucial for the performance of organizations, it is important that users can trust the content of what is being delivered to them. A standard called DomainKeys Identified Mail (DKIM) has been developed by the IETF to solve the problem with authentication and integrity, by using digital signatures. This master's thesis goal is to evaluate the solution where an implementation of DKIM is extended with DNSSEC validation. DNSSEC is a solution which secures, among other, the mapping between IP addresses and domain names. The implementation of DKIM is deployed and evaluated with function testing, domain testing, threat analysis, and interoperability testing.DKIM does not need any new public-key infrastructure, thus inflicting less cost on the deployment compared with other cryptographic solutions such as S/MIME and PGP. We recommended to use DKIM together with DNSSEC to secure the transportation of the DKIM public key. The upcoming standard ADSP can inform the recipient of whether a domain is signing its email or not and thereby a possibility to detect any unauthorized signature removal. A further problem is that mailing lists often manipulate the email, thus breaking the signature. We therefore recommend to send email directly to the recipient or active DKIM signing on the mailing lists.