Technical Summary
DKIM [RFC6376] signs e-mail messages, by creating hashes of the message headers and body
and signing the header hash with a digital signature. Message recipients fetch the signature
verification key from the DNS. The defining documents specify a single signing algorithm,
RSA [RFC3447].
This document adds a new stronger signing algorithm, Edwards-Curve Digital Signature Algorithm
using the Curve25519 curve (ed25519), which has much shorter keys than RSA for similar levels
of security. This is important in overcoming the practical limitations in storing long keys in DNS.
Working Group Summary
This document represents the consensus of the DCRUP working group. The need for longer DKIM signing keys
has become more acute as compute power (and therefore the ability to factor short RSA keys) increases.
Initially, two approaches were considered: (1) publication of key fingerprints (hashes), rather than RSA keys
in DNS; (2) use of the ed25519 signing algorithm, which has shorter keys for equivalent cryptographic strength.
Ultimately, approach (1) was discarded because (2) was sufficient to satisfy the goals of the specification.
There was also significant discussion on the format to be used for publishing ed25529 public keys in DNS;
a "raw key" format was adopted (without ASN1/DER wrapping).
Document Quality
The specification has received extensive review from significant members of the email community
and input (such as algorithm selection) from WG technical advisor Eric Rescorla.
Multiple interoperating implementations exist, including dkimpy-milter, exim, NoSpamProxy,
and OpenDKIM.
Personnel
The Document Shepherd for this document is Jim Fenton.
The responsible Area Director is Alexey Melnikov.