v=spf1 include:_spf.google.com mx a:h2Jammy.yushei.net a:mail.h2jammy.yushei.net ~all
v=spf1 include:_spf.google.com ~all
v=DKIM1; h=sha256; k=rsa; t=y; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA04DhjXmwTr2p2EB6VowA55f3Y33ugO0DwyJeHu5EZT7eNNjfbfQZMcXtHB9e15kQ34YJjZVhv2iOBryaotpx0TWtPzbXekpq/jZdMaopcf/HGbN6A53b5l/AsgvSGG+Gd2bwiF2RGBHL/lEo0JpX/hUvpL5NNtFHaILAWc9w6c1FTS1bqyF3NkqljcGuCBnLpa3p5q3IeoBcVNzM2Qhzm5VuVI7+IZzWp4/rRznG8gqd2jYqkjWI4D7JjdN/JGE/LTtHXm5VVm4Aq9NEptMPGidvoSOdvdCq6s3h1Ix8kp6JqNiIU2Nyo1KgP0uQySMUFu0iewiHGNp2cqj5a7IL5wIDAQAB
v=1; a=rsa-sha256; d=example.com; s=big-email; h=from:to:subject; bh=uMixy0BsCqhbru4fqPZQdeZY5Pq865sNAnOAxNgUS0s=; b=LiIvJeRyqMo0gngiCygwpiKphJjYezb5kXBKCNj8DqRVcCk7obK6OUg4o+EufEbB tRYQfQhgIkx5m70IqA6dP+DBZUcsJyS9C+vm2xRK7qyHi2hUFpYS5pkeiNVoQk/Wk4w ZG4tu/g+OA49mS7VX+64FXr79MPwOMRRmJ3lNwJU=
- v= shows which version of DKIM is in use.
- d= is the domain name of the sender.
- s= is the selector that the receiving server should use to look up the DNS record.
- h= lists the header fields that are used to create the digital signature, or b. In this case, the from, to, and subject headers are used. If Bob sent an email to Alice using the example.com domain and the subject line was "Recipe for cheesecake," the content used here would be "bob@example.com" + "alice@example.com" + "Recipe for cheesecake". (This content would also be canonicalized — put into a standardized format.)
- bh= is the hash of the email body. A hash is the result of a specialized mathematical function called a hash function. This is included so that the receiving email server can compute the signature before the entire email body loads, since email bodies can be any length and loading them may take a long time in some cases.
- a= is the algorithm used to compute the digital signature, or b, as well as generate the hash of the email body, or bh. In this example, RSA-SHA-256 is in use (RSA using SHA-256 as the hash function for the digital signature, and SHA-256 for the body hash).
- b= is the digital signature, generated from h and bh and signed with the private key.
The digital signature (b=) allows the receiving server to 1. authenticate the sending server and 2. ensure integrity — that the email has not been tampered with.
The receiving server does this by taking the same content that is listed in h= plus the body hash (bh=) and using the public key from the DKIM record to check if the digital signature is valid. If the correct private key was used and if the content (headers and body) has not been altered, the email passes the DKIM check.
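The receiver-side steps described above, as an added example that is not part of the original page: it parses the signature tags, derives the DNS name where the public key is looked up, and rechecks bh= against the body. The body text and the b= placeholder are constructed, the RSA check of b= is left out because the Python standard library has no RSA verifier, and "simple" body canonicalization is assumed because the sample signature carries no c= tag.

```python
import base64
import hashlib

def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (signature header or DNS key record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            # Folding whitespace inside a value (as in b=) is not significant.
            tags[name.strip()] = "".join(val.split())
    return tags

def key_query_name(tags: dict) -> str:
    """DNS name holding the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization (the default when c= is absent)."""
    while body.endswith(b"\r\n\r\n"):   # ignore empty lines at the end
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"

def body_hash(body: bytes) -> str:
    """Value a signer puts in bh= when a=rsa-sha256."""
    return base64.b64encode(hashlib.sha256(canon_body_simple(body)).digest()).decode()

def body_matches(tags: dict, body: bytes) -> bool:
    """Receiver-side check: recompute the body hash and compare it with bh=."""
    if tags.get("a") != "rsa-sha256":
        raise ValueError("this sketch only handles a=rsa-sha256")
    return body_hash(body) == tags["bh"]

# Constructed sample: d=, s= and h= are the page's values; body and b= are made up.
BODY = b"Graham cracker crust, cream cheese, sugar, eggs.\r\n"
SIG = ("v=1; a=rsa-sha256; d=example.com; s=big-email; h=from:to:subject; "
       f"bh={body_hash(BODY)}; b=PLACEHOLDER")

if __name__ == "__main__":
    tags = parse_tags(SIG)
    print("key lookup:", key_query_name(tags))
    print("signed headers:", tags["h"].split(":"))
    print("original body ok:", body_matches(tags, BODY))
    print("altered body ok:", body_matches(tags, BODY.replace(b"sugar", b"salt")))
```

A bh= match only shows the body is unchanged; the message passes DKIM only when the b= signature over the listed headers and bh= also verifies against the published key.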