Alex F

Reputation: 383

How to verify DKIM signature from an e-mail with openssl?

I've set up opendkim for my postfix and now all outgoing mails have a DKIM-Signature heading. What I want to do is to verify manually, without DNS and external utilities, preferably with openssl only, that messages are getting correct signature. So as input data I have:

The question is how to decrypt and/or verify DKIM-Signature with DKIM Public signature using some CLI utility like openssl?

Upvotes: 7

Views: 9198

Answers (2)

Madacol

Reputation: 4276

To verify directly from email's source

  • Download email, usually an .eml file

  • Install python

  • pip install dkimpy

  • dkimverify < email_file.eml

    Alternatively you can

    • dkimverify
    • paste source
    • Ctrl+D

source

Other methods

Upvotes: 4

transilvlad

Reputation: 14532

It can be done, but it is complicated; a utility is the best way. But if you insist, here's how to do it.

  1. Prepare the headers you need for verification and add the dkim-signature at the end without the actual signature hash.

  2. Canonicalize the headers according to the canonicalization algorithm used.

  3. If a limit is set for the body, you'll need to cut it, then canonicalize it too.

  4. Compute the body hash and if it is identical to the one in the dkim signature continue.

  5. Use OpenSSL to verify the header hash by providing the following parameters:

    a. Header hash.

    b. Canonicalized headers.

    c. Public key

    d. Hashing algorithm used (SHA1 or SHA256).

I cannot provide you with an example command as I have used PHP's openssl_verify() function to do this.

I would appreciate it if you told me if you already did this and how.

Upvotes: 0
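The preparation steps listed in the answer above, as an added example that is not part of either answer: it canonicalizes a message, checks the body hash against bh=, and builds the exact byte string the signature covers. It assumes c=relaxed/relaxed and rsa-sha256; the sample message, domain, selector and b= value are constructed.

```python
import base64, hashlib, re

def relaxed_body(body: bytes) -> bytes:
    # RFC 6376 3.4.4: collapse WSP runs, drop trailing WSP and trailing empty lines
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def relaxed_header(field: bytes) -> bytes:
    # RFC 6376 3.4.2: lowercase the name, unfold, collapse WSP, trim the value
    name, value = field.split(b":", 1)
    value = re.sub(rb"[ \t]+", b" ", value.replace(b"\r\n", b"")).strip(b" ")
    return name.strip().lower() + b":" + value + b"\r\n"

def body_hash(body: bytes, length=None) -> str:
    canon = relaxed_body(body)[:length]  # l= counts octets of the canonicalized body
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def dkim_inputs(raw: bytes):
    """Return (body_hash_ok, signed_data, signature); relaxed/relaxed + sha256 only."""
    head, _, body = raw.partition(b"\r\n\r\n")
    fields = re.split(rb"\r\n(?![ \t])", head)
    sig = next(f for f in fields if f.lower().startswith(b"dkim-signature:"))
    taglist = re.sub(r"\s+", "", sig.split(b":", 1)[1].decode())
    tags = dict(t.split("=", 1) for t in taglist.split(";") if "=" in t)
    ok = tags["bh"] == body_hash(body, int(tags["l"]) if "l" in tags else None)
    signed, pool = b"", [f for f in fields if f is not sig]
    for name in tags["h"].lower().split(":"):
        # repeated names are consumed from the bottom of the header block upward
        hit = next((f for f in reversed(pool)
                    if f.split(b":", 1)[0].strip().lower() == name.encode()), None)
        if hit is not None:
            pool.remove(hit)
            signed += relaxed_header(hit)
    # the DKIM-Signature field goes last, with b= emptied and no trailing CRLF
    signed += relaxed_header(re.sub(rb"([;:]\s*b=)[^;]*", rb"\1", sig, count=1))[:-2]
    return ok, signed, base64.b64decode(tags["b"])

# Constructed sample: example.com, selector "sel"; b= is a placeholder, not a real signature
SAMPLE_BH = body_hash(b"Hello world\r\n")
SAMPLE = (b"From:  Alice <alice@example.com>\r\nSubject: DKIM\r\n test\r\n"
          b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
          b" s=sel; h=from:subject; bh=" + SAMPLE_BH.encode() + b"; b=AAAA\r\n\r\n"
          b"Hello \t world  \r\n\r\n\r\n")

if __name__ == "__main__":
    ok, signed, sig = dkim_inputs(SAMPLE)
    print("body hash matches:", ok, "\nsigned data:", signed, "\nsignature:", sig.hex())
```

Saved to files (the names here are assumed), the signed data and signature are the inputs for `openssl dgst -sha256 -verify pubkey.pem -signature sig.bin signed.bin`, where pubkey.pem is the DNS record's p= value wrapped in PUBLIC KEY PEM lines.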
