In this day and age, leaked emails have become one of the means by which information is released about the machinations of government. ProPublica was recently the recipient of emails that revealed unflattering information about Donald Trump’s personal lawyer Marc Kasowitz. The publication of these emails set in motion a sequence of events in which Kasowitz let loose a tirade against an ordinary citizen. Since then, Kasowitz has become one of the many people who have been cast out through the revolving door that characterizes the Trump administration.
But if a news organization gets a set of emails from a source, how does it go about making sure that the emails are genuine? Jeremy B. Merrill explains how the ProPublica team sets about validating any emails that they receive and how they applied those checks in the Kasowitz case. The techniques rely on two fields that form part of the message headers, known by the acronyms DKIM (DomainKeys Identified Mail) and ARC (Authenticated Received Chain).
You can use them to authenticate emails that come in over the transom. It takes a tiny bit of command-line work and maybe a little coaxing of your source, but it can offer you a mathematical guarantee that the email you have on your screen is identical to the one that the source received, with no possibility of intermediate tampering.
The obscure header we’re interested in is called the DKIM Signature. It’s kind of like the shipper’s packing list. The DKIM Signature field contains two things: First, a set of instructions for making a summary of the email, mushing up some of the headers and the message itself, and, second, a version of that summary — technically, a “hash” — that’s cryptographically signed by the sending server.
It’s meant to give the receiving server the ability to see if the contents of the email changed in transit, the digital equivalent of detecting whether the mailman steamed open the envelope and modified the contents of a letter. We can put it to good use as journalists by creating our own version of the hash and then decrypting the one made by the sending server. If the hash we create from those instructions matches the decrypted one from the message exactly, we have mathematical proof that our email is the same as the one that was sent/received.
ARC is similar to DKIM, but instead of being used by the sending server, it’s used by intermediaries in the email process, like listservs or servers that receive email. Many emails that arrive in Gmail are signed by Google, but this is a new development — the ARC protocol isn’t even formally approved yet.
I am nowhere close to being an expert on online cryptography and just pass on this information to those who are interested and have the expertise.
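As an added example (not code from ProPublica or from Merrill's article), here is the first half of the check described above in Python: rebuild the summary of the message body exactly as the signing server did, following the RFC 6376 "simple" or "relaxed" canonicalization rules, and compare it with the bh= value the signer recorded in the DKIM-Signature header. Verifying the b= signature itself additionally needs the signer's public key fetched from DNS and an RSA library, which is left out; the sample message, its example.com domain and the PLACEHOLDER signature are constructed for the demonstration.

```python
import base64
import hashlib
import re

def parse_dkim_tags(header_value):
    """Turn 'v=1; a=rsa-sha256; bh=...; b=...' into a dict, dropping folding whitespace."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def canonicalize_body(body, method="simple"):
    """RFC 6376 body canonicalization: 'relaxed' squeezes runs of spaces/tabs and strips
    line-end whitespace; both forms drop trailing empty lines and end with one CRLF."""
    if method == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    body = body.rstrip(b"\r\n")
    if body:
        return body + b"\r\n"
    return b"" if method == "relaxed" else b"\r\n"  # empty body: relaxed "", simple CRLF

def body_hash(body, method="simple", algorithm="rsa-sha256"):
    """The bh= value a signer records: base64(hash(canonical body)); hash name is taken from a=."""
    digest = hashlib.new(algorithm.split("-")[-1], canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode("ascii")

def check_body_hash(raw_message):
    """Recompute the body hash of a raw CRLF message and compare it with the bh= tag of
    its DKIM-Signature header. Returns (matches, recomputed_bh, recorded_bh)."""
    head, _, body = raw_message.partition(b"\r\n\r\n")
    m = re.search(rb"^DKIM-Signature:(.*?)(?=\r\n[^ \t]|\Z)", head, re.I | re.M | re.S)
    if not m:
        raise ValueError("no DKIM-Signature header")
    tags = parse_dkim_tags(m.group(1).decode("ascii"))
    body_canon = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]  # c=header/body
    recomputed = body_hash(body, body_canon, tags.get("a", "rsa-sha256"))
    return recomputed == tags["bh"], recomputed, tags["bh"]

def build_sample(body, method="relaxed"):
    """Constructed sample (not a real mail): the DKIM-Signature carries the correct bh=
    for `body`; b= is a placeholder because nothing is actually signed here."""
    sig = (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/" + method.encode("ascii") +
           b"; d=example.com; s=sel;\r\n\th=from:to:subject; bh=" +
           body_hash(body, method).encode("ascii") + b";\r\n\tb=PLACEHOLDER\r\n")
    return sig + b"From: a@example.com\r\nTo: b@example.com\r\nSubject: hi\r\n\r\n" + body
```

A mismatch here means the body on your screen is not the body the signer hashed; a match only proves that much, since the signed b= value is what binds the bh= tag and the listed headers to the signing domain.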