On 6 Oct 2017, at 6:31, Alexandre Takacs wrote:

> On 6 Oct 2017, at 6:00, Bill Cole wrote:
>
>> The value of DKIM validation at any point is dubious, given that anyone can DKIM-sign their messages for the cost of a domain and some DNS and MTA config clues.
>
> Sorry, I am not sure I understand / agree on this one. I personally find value in being able to verify that the mail I am getting from domain "x" is not spoofed.

That's really only true if you know the value of mail which is actually from domain "x".

In security terms, DKIM is pure authentication without any intrinsic authorization value. If you don't add your own careful authorization layer, you're at risk of being fooled by domains like 'paypa1.com.' There is also the more arcane (but real) problem of DKIM replay attacks (explained in depth by Steve Atkins: https://wordtothewise.com/2014/05/dkim-replay-attacks/), which makes the authentication less meaningful than one would hope.

> And it would be nice, if not ideal, to be able to do so client side (i.e., in MailMate). Do you have any specifics to substantiate "DKIM validation after final delivery and IMAP retrieval is potentially problematic"? I'd be interested to learn about it.

DKIM relies on DNS records which are ephemeral by their nature. One mitigation of DKIM replay attacks is the use of short-lived domain keys, so the signature might have been valid when transported via SMTP but not 5 minutes later when you try to validate it. There are also some local delivery mechanisms that make modifications to message headers or bodies that will invalidate the signature.
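The two points made in this message (a DKIM pass authenticates the signing domain but authorizes nothing, and post-delivery verification breaks when the selector key has been retired or the body was touched on the way to the mailbox) can be shown with a small stdlib-only script. This is an added example, not code from the thread or from MailMate: the DNS selector records are a constructed in-memory stand-in with a publication window, the message, its `bh=` value and the `b=` placeholder are constructed, the trusted-signer list is hypothetical, and the RSA check of the `b=` tag is deliberately left out so that only the steps that fail after delivery remain.

```python
"""Client-side DKIM checks, stdlib only: relaxed body canonicalization and
bh= recomputation (RFC 6376 3.4.4), selector-key availability over time, and
a separate authorization step for the signing domain.  Constructed example;
the RSA verification of the b= tag is omitted on purpose."""
import base64
import hashlib
import re


def relaxed_body_canon(body: str) -> bytes:
    """'relaxed' body canonicalization: collapse runs of SP/TAB to one space,
    drop trailing whitespace, drop trailing empty lines, CRLF line endings.
    An empty body canonicalizes to the empty string."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str) -> str:
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(relaxed_body_canon(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_signature(value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, folding whitespace removed."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, _, v = item.partition("=")  # base64 padding '=' stays in v
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


# Constructed stand-in for the <s>._domainkey.<d> DNS records, with the window
# (arbitrary clock units) during which the sender published each key.
KEY_RECORDS = {
    ("s20171006", "example.com"): {"published": 1000, "removed": 1300,
                                   "p": "<public-key-placeholder>"},
}


def lookup_key(selector: str, domain: str, now: int):
    """Return the key record if it is published at time `now`, else None."""
    rec = KEY_RECORDS.get((selector, domain))
    if rec is None or not (rec["published"] <= now < rec["removed"]):
        return None
    return rec


def check_dkim_prerequisites(headers: dict, body: str, now: int):
    """The verification steps that go wrong after delivery: bh= recomputation
    and key availability.  Returns (status, reason); 'prereqs-ok' means the
    RSA check of b= would be the next step."""
    sig = parse_dkim_signature(headers["DKIM-Signature"])
    if body_hash(body) != sig.get("bh"):
        return ("permfail", "body hash mismatch: body modified after signing")
    if lookup_key(sig.get("s", ""), sig.get("d", ""), now) is None:
        return ("permfail", "no key for selector: rotated or expired")
    return ("prereqs-ok", f"bh and selector key ok for d={sig['d']}")


# Authorization step: a valid signature says who signed, not whether that
# signer is the one you expect.  Hypothetical trusted-signer list; the digit
# folding catches simple look-alikes such as the 'paypa1.com' case above.
TRUSTED_SIGNERS = {"example.com", "paypal.com"}
_CONFUSABLE = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})


def authorize_signer(d: str) -> str:
    d = d.lower()
    if d in TRUSTED_SIGNERS:
        return "trusted"
    folded = d.translate(_CONFUSABLE)
    if folded in TRUSTED_SIGNERS:
        return f"lookalike-of:{folded}"
    return "unknown"


# Constructed message; bh= is computed over the body as it was when signed.
ORIGINAL_BODY = "Hello,\r\n\r\nYour statement is ready.\r\n"
HEADERS = {
    "From": "billing@example.com",
    "DKIM-Signature": ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; "
                       "s=s20171006; h=from:to:subject; bh=" + body_hash(ORIGINAL_BODY)
                       + "; b=<signature-placeholder>"),
}

if __name__ == "__main__":
    print(check_dkim_prerequisites(HEADERS, ORIGINAL_BODY, now=1100))
    # A list or local-delivery footer appended after signing
    print(check_dkim_prerequisites(HEADERS, ORIGINAL_BODY + "-- \r\nlist footer\r\n", now=1100))
    # The same untouched message, checked once the sender has retired the selector
    print(check_dkim_prerequisites(HEADERS, ORIGINAL_BODY, now=1400))
    for d in ("example.com", "paypa1.com", "paypa1-events.net"):
        print(d, authorize_signer(d))
```

Run it as-is to see the three outcomes: the untouched message passes the prerequisites while the key is published, the same message with a footer appended fails on `bh=`, and the untouched message fails with "no key" once the selector has been removed, which is exactly what a client verifying hours after SMTP delivery would see. The `authorize_signer` step is the "careful authorization layer" from the message: it runs only after a signature has been verified, and a pass from a look-alike domain is reported as such rather than treated as the trusted sender.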
_______________________________________________
mailmate mailing list
[email protected]
https://lists.freron.com/listinfo/mailmate