Thanks for your insight.

>>> The value of DKIM validation at any point is dubious, given that
>>> anyone can DKIM-sign their messages for the cost of a domain and
>>> some DNS and MTA config clues.
>>
>> Sorry, I am not sure I understand / agree on this one. I personally
>> find value in being able to verify that the mail I am getting from
>> domain "x" is not spoofed.
>
> That's really only true if you know the value of mail which is
> actually from domain "x".

Not sure I understand that one? Care to elaborate?

>> One use case I actually have: I get a message from my law firm -
>> obviously it might (and is) usually cryptographically (S/MIME) signed
>> but it would be interesting to be able to check that the server which
>> sent it did in fact DKIM sign it.
>
> In security terms, DKIM is pure authentication without any intrinsic
> authorization value. If you don't add your own careful authorization
> layer, you're at risk of being fooled by domains like 'paypa1.com.'
> There is also the more arcane (but real) problem of DKIM replay
> attacks (explained in depth by Steve Atkins:
> https://wordtothewise.com/2014/05/dkim-replay-attacks/), which makes
> the authentication less meaningful than one would hope.

That's an interesting point - thanks for the pointer.

>> And it would be nice, if not ideal, to be able to do so client side
>> (i.e., in MailMate). Do you have any specifics to substantiate "DKIM
>> validation after final delivery and IMAP retrieval is potentially
>> problematic"? I'd be interested to learn about it.
>
> DKIM relies on DNS records which are ephemeral by their nature. One
> mitigation of DKIM replay attacks is the use of short-lived domain
> keys, so the signature might have been valid when transported via SMTP
> but not 5 minutes later when you try to validate it. There are also
> some local delivery mechanisms that make modifications to message
> headers or bodies that will invalidate the signature.

Some food for thought here indeed - but all that assumes that one is
actually able to check the sig in the first place...

A. Takacs
_______________________________________________
mailmate mailing list
[email protected]
https://lists.freron.com/listinfo/mailmate
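
The two points raised in the thread, as an added example that is not part of the original messages or of MailMate: a client-side check that treats the DKIM signing domain as authentication only, applies a separate authorization step (a recipient-maintained list of expected signers), and flags a signature whose `x=` expiry has passed by the time it is validated. It reads the header tags only and does not verify the signature or query DNS; the message, domains, selector and timestamps are constructed, and `TRUSTED_SIGNERS` and `assess` are hypothetical names.

```python
import re
from email import message_from_string

# Constructed sample: the signing domain is a lookalike of a trusted one.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paypa1.com;
 s=sel2024; t=1700000000; x=1700000300; h=from:to:subject;
 bh=AAAA; b=BBBB
From: Billing <billing@paypa1.com>
To: user@example.org
Subject: Invoice

Body
"""

# Assumption: the recipient keeps their own list of domains they expect mail from.
TRUSTED_SIGNERS = {"paypal.com", "lawfirm.example"}

def parse_dkim_tags(header_value):
    """Split a DKIM-Signature header into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Folding whitespace inside a value is not significant.
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def assess(raw_message, now, trusted=TRUSTED_SIGNERS):
    """Return (signing_domain, findings) for the first DKIM-Signature header."""
    msg = message_from_string(raw_message)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None, ["no DKIM-Signature header"]
    tags = parse_dkim_tags(sig)
    domain = tags.get("d", "").lower()
    findings = []
    # Authorization layer: a valid signature says who signed, not that we trust them.
    if domain not in trusted:
        findings.append(f"signing domain {domain!r} is not in the trusted list")
    # x= is the signature expiration in epoch seconds; validating late can fail.
    if "x" in tags and now > int(tags["x"]):
        findings.append("signature expired before validation time")
    return domain, findings
```

A key withdrawn from DNS after delivery has the same effect as an expired `x=` but leaves no trace in the header, so a complete verifier also has to report "key not found" separately from "signature invalid".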