On 18/02/2020 09:47, Andrew C Aitchison via mailop wrote:
> I thought DKIM was supposed to flag such messages;
> do these phishing emails satisfy DKIM ?
DKIM checks that the message matches the DKIM signature - i.e. that it
hasn't been modified since sending. That's it.
So, for instance, your message has this DKIM signature:
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=aitchison.me.uk; s=mythic-beasts-k1; h=Subject:To:From:Date;
bh=c8HNHZV6ldDX0jjiGqekUv0kzjSL24pv2r0BoCkgGgk=; b=bjif8/qAk7FQ1MftQ89Fdbp9ej
SySu0EglcpImChNAvp0fwZBuiuMh4PKtVq4FG66kz7w7yag/eNk72Y7WmmTbecY0uE6gsEagdqBof
eeY7je/ZWixIh8zXaW3UAOe3+ZoSWGczcH0UZ5o+F2SrSeZjkbKZ4AUie2DD/+wH3t6F9FV1JYEmD
RreDzx37oyMn/UDoA9dVqXaA06iMigM2h2JVyOSCTx9Q0yl3z7zVS8diAR1ANOs3kxRR+ce3PfxBo
dHwdGscn19aiWf1V55LGxCXHPCD9K6bH0KTfTr09uT2/7Kb2L2femWwy6nop0MzjicM74v3S9Oxve
00OyLyYg==;
The recipient gets the DKIM public key at
'mythic-beasts-k1._domainkey.aitchison.me.uk' (calculated from the 's'
and 'd' values in the DKIM-Signature line) and checks the message's
signature matches that.
If the DKIM signature had a different 'd=..' value, then the public key
could be retrieved from anywhere - it doesn't have to relate to the FROM
header's domain at all.
So, I could send a message with your email address in the From field,
with the DKIM-Signature being
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=pscs.co.uk; s=some-gibberish; h=.....
and it would pass the DKIM check.
DMARC requires the DKIM 'd' domain value (or the SPF Mail-From domain)
to relate to the FROM message header.
So, DMARC is what you need (along with DKIM and SPF, to give DMARC
something to work with).
--
Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
Sign up for news & updates at http://www.pscs.co.uk/go/subscribe
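
Added example, not part of the original message: a Python sketch of the two checks described above, namely deriving the key lookup name from the 's' and 'd' tags and testing DMARC alignment of 'd' against the From domain. It assumes the signature has already verified cryptographically; the From local part and the small suffix set standing in for the Public Suffix List are constructed.

```python
from email.utils import parseaddr

# Assumption: tiny stand-in for the Public Suffix List, enough for these samples.
PUBLIC_SUFFIXES = {"uk", "co.uk", "me.uk", "com"}

# Constructed samples: tags copied from the message above, b=/bh= omitted.
FROM = "someone@aitchison.me.uk"  # local part is a placeholder
GENUINE = ("v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; "
           "d=aitchison.me.uk; s=mythic-beasts-k1; h=Subject:To:From:Date")
UNRELATED = ("v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; "
             "d=pscs.co.uk; s=some-gibberish; h=Subject:To:From:Date")

def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def key_record_name(tags):
    """DNS name queried for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def org_domain(domain):
    """Organizational domain: longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def dkim_aligned(from_header, tags, strict=False):
    """DMARC alignment between the From: domain and the DKIM d= domain."""
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    d = tags["d"].lower()
    if strict:
        return from_domain == d          # adkim=s: exact match
    return org_domain(from_domain) == org_domain(d)  # adkim=r: same org domain

if __name__ == "__main__":
    for name, sig in (("genuine", GENUINE), ("unrelated", UNRELATED)):
        tags = parse_dkim_tags(sig)
        print(name, key_record_name(tags), "aligned:", dkim_aligned(FROM, tags))
```

Both signatures can pass DKIM on their own; only the first is aligned with the From domain, which is the part DMARC adds.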