On 2025-05-15 at 04:39:44 UTC-0400 (Thu, 15 May 2025 10:39:44 +0200)
Benoit Panizzon via mailop <benoit.paniz...@imp.ch>
is rumored to have said:

Hi Gang

https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail

Quote:

"DomainKeys Identified Mail (DKIM) is an email authentication method
designed to detect forged sender addresses in email (email spoofing), a
technique often used in phishing and email spam."

A couple of days ago, I observed an email which looked like:

envelope-sender: nore...@scamdomain.tld

Valid SPF Entry published for the sending IP in scamdomain.tld

From: "Support" <supp...@victimdomain.tld>
To: "Joe Victim" <j.vic...@victimdomain.tld>
Subject: Please log in to our fake login site!
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=scamdomain.tld;
 s=default;h=From:Subject:.... etc...

default._domainkey.scamdomain.tld published a valid public key.

SPF => Valid!
DKIM => Valid!

How is DKIM supposed to prevent spoofing of the From: header if the
attacker is able to supply the DNS entry in which to look up the public
key used to sign the From: Header?

If the sender can (legitimately) set arbitrary DNS entries in a domain, it is hard for me to see how it is "spoofing" anything to do so.

A DKIM signature or an SPF-validated envelope sender may or may not align with the From header. This is why DMARC exists.

DMARC Policy?

In principle, yes. A message without a valid DKIM signature *OR* SPF validation of the envelope sender, *in a domain that aligns to the From header* should be rejected if there is a p=reject policy, quarantined if there's a p=quarantine policy. If there is no DMARC policy or p=none for the From header domain, an aligned signature authenticates the From ONLY if the domains align.

In practice, this is so widely misunderstood that it is *never* really safe to treat the non-existence of a DKIM signature with the correct domain to be a positive indication of spoofing.



--
 Bill Cole
 b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses)
 Not Currently Available For Hire
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
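The alignment rule Bill describes is easy to state and easy to get wrong, so here is an added worked example (my code, not from either poster or from any DMARC implementation) that evaluates a message the way an RFC 7489 verifier would: take the From: header domain, the SPF-validated envelope-sender domain, the d= of every passing DKIM signature and the published DMARC record, and report whether anything aligns and what disposition the policy asks for. The sample inputs are constructed to mirror Benoit's message (SPF pass and DKIM pass, both for scamdomain.tld, From: at victimdomain.tld). One assumption is labelled in the code: the organizational domain used for relaxed alignment is approximated by the last two labels, where a real verifier consults the Public Suffix List.

```python
"""Simplified DMARC (RFC 7489) alignment evaluation.

Inputs are the results a receiving MTA already has after SPF and DKIM
verification.  The point shown: SPF and DKIM each say "this domain vouches
for this message"; only DMARC asks whether that domain is the From: domain.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def org_domain(domain: str) -> str:
    """Approximate the organizational domain by keeping the last two labels.

    Assumption: a real verifier uses the Public Suffix List (example.co.uk
    has three labels); two labels is enough for the .tld names used here.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment, RFC 7489 section 3.1.

    mode 's' (strict): exact match.  mode 'r' (relaxed): same organizational
    domain, so mail.example.com aligns with example.com.
    """
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def parse_dmarc(record: Optional[str]) -> Optional[Dict[str, str]]:
    """Parse a _dmarc TXT record into a tag dict; None when unusable/absent."""
    if record is None:
        return None
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None  # not a valid DMARC record
    tags.setdefault("adkim", "r")  # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    return tags


@dataclass
class AuthResults:
    from_domain: str                      # RFC5322.From header domain
    spf_result: str = "none"              # "pass", "fail", "none", ...
    spf_domain: str = ""                  # RFC5321.MailFrom (envelope sender) domain
    dkim: List[Tuple[str, str]] = field(default_factory=list)  # [(d=, result)]


def evaluate_dmarc(res: AuthResults, record: Optional[str]) -> Dict[str, object]:
    """Return DMARC result and requested disposition for one message."""
    policy = parse_dmarc(record)
    adkim = policy["adkim"] if policy else "r"
    aspf = policy["aspf"] if policy else "r"

    # A DKIM signature counts only if it verifies AND its d= aligns with From:.
    dkim_aligned = any(
        result == "pass" and aligned(d, res.from_domain, adkim)
        for d, result in res.dkim
    )
    # SPF counts only if it passes AND the envelope-sender domain aligns.
    spf_aligned = res.spf_result == "pass" and aligned(
        res.spf_domain, res.from_domain, aspf
    )
    passed = dkim_aligned or spf_aligned

    if policy is None or passed:
        disposition = "none"       # no policy to enforce, or nothing to enforce
    else:
        disposition = policy["p"]  # "none", "quarantine" or "reject"
    return {
        "dmarc": "pass" if passed else "fail",
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        "disposition": disposition,
    }


# Constructed sample mirroring the thread: SPF and DKIM both pass for the
# attacker's domain while the From: header claims victimdomain.tld.
SCAM = AuthResults("victimdomain.tld", "pass", "scamdomain.tld",
                   [("scamdomain.tld", "pass")])

if __name__ == "__main__":
    for rec in ("v=DMARC1; p=reject", "v=DMARC1; p=none", None):
        print(rec, "->", evaluate_dmarc(SCAM, rec))
```

Running the block shows the scam message failing DMARC under every policy; what changes is only the disposition: reject with p=reject, nothing with p=none or with no record at all, which is the "in practice" gap Bill points at. The same function also shows the converse he warns about: a message with no DKIM signature from victimdomain.tld but an SPF pass for an envelope sender at victimdomain.tld is DMARC-aligned, so a missing DKIM signature alone is not evidence of spoofing.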
