On 5/3/19 11:53 AM, David Jones wrote:
Not completely true as long as domain/DNS control is not compromised.
How is it not completely true? My server can apply a DKIM signature to an outgoing email with a From: header of djo...@ena.com.
Nothing about my server's DKIM signature verifies the contents of the From: header is accurate.
Technically this is correct but the fact that it's signed and matches the author's domain in the From: header provides authenticity of the origin of the email. In SA rules this would be DKIM_VALID_AU hits.
No it does not. First, you have introduced an additional requirement that the signature matches the author's domain. This is not a requirement of DKIM.
Second, it's (hypothetically) possible for me to get an account on the ena.com email server and send email as djones@ with a signature matching the ena.com domain. But such a message is decidedly not from you. Ergo, DKIM does nothing to verify the authenticity of what was signed.
For example, Microsoft signs customer emails using the tenant's subdomain under onmicrosoft.com. All this confirms is the email came from the Office 365 platform with the original content unmodified.
It only confirms that the content is unmodified after the DKIM signature is applied. DKIM does nothing for any part of email before the DKIM signature is applied.
Microsoft could modify the message before they apply the signature.
Since it doesn't align with the From: domain, DKIM really means nothing from a forged/spoofed (negative) perspective. DKIM can prove the positive that it was not forged/spoofed when it aligns and hits DKIM_VALID_AU.
See above about signatures matching domains. I really don't think there is any part of the DKIM specification that matters if the signing domain matches the purported sending domain. There are other things that deduce things from that information. But to the best of my knowledge, they are outside of the DKIM specification. Please point to something for me to read if you think I'm wrong.
I am not completely clear on ARC but I thought its objective is to provide a "chain of custody" as email goes through mail servers so receiving mail servers can authenticate the origin. I was thinking it's something like a combination of SPF (validation) and DKIM (authentication).
My understanding is that ARC primarily provides a way for a server to state "This is who I received the message from, with these parameters." Then if down stream servers trust the ARC signer, they can apply their own (SPF) processing using the asserted information from the trusted ARC signer.
-- Grant. . . . unix || die
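Added example, not part of the thread or either poster's code: the comparison the two posters are arguing about, the signing domain (d=) against the From: domain, written as a separate step from signature verification. It assumes the signatures were already verified cryptographically elsewhere; the function names and sample messages are constructed for illustration, and the subdomain test is a simplification of an organizational-domain comparison.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; bh=/b= values are placeholders, not real signatures.
ALIGNED = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@example.com>
Subject: signed by the author's domain

body
"""

THIRD_PARTY = """\
DKIM-Signature: v=1; a=rsa-sha256; d=tenant.onmicrosoft.com; s=sel1;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@example.com>
Subject: signed by the hosting platform

body
"""

def signing_domains(msg):
    """Return the d= tag of every DKIM-Signature header, lowercased."""
    domains = []
    for value in msg.get_all("DKIM-Signature", []):
        unfolded = "".join(value.split())  # drop folding whitespace in the tag list
        tags = dict(t.split("=", 1) for t in unfolded.split(";") if "=" in t)
        if "d" in tags:
            domains.append(tags["d"].lower())
    return domains

def author_domain(msg):
    """Domain part of the From: address (the 'author' domain)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def alignment(raw):
    """Classify d= against the From: domain: 'strict', 'subdomain' or 'none'."""
    msg = message_from_string(raw)
    author = author_domain(msg)
    result = "none"
    for d in signing_domains(msg):
        if d == author:
            return "strict"
        if author.endswith("." + d) or d.endswith("." + author):
            result = "subdomain"  # simplified stand-in for an org-domain match
    return result
```

A result of "none" for THIRD_PARTY says nothing about whether the signature itself verifies; it only says the signer is not the domain named in From:.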