On 3 May 2019, at 12:30, Grant Taylor wrote:

> On 5/3/19 9:48 AM, Bill Cole wrote:
>> An entirely different mechanism (DKIM) exists to verify From headers.
>
> DKIM is only positive confirmation that the (signed) headers (and body 
> content) have not changed since the signature was applied.

RFC6376:

  1.  Introduction

     DomainKeys Identified Mail (DKIM) permits a person, role, or
     organization to claim some responsibility for a message by
     associating a domain name [RFC1034] with the message [RFC5322], which
     they are authorized to use.

If the signer domain and the From header domain match, a valid DKIM signature 
that includes the From header is authentication of the From header to the 
limits of DNS trustworthiness and trust in the integrity of the domain's 
authority. This is authentication analogous to the authentication of the 
envelope sender provided by SPF. Email has an implicit trust that domains have 
a unitary executive, so we assume that a signer for a domain is not spoofable.


> DKIM does nothing to verify the authenticity of what was signed (at the time 
> it was signed).

Well, I know that the entity in control of DKIM signing for tnetconsulting.net 
was willing to claim responsibility for the message to which I am responding 
which claims to be from gtay...@tnetconsulting.net which was substantially 
unchanged between the signing point and my mail server. If the entity in 
control of DKIM signing for tnetconsulting.net is not an authoritative judge of 
"authenticity" (whatever that means... ) for mail claiming to be from 
gtay...@tnetconsulting.net at the signing point, there is no way for me to 
detect that.

If the entity in control of DKIM signing for tnetconsulting.net chooses to sign 
mail claiming to be from an address in some other domain, there is no 
discernible reason to deem that to be authentication, although it is still 
(according to the RFC) a claim of responsibility for that mail by the entity in 
control of DKIM signing for tnetconsulting.net.

So as Dave said: DKIM_VALID_AU has authentication value where DKIM_VALID alone 
has none unless you have some reason to trust the signer.

> ARC (not DMARC) is a similar signature of what comes in to detect 
> modification downstream.

DMARC is not a signature. It is a statement of policy recommendations for how 
to assess and handle messages which purport to be from a domain but either fail 
SPF checking or DKIM validation *and alignment with From*.

ARC is a totally different thing, authenticating chain-of-custody.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
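As an added example (not part of Bill Cole's message, nor code from SpamAssassin or any DKIM library), the following Python script works through the distinction drawn above: a valid signature whose d= domain matches the From domain, and whose h= list covers From, is authentication of the From header, while a valid signature from an unrelated domain is only that signer's claim of responsibility. It assumes the signature has already been cryptographically verified by a DKIM library (the bh= and b= values are placeholders), approximates the organizational domain with the last two labels instead of the Public Suffix List, and borrows the names DKIM_VALID_AU and DKIM_VALID from the message purely as labels for its own verdicts; all sample messages are constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not real mail). bh= and b= are placeholders:
# this example assumes the signature was already verified cryptographically
# and only evaluates what that verified signature tells us about From.
MSG_ALIGNED = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel; c=relaxed/simple;
 h=from:to:subject:date; bh=PLACEHOLDER=; b=PLACEHOLDER=
From: Alice <alice@example.org>
To: bob@example.net
Subject: signer domain equals From domain

body
"""

MSG_SUBDOMAIN = """\
DKIM-Signature: v=1; a=rsa-sha256; d=mail.example.org; s=sel;
 h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=
From: Alice <alice@example.org>
To: bob@example.net
Subject: signer is a subdomain of the From domain

body
"""

MSG_THIRD_PARTY = """\
DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.com; s=sel;
 h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=
From: Alice <alice@example.org>
To: bob@example.net
Subject: unrelated signer claiming responsibility

body
"""


def parse_dkim_tags(value):
    """Split a DKIM-Signature value into its RFC 6376 tag=value pairs."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        name, val = item.split("=", 1)
        # Folding whitespace inside tag values is not significant.
        tags[name.strip().lower()] = "".join(val.split())
    return tags


def organizational_domain(domain):
    """Crude approximation (last two labels). DMARC proper uses the
    Public Suffix List; this is a simplification for the example."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess(raw, signature_valid=True):
    """Classify what a (verified) DKIM signature says about the From header.

    Returns a dict whose 'verdict' is DKIM_VALID_AU when the signer domain
    aligns with the From domain (strictly or at organizational-domain level),
    DKIM_VALID when the signer is unrelated, and NONE otherwise.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    sig = msg.get("DKIM-Signature")
    if sig is None or not signature_valid:
        return {"verdict": "NONE", "reason": "no valid signature"}
    tags = parse_dkim_tags(sig)
    signer = tags.get("d", "").lower()
    signed_headers = [h.lower() for h in tags.get("h", "").split(":") if h]
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    # RFC 6376 section 5.4 requires From to be signed; a signature that does
    # not cover it should not have verified in the first place.
    if "from" not in signed_headers:
        return {"verdict": "NONE", "reason": "From not covered by h="}
    aligned_strict = signer == from_domain
    aligned_relaxed = (organizational_domain(signer)
                       == organizational_domain(from_domain))
    verdict = "DKIM_VALID_AU" if (aligned_strict or aligned_relaxed) else "DKIM_VALID"
    return {
        "verdict": verdict,
        "signer": signer,
        "from_domain": from_domain,
        "aligned_strict": aligned_strict,
        "aligned_relaxed": aligned_relaxed,
    }


if __name__ == "__main__":
    for name, raw in [("aligned", MSG_ALIGNED), ("subdomain", MSG_SUBDOMAIN),
                      ("third-party", MSG_THIRD_PARTY)]:
        print(name, assess(raw))
```

The third sample is the case the message describes as a bare claim of responsibility: the signature verifies, so a DKIM_VALID-style rule fires, but nothing ties lists.example.com to example.org, so the From header is not authenticated by it. Only the first two produce the author-domain verdict, and only the first would pass a DMARC policy that specifies strict DKIM alignment.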
