On 3 May 2019, at 12:30, Grant Taylor wrote:

> On 5/3/19 9:48 AM, Bill Cole wrote:
>> An entirely different mechanism (DKIM) exists to verify From headers.
>
> DKIM is only positive confirmation that the (signed) headers (and body
> content) have not changed since the signature was applied.

RFC6376:

    1. Introduction

    DomainKeys Identified Mail (DKIM) permits a person, role, or
    organization to claim some responsibility for a message by associating
    a domain name [RFC1034] with the message [RFC5322], which they are
    authorized to use.

If the signer domain and the From header domain match, a valid DKIM signature that includes the From header is authentication of the From header to the limits of DNS trustworthiness and trust in the integrity of the domain's authority. This is authentication analogous to the authentication of the envelope sender provided by SPF. Email has an implicit trust that domains have a unitary executive, so we assume that a signer for a domain is not spoofable.

> DKIM does nothing to verify the authenticity of what was signed (at the time
> it was signed).

Well, I know that the entity in control of DKIM signing for tnetconsulting.net was willing to claim responsibility for the message to which I am responding, which claims to be from gtay...@tnetconsulting.net and which was substantially unchanged between the signing point and my mail server.

If the entity in control of DKIM signing for tnetconsulting.net is not an authoritative judge of "authenticity" (whatever that means...) for mail claiming to be from gtay...@tnetconsulting.net at the signing point, there is no way for me to detect that.

If the entity in control of DKIM signing for tnetconsulting.net chooses to sign mail claiming to be from an address in some other domain, there is no discernible reason to deem that to be authentication, although it is still (according to the RFC) a claim of responsibility for that mail by the entity in control of DKIM signing for tnetconsulting.net.

So as Dave said: DKIM_VALID_AU has authentication value where DKIM_VALID alone has none unless you have some reason to trust the signer.

> ARC (not DMARC) is a similar signature of what comes in to detect
> modification down stream.

DMARC is not a signature. It is a statement of policy recommendations for how to assess and handle messages which purport to be from a domain but either fail SPF checking or DKIM validation *and alignment with From*.

ARC is a totally different thing, authenticating chain-of-custody.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
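The DKIM_VALID versus DKIM_VALID_AU distinction drawn in the message above (a verified signature whose `d=` domain aligns with the From domain, versus a verified signature from some other domain), as an added example that is not part of the thread and is not SpamAssassin's or any verifier's own code. It assumes the cryptographic verification has already been done by a real DKIM verifier and is passed in as the `signature_verified` flag; the `PUBLIC_SUFFIXES` table, the `organizational_domain`, `dkim_aligned`, `dkim_signer_domain` and `classify` helpers, and every message and domain in it are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List; only needed for DMARC
# "relaxed" alignment. A real deployment would load the full PSL.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain):
    """Registrable (organizational) domain of `domain` using PUBLIC_SUFFIXES,
    e.g. mail.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)


def dkim_aligned(from_domain, signer_domain, mode="relaxed"):
    """DMARC-style alignment of the DKIM d= domain with the From domain.
    strict: exact match; relaxed: same organizational domain."""
    f = from_domain.lower().rstrip(".")
    d = signer_domain.lower().rstrip(".")
    if mode == "strict":
        return f == d
    return organizational_domain(f) == organizational_domain(d)


def dkim_signer_domain(dkim_signature_value):
    """Extract the d= tag from a DKIM-Signature header value, which is a
    ';'-separated list of tag=value pairs. Returns None if absent."""
    for tag in dkim_signature_value.split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip().lower() == "d":
            return value.strip()
    return None


def classify(raw_message, signature_verified, mode="relaxed"):
    """Mirror the distinction in the thread:
      DKIM_VALID_AU : signature verified AND d= aligned with the From domain
      DKIM_VALID    : signature verified, but the signer is some other domain
      NONE          : no verified/usable signature
    `signature_verified` is assumed to come from a real DKIM verifier;
    no cryptographic verification happens here."""
    if not signature_verified:
        return "NONE"
    msg = email.message_from_string(raw_message, policy=policy.default)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return "NONE"
    signer = dkim_signer_domain(str(sig))
    _, from_addr = parseaddr(str(msg.get("From", "")))
    if not signer or "@" not in from_addr:
        return "NONE"
    from_domain = from_addr.rpartition("@")[2]
    return "DKIM_VALID_AU" if dkim_aligned(from_domain, signer, mode) else "DKIM_VALID"


def _constructed_message(signer_domain):
    # Constructed sample message; bh= and b= are placeholders, not real
    # hashes or signatures, because verification is assumed to be external.
    return (
        "From: Grant Example <grant@example.net>\n"
        "To: list@example.org\n"
        "Subject: alignment test\n"
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;"
        f" d={signer_domain}; s=sel; h=from:to:subject;"
        " bh=CONSTRUCTED; b=CONSTRUCTED\n"
        "\n"
        "body\n"
    )


MSG_ALIGNED = _constructed_message("example.net")          # signer == From domain
MSG_SUBDOMAIN = _constructed_message("mail.example.net")   # aligned only in relaxed mode
MSG_THIRD_PARTY = _constructed_message("esp.example.com")  # unrelated sending service


if __name__ == "__main__":
    for label, m in (("aligned", MSG_ALIGNED), ("subdomain", MSG_SUBDOMAIN),
                     ("third-party", MSG_THIRD_PARTY)):
        print(label, classify(m, True), classify(m, True, "strict"))
```

The third-party case is the one the message warns about: the signer has claimed responsibility for the mail, but nothing ties that claim to the From domain, so treating it as authentication of the From header requires independent trust in the signer.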