On 5/3/19 6:26 PM, Grant Taylor wrote:
> On 5/3/19 5:10 PM, Kevin A. McGrail wrote:
>> I guess if you lose control of your keys and/or your DNS is
>> compromised, then yes, you have a DKIM issue.
>
> This brings up a non-repudiation issue introduced by DKIM.
>

This is similar to saying not to use HTTPS because there's a possibility that the web server's certificate private keys and DNS might be compromised, so I am safer with plain HTTP. If the DKIM signature aligns with the From: header domain and is valid, DKIM_VALID_AU means you know the source of the email and that it was not modified. If the DKIM signature is any other domain, then it doesn't mean much from a spam/ham perspective, which is why DKIM_VALID has a tiny default value.

> How can you successfully refute a DKIM-Signature if someone has your
> signing keys?
>

DKIM is only one of dozens of tools in the spam-fighting tool bag. I use it in very specific cases when DKIM_VALID_AU rules hit, or I use it in meta rules so that other conditions have to also be true.

> My quick skim of parts of RFC 6376 makes me think that it is dangerous
> and discouraged to associate authentication based on DKIM-Signature,
> even when the d= SDID (?) matches the From: header.
>

I have been using SPF, DKIM, and DMARC for years now in specific meta rules based on patterns noticed in the mail flow through smtp.ena.net, and it has worked pretty well.

1. Carefully whitelist_auth primary domains with user/human mailboxes since they can be compromised. Some cases are worth the risk for difficult partners like legal, HR, financial, etc. with content that looks spammy and can hit high Bayes scores.

2. Whitelist_auth subdomains of primary domains are usually safe for system-generated emails and mailing lists (whitelist_auth *.apache.org).

> Yet even more reason to reread RFC 6376 before replying to Bill's email.
>
> Presently I'm comfortable in thinking that DKIM-Signature validation
> means that the message has not changed in transit. I'm not (yet)
> comfortable drawing any conclusions about authentication.
>

Analyze your email based on DKIM_VALID_AU hits and look for patterns, based on your definition of spam vs UCE vs ham.

If there is enough volume, you should see how DKIM_VALID_AU and DMARC can enhance/extend SPF accuracy, which was your original question.

-- 
David Jones
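An added illustration (not part of David Jones's message or of the SpamAssassin project's own rules) of the two patterns he describes, written as a local.cf fragment: a narrowly scoped whitelist_auth for a human-mailbox domain, a wildcard whitelist_auth for a system-generated subdomain tree, and a meta rule that only credits DKIM_VALID_AU when a second condition also holds. The domain names and the __FROM_PARTNER / PARTNER_AUTH rule names are constructed placeholders.

```spamassassin
# Added example fragment for local.cf; names below are constructed placeholders.

# 1. Human mailboxes can be compromised, so scope whitelist_auth to the one
#    primary domain where the risk is worth it (hr.example.com is a placeholder).
#    whitelist_auth only matches when SPF or DKIM actually validates the sender,
#    so a bare forged From: header does not trigger it.
whitelist_auth *@hr.example.com

# 2. System-generated mail and mailing lists on subdomains are lower risk,
#    so a wildcard over the whole subdomain tree is usually safe
#    (mirrors the *.apache.org case from the message).
whitelist_auth *@*.apache.org

# 3. DKIM_VALID_AU on its own is weak evidence; require it together with a
#    second condition before applying a negative score.  __FROM_PARTNER is a
#    hidden sub-rule (double underscore means no score of its own), and
#    partner.example.net is a placeholder for a known partner's From: domain.
header   __FROM_PARTNER  From:addr =~ /\@partner\.example\.net$/i
meta     PARTNER_AUTH    (DKIM_VALID_AU && __FROM_PARTNER)
describe PARTNER_AUTH    Aligned, valid DKIM signature from a known partner domain
score    PARTNER_AUTH    -3.0
```

Run spamassassin --lint after adding the fragment to confirm the rules parse, and review PARTNER_AUTH hits in the logs for a while before trusting the negative score.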