[MlMt] DKIM validation at client level

Bill Cole mmlist-20120120 at billmail.scconsult.com
Wed Oct 11 12:47:08 EDT 2017


On 6 Oct 2017, at 6:31, Alexandre Takacs wrote:

> On 6 Oct 2017, at 6:00, Bill Cole wrote:
>
>> The value of DKIM validation at any point is dubious, given that 
>> anyone can DKIM-sign their messages for the cost of a domain and some 
>> DNS and MTA config clues.
>
> Sorry I am not sure to understand / agree on this one. I personally 
> find value in being able to verify that the mail I am getting from 
> domain "x" is not spoofed.

That's really only true if you know the value of mail which is actually 
from domain "x".

In security terms, DKIM is pure authentication without any intrinsic 
authorization value. If you don't add your own careful authorization 
layer, you're at risk of being fooled by domains like 'paypa1.com.' 
There is also the more arcane (but real) problem of DKIM replay attacks, 
(explained in depth by Steve Atkins: 
https://wordtothewise.com/2014/05/dkim-replay-attacks/) which makes the 
authentication less meaningful than one would hope.

> And it would be nice, if not ideal, to be able to do so client side 
> (i.e., in MailMate). Do you have any specifics to substantiate "DKIM 
> validation after final delivery and IMAP retrieval is potentially 
> problematic" ? I'd be interested to learn about it.

DKIM relies on DNS records which are ephemeral by their nature. One 
mitigation of DKIM replay attacks is the use of short-lived domain keys, 
so the signature might have been valid when transported via SMTP but not 
5 minutes later when you try to validate it. There are also some local 
delivery mechanisms that make modifications to message headers or bodies 
that will invalidate the signature.


More information about the mailmate mailing list