[MlMt] DKIM validation at client level

Alexandre Takacs a.takacs at augicom.ch
Wed Oct 11 12:56:23 EDT 2017


Thanks for your insight.

>>> The value of DKIM validation at any point is dubious, given that 
>>> anyone can DKIM-sign their messages for the cost of a domain and 
>>> some DNS and MTA config clues.
>>
>> Sorry, I am not sure I understand / agree on this one. I personally 
>> find value in being able to verify that the mail I am getting from 
>> domain "x" is not spoofed.
>
> That's really only true if you know the value of mail which is 
> actually from domain "x".

Not sure I understand that one? Care to elaborate?

One use case I actually have: I get a message from my law firm - 
obviously it might be (and usually is) cryptographically (S/MIME) signed 
but it would be interesting to be able to check that the server which 
sent it did in fact DKIM sign it.

> In security terms, DKIM is pure authentication without any intrinsic 
> authorization value. If you don't add your own careful authorization 
> layer, you're at risk of being fooled by domains like 'paypa1.com.' 
> There is also the more arcane (but real) problem of DKIM replay 
> attacks (explained in depth by Steve Atkins: 
> https://wordtothewise.com/2014/05/dkim-replay-attacks/), which makes 
> the authentication less meaningful than one would hope.

That's an interesting point - thanks for the pointer.

>> And it would be nice, if not ideal, to be able to do so client side 
>> (i.e., in MailMate). Do you have any specifics to substantiate "DKIM 
>> validation after final delivery and IMAP retrieval is potentially 
>> problematic"? I'd be interested to learn about it.
>
> DKIM relies on DNS records which are ephemeral by their nature. One 
> mitigation of DKIM replay attacks is the use of short-lived domain 
> keys, so the signature might have been valid when transported via SMTP 
> but not 5 minutes later when you try to validate it. There are also 
> some local delivery mechanisms that make modifications to message 
> headers or bodies that will invalidate the signature.

Some food for thought here indeed - but all that assumes that one is 
actually able to check the sig in the first place...

A. Takacs
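
The "authorization layer" point quoted above, sketched as an added example that is not part of the original post or of MailMate: a signature that verifies for 'paypa1.com' still fails a local policy that lists only the domains the reader actually trusts. It assumes cryptographic verification has already been done elsewhere (by the receiving MTA or a DKIM library); the function names, the trusted list and the sample message are constructed for illustration.

```python
import email
from email.utils import parseaddr

# Constructed sample message (not real mail); bh= and b= are placeholders.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=paypa1.com; s=sel1;\n"
    "\tt=1507730000; x=1507730300; h=from:subject;\n"
    "\tbh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Billing <billing@paypa1.com>\n"
    "Subject: Your account\n"
    "\n"
    "body\n"
)

def parse_dkim_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def authorization_findings(raw, trusted_domains, now):
    """Policy checks for a message whose signature has ALREADY verified.

    Returns a list of findings; an empty list means the policy is met.
    """
    msg = email.message_from_string(raw)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return ["no DKIM-Signature header"]
    tags = parse_dkim_tags(sig)
    d = tags.get("d", "").lower()
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    if d not in trusted_domains:
        findings.append(f"signing domain {d!r} is not on the trusted list")
    if from_domain != d and not from_domain.endswith("." + d):
        findings.append(f"From domain {from_domain!r} not aligned with d={d!r}")
    # x= is the expiry carried in the signature; a key withdrawn from DNS
    # (the short-lived-key case) cannot be detected from the header alone.
    if tags.get("x", "").isdigit() and int(tags["x"]) < now:
        findings.append("signature expired (x= is in the past)")
    return findings

if __name__ == "__main__":
    print(authorization_findings(SAMPLE, {"paypal.com"}, now=1507730060))
```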

