On 3/29/10 12:06 PM, Tarig Yassin wrote:
> Hi Jul
> DKIM, SPF, and DomainKeys are sender authentication methods for email
> systems; they use public key cryptography.
DKIM and DomainKeys use public key cryptography to authenticate
signature sources used for signing at least email From headers and
signature headers.
However, SPF uses chained IP address lists to establish source
authorization, but not authentication. Since outbound MTAs might handle
multiple domains, it would be incorrect to assume authorization implies
authentication and to expect email domains have been previously verified
by the source. For example, Sender-ID might use the same SPF record,
but this expects Purported Responsible Addresses (PRA) rather than Mail
Froms have been verified. On the other hand, SPF was designed to ignore
the PRA, and neither section 2.2 nor 2.4 of RFC4408 imposes prior
verification demands on Mail From or HELO, which would conflict with
normal forwarding. :^(
Both DKIM and DomainKeys share the same domain label of
"<domain-holding-key>._domainkey.<admin-domain>", whereas the first SPF
record in a chain would be accessed without any prefix label. While bad
actors could use either scheme to obscure encoded DNS tunnel traffic,
ascertaining abnormal use would be especially difficult whenever the
first SPF record in a chain includes local-part encoding for subsequent
SPF record prefixes. :^(
-Doug
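The two lookup patterns Doug contrasts above, as an added Python example that is not part of the thread: building the "<selector>._domainkey.<domain>" name from a DKIM-Signature header, and walking an SPF include: chain from the unprefixed first record while enforcing the RFC 4408 limit of ten DNS-querying mechanisms. The DNS_TXT table, domain names and function names are constructed for the example; a real auditor would substitute live TXT lookups.

```python
# Constructed in-memory TXT table standing in for live DNS (assumption).
DNS_TXT = {
    "example.com": "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all",
    "_spf.example.net": "v=spf1 include:relay.example.org ~all",
    "relay.example.org": "v=spf1 ip4:198.51.100.10 -all",
    "loop.example": "v=spf1 include:loop.example -all",
    "sel1._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_KEY",
}


def dkim_key_name(dkim_signature_header):
    """Return the '<selector>._domainkey.<domain>' name a verifier queries,
    taken from the s= and d= tags of a DKIM-Signature header value."""
    tags = {}
    for tag in dkim_signature_header.split(";"):
        name, _, value = tag.partition("=")
        if name.strip():
            tags[name.strip()] = value.strip()
    return f"{tags['s']}._domainkey.{tags['d']}"


def spf_chain(domain, lookup=DNS_TXT.get, max_lookups=10):
    """Follow include: terms starting from the unprefixed record of `domain`.
    Returns (ip4 networks collected, domains visited in order, error or None).
    Only include: is modelled; a/mx/ptr/exists/redirect also count toward
    the RFC 4408 limit in a full implementation."""
    ips, visited, queue, lookups = [], [], [domain], 0
    while queue:
        d = queue.pop(0)
        if d in visited:                     # include: cycle
            return ips, visited, "loop"
        record = lookup(d)
        visited.append(d)
        if record is None or not record.startswith("v=spf1"):
            return ips, visited, f"no spf record for {d}"
        for term in record.split()[1:]:
            if term.startswith("include:"):
                lookups += 1                 # each include: is one DNS lookup
                if lookups > max_lookups:
                    return ips, visited, "permerror: too many DNS lookups"
                queue.append(term[len("include:"):])
            elif term.startswith("ip4:"):
                ips.append(term[len("ip4:"):])
    return ips, visited, None
```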