On 5/3/19 11:30 AM, Grant Taylor wrote:
> On 5/3/19 9:48 AM, Bill Cole wrote:
>> An entirely different mechanism (DKIM) exists to verify From headers.
>
> DKIM is only positive confirmation that the (signed) headers (and body
> content) have not changed since the signature was applied.
>

Not completely true as long as domain/DNS control is not compromised.

> DKIM does nothing to verify the authenticity of what was signed (at the
> time it was signed).
>

Technically this is correct, but the fact that it's signed and matches the author's domain in the From: header provides authenticity of the origin of the email. In SA rules this would be DKIM_VALID_AU hits.

For example, Microsoft signs customer emails using the tenant's subdomain under onmicrosoft.com. All this confirms is that the email came from the Office 365 platform with the original content unmodified. Since it doesn't align with the From: domain, DKIM really means nothing from a forged/spoofed (negative) perspective. DKIM can prove the positive that it was not forged/spoofed when it aligns and hits DKIM_VALID_AU.

> ARC (not DMARC) is a similar signature of what comes in to detect
> modification downstream.
>

I am not completely clear on ARC, but I thought its objective is to provide a "chain of custody" as email goes through mail servers so receiving mail servers can authenticate the origin. I was thinking it's something like a combination of SPF (validation) and DKIM (authentication).

-- 
David Jones
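The DKIM alignment distinction discussed in this thread (a signature that verifies, versus one that verifies and whose d= aligns with the From: domain, which is what DKIM_VALID_AU requires), together with the ARC "chain of custody" structure, as an added worked example that is not code from the thread or from SpamAssassin. It parses constructed messages only: the tenant name contoso, the relays relay.example.org and lists.example.net, and all signature values are placeholders, no cryptographic verification or DNS lookup is done, and the organizational-domain helper is a two-label simplification of what a real DMARC implementation does with the Public Suffix List.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample (not from the thread): From: is example.com but the DKIM
# d= is a tenant subdomain under onmicrosoft.com, the Office 365 case in the
# post. Two ARC sets (i=1, i=2) were added by two hypothetical relays.
# Signature values are placeholders; nothing here verifies cryptography.
SAMPLE_O365 = b"""\
ARC-Seal: i=2; a=rsa-sha256; t=1556900000; cv=pass; d=lists.example.net;
 s=arc; b=ZmFrZQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed;
 d=lists.example.net; s=arc; h=from:subject; bh=ZmFrZQ==; b=ZmFrZQ==
ARC-Authentication-Results: i=2; lists.example.net; arc=pass;
 dkim=pass header.d=contoso.onmicrosoft.com
ARC-Seal: i=1; a=rsa-sha256; t=1556899000; cv=none; d=relay.example.org;
 s=arc; b=ZmFrZQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=relay.example.org; s=arc; h=from:subject; bh=ZmFrZQ==; b=ZmFrZQ==
ARC-Authentication-Results: i=1; relay.example.org;
 spf=pass smtp.mailfrom=example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=contoso.onmicrosoft.com; s=selector1; h=From:Subject;
 bh=ZmFrZQ==; b=ZmFrZQ==
From: Alice <alice@example.com>
Subject: alignment test

body
"""

# Constructed sample signed twice by the author's own organization: once by a
# subdomain (aligns only in relaxed mode) and once by the exact From: domain.
SAMPLE_ALIGNED = b"""\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.example.com;
 s=s1; h=From:Subject; bh=ZmFrZQ==; b=ZmFrZQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=s2; h=From:Subject; bh=ZmFrZQ==; b=ZmFrZQ==
From: Alice <alice@example.com>
Subject: alignment test

body
"""

# Same chain as SAMPLE_O365, but the i=2 seal records an upstream failure.
SAMPLE_BROKEN_ARC = SAMPLE_O365.replace(b"cv=pass", b"cv=fail")


def parse(raw):
    return message_from_bytes(raw, policy=policy.default)


def parse_tags(value):
    """Split a 'tag=value; tag=value' header (DKIM-Signature, ARC-*) into a dict."""
    tags = {}
    for part in str(value).split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            tags[k.strip()] = v.strip()
    return tags


def org_domain(domain):
    """Simplified organizational domain (last two labels). Real DMARC code
    uses the Public Suffix List so that e.g. co.uk is handled correctly."""
    return ".".join(domain.lower().split(".")[-2:])


def from_domain(msg):
    return parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()


def dkim_signing_domains(msg):
    """d= tag of every DKIM-Signature header, in header order."""
    return [parse_tags(v).get("d", "").lower() for v in msg.get_all("DKIM-Signature", [])]


def aligned_dkim_domains(msg, mode="relaxed"):
    """Signing domains aligned with From: in DMARC's sense. DKIM_VALID alone
    means 'a signature verifies'; DKIM_VALID_AU additionally needs this list
    to be non-empty, which the onmicrosoft.com case never satisfies."""
    author = from_domain(msg)
    out = []
    for d in dkim_signing_domains(msg):
        if (d == author) if mode == "strict" else (org_domain(d) == org_domain(author)):
            out.append(d)
    return out


def arc_chain(msg):
    """Structural check of an ARC chain (RFC 8617): instances i=1..n present in
    all three header sets, i=1 sealed with cv=none, later seals cv=pass."""
    seals = {int(t["i"]): t.get("cv") for t in map(parse_tags, msg.get_all("ARC-Seal", []))}
    ams = {int(parse_tags(v)["i"]) for v in msg.get_all("ARC-Message-Signature", [])}
    aar = {int(parse_tags(v)["i"]) for v in msg.get_all("ARC-Authentication-Results", [])}
    n = len(seals)
    expected = set(range(1, n + 1))
    contiguous = set(seals) == expected and ams == expected and aar == expected
    cv_ok = all(cv == ("none" if i == 1 else "pass") for i, cv in seals.items())
    return {"instances": n, "intact": n > 0 and contiguous and cv_ok}


if __name__ == "__main__":
    for name, raw in [("o365", SAMPLE_O365), ("aligned", SAMPLE_ALIGNED), ("broken", SAMPLE_BROKEN_ARC)]:
        m = parse(raw)
        print(name, dkim_signing_domains(m), "relaxed:", aligned_dkim_domains(m),
              "strict:", aligned_dkim_domains(m, "strict"), arc_chain(m))
```

On the first sample the signature's d= is contoso.onmicrosoft.com while From: is example.com, so neither alignment mode returns anything: a verifier would hit DKIM_VALID but not DKIM_VALID_AU, which is exactly why that signature says nothing about spoofing of the From: domain. The ARC check only confirms the chain is well-formed (i=1 with cv=none, i=2 with cv=pass); a real receiver would also verify each seal's signature against the sealer's DNS key before trusting the ARC-Authentication-Results it carries.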