Educause Security Discussion mailing list archives
Re: Ironport DKIM
From: Walter Petruska <wpetruska () USFCA EDU>
Date: Fri, 2 Apr 2010 09:48:28 -0700
And has anyone set up DKIM using Google Mail hosted mail solution for .edu? Ease? Success? Failures?

On 4/1/10, Scott Beardsley <scott () cse ucdavis edu> wrote:

> > DKIM isn't supposed to work with forwarding servers, and it isn't even
> > guaranteed to work across MTA hops.
>
> Not necessarily true, read this[1]. These issues are all still being debated but in essence forwarders could pass on the "Authentication-Results" header to the next hop. That would allow a sort of chained trust although only the last hop would be verifiable. This means that the final recipient server would have to trust the (hopefully signed) message headers from the forwarding server. Not quite the same thing but still useful. Of course, if the message was not changed and only the "Sender" header was modified (ala SRS[2]) this might be less of an issue.
>
> > I think that this begs the question: for what purpose are you using
> > DKIM, and have you found its implementation to be worth the effort?
>
> DKIM allows organizations to take ownership of their messages. It allows other organizations to verify that the message is intact and came from the domain it claims to come from. Since it uses DNS to publish public keys it doesn't make much sense without DNSSEC. DNSSEC is good for many other reasons and its implementation is a bit trickier than DKIM. Organizations that run SMTP servers should at least implement DKIM validation so they can verify incoming mail from servers that have it fully implemented.
>
> Why do we use it? Mostly because we want to stand behind the messages we send. Hopefully that will make us less likely to get blacklisted by random ISPs and allow our messages to get through to other legit mail servers. IMO, just like running open relays, the question with DKIM is not if, but when.
>
> Is the implementation worth it? Yes. Once you understand the concepts it is pretty easy to add.
>
> Scott
>
> ------------
> [1] http://www.circleid.com/posts/dkim_for_discussion_lists/
> [2] http://en.wikipedia.org/wiki/Sender_Rewriting_Scheme
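The chained-trust idea in the quoted message, sketched as an added example that is not part of the thread or any poster's code: a final-hop receiver accepts a DKIM verdict from an "Authentication-Results" header only when the header was stamped by a forwarder it has chosen to trust. The host names, the sample message and the function names are constructed assumptions, and the sketch assumes the trusted forwarder strips inbound headers that claim its own identifier.

```python
import re
from email import message_from_string

# Assumption: forwarders this receiver has decided to trust.
TRUSTED_AUTHSERV_IDS = {"forwarder.example.edu"}

# Constructed sample: two verdicts from the trusted forwarder and one
# from an unknown host that must not be believed.
SAMPLE = (
    "Authentication-Results: forwarder.example.edu;\n"
    "\tdkim=pass header.d=sender.example.org\n"
    "Authentication-Results: mx.unknown.example; dkim=pass header.d=bank.example\n"
    "Authentication-Results: forwarder.example.edu; dkim=fail header.d=list.example.net\n"
    "From: alice@sender.example.org\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)


def trusted_dkim_results(raw_message, trusted_ids):
    """Return (authserv_id, result, signing_domain) for each DKIM verdict
    recorded by a trusted forwarder; verdicts from other hosts are dropped."""
    msg = message_from_string(raw_message)
    accepted = []
    for value in msg.get_all("Authentication-Results", []):
        # Unfold the header, then split into "authserv-id; method=result ..."
        fields = [f.strip() for f in " ".join(value.split()).split(";")]
        authserv_id = fields[0].split()[0].lower() if fields[0] else ""
        if authserv_id not in trusted_ids:
            continue  # anyone upstream could have written this header
        for field in fields[1:]:
            verdict = re.match(r"dkim=(\w+)", field, re.I)
            if not verdict:
                continue
            domain = re.search(r"\bheader\.d=([^\s;]+)", field, re.I)
            accepted.append((authserv_id, verdict.group(1).lower(),
                             domain.group(1).lower() if domain else None))
    return accepted


def signer_verified(raw_message, trusted_ids, domain):
    """True only if a trusted forwarder reported dkim=pass for `domain`."""
    return any(result == "pass" and signed == domain.lower()
               for _, result, signed in trusted_dkim_results(raw_message, trusted_ids))
```

The receiver is relying on the forwarder's word here, not on a signature it checked itself, which is the limitation the message points out.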