Educause Security Discussion mailing list archives

Re: Seeking insight into DKIM implementation

From: Ken Connelly <ken.connelly () UNI EDU>
Date: Thu, 18 Jun 2015 08:48:27 -0500

The intent of DKIM (and its cousin, SPF) is to prevent blatantly forged
email messages from receipt.  It's up to the recipient system to utilize
those checks (or not).  Neither, however, have any effect on mail sent
from phished users who have given away their authentication credentials
to the dark side.  Gmail would like you to believe that implementing
DKIM is the grand solution to spam, but in reality, it's only a single
stepping stone.

- ken

On 6/18/15 7:27 AM, Brett Wasley wrote:

Greetings from Gallaudet University,

We are using Gmail and due to the number of phishing attacks that have
occurred recently we are discussing implementing DKIM as suggested by
Google.

One of the biggest "cons" of DKIM as I understand it is it has
prevented users from sending messages on behalf of their address from
sites outside of Gmail. In other words DKIM is an added layer of
passive authentication, validating the sending/relaying mail server is
approved.  If this sending-server reputation check fails, the message
can be tagged as spam and/or deleted and/or not accepted.  (ex. A
message from a gallaudet.edu <http://gallaudet.edu> address must be
from a mail server that is an authorized relay.)

Those of you that have DKIM implemented is this a problem and if so,
how did you mitigate it? Are there better options for Gmail users
(other than turning on 2-factor authentication)?

Many thanks in advance for your replies.

-- 
Brett Wasley, CISSP
Information Security Officer, Gallaudet Technology Services
Gallaudet University
800 Florida Ave., NE
Washington, D.C. 20002-3695
202.651.5203 (voice) 410.507.2595
brett.wasley () gallaudet edu <mailto:brett.wasley () galluadet edu>


-- 
- Ken
=================================================================
Ken Connelly             Associate Director, Security and Systems
ITS Network Services                  University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373

Any request to divulge your UNI password via e-mail is fraudulent!

Current thread:

Seeking insight into DKIM implementation Brett Wasley (Jun 18)
- Re: Seeking insight into DKIM implementation Ken Connelly (Jun 18)
  - Re: Seeking insight into DKIM implementation Brett Wasley (Jun 18)
    - Re: Seeking insight into DKIM implementation Nick Semenkovich (Jun 18)