Re: Microsoft missing public DNS TXT entry for DKIM records (msn.com)

[Michael Thomas <mike () mtcc com>]

On 4/4/24 12:43 AM, Jay Acuna wrote:
> On Thu, Apr 4, 2024 at 1:23 AM Adam Brenner via NANOG <nanog () nanog org> wrote:
> ..
> > It seems to me that if msn.com is going to include DKIM headers in their
> > outgoing email, they should also publish their DKIM public key. If they
> > are not going to publish their DKIM public key, then they should not
> > include DKIM headers in their outgoing email.
> Microsoft can still sign the message, Even if the signature cannot be verified
> because they have not yet published the Public Key, for whatever reason.
> That is a partial/incomplete implementation of DKIM then.

There is one potential reason a site might want to do this which is to 
essentially invalidate signatures from a non-repudiation standpoint. 
Simply unpublishing the key while not 100% foolproof is essentially 
saying "we don't take responsibility for mail signed with this key 
anymore" -- sort of like the expirey tag in the header but with 
attitude. The entire kerfuffle about Her Emails (ie Hillary's email 
server) was in part about the fact that the mail on it could still be 
verified and thus not denied. After, there were calls for providers to 
publish their private keys on a regular basis but that went nowhere that 
I've heard of. That's probably not what's going on here -- maybe they 
just botched a key rollover -- but it still amusing to me that we got 
non-repudiation along for the ride [*].

Mike

[*] while DKIM only speaks at the domain level and not an individual 
account, if providers always require submission auth before signing that 
seems pretty airtight to me