Educause Security Discussion mailing list archives

Re: Ironport DKIM


From: Walter Petruska <wpetruska () USFCA EDU>
Date: Fri, 2 Apr 2010 09:48:28 -0700

And has anyone set up DKIM using Google Mail hosted mail solution for .edu?

Ease? Success? Failures?

On 4/1/10, Scott Beardsley <scott () cse ucdavis edu> wrote:
DKIM isn't supposed to work with forwarding servers, and it isn't even
guaranteed to work across MTA hops.

Not necessarily true, read this[1]. These issues are all still being
debated but in essence forwarders could pass on the
"Authentication-Results" header to the next hop. That would allow a sort
of chained trust although only the last hop would be verifiable. This
means that the final recipient server would have to trust the (hopefully
signed) message headers from the forwarding server. Not quite the same
thing but still useful.

Of course, if the message was not changed and only the "Sender" header
was modified (à la SRS[2]) this might be less of an issue.

I think that this begs the question: for what purpose are you using
DKIM, and have you found its implementation to be worth the effort?

DKIM allows organizations to take ownership of their messages. It allows
other organizations to verify that the message is intact and came from
the domain it claims to come from. Since it uses DNS to publish public
keys it doesn't make much sense without DNSSEC. DNSSEC is good for many
other reasons and its implementation is a bit trickier than DKIM.
Organizations that run SMTP servers should at least implement DKIM
validation so they can verify incoming mail from servers that have it
fully implemented.

Why do we use it? Mostly because we want to stand behind the messages we
send. Hopefully that will make us less likely to get blacklisted by
random ISPs and allow our messages to get through to other legit mail
servers. IMO, just like running open relays, the question with DKIM is
not if, but when.

Is the implementation worth it? Yes. Once you understand the concepts it
is pretty easy to add.

Scott
------------
[1] http://www.circleid.com/posts/dkim_for_discussion_lists/
[2] http://en.wikipedia.org/wiki/Sender_Rewriting_Scheme
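As an added example (not code from this thread or from any product named in it): the check a final receiving MTA would apply when chaining trust through a forwarder's Authentication-Results header, as Scott describes above. It accepts a forwarder's dkim=pass only when the authserv-id is on the receiver's own trust list and ignores every other assertion; the sample message, domain names and trust list are constructed for the example.

```python
# Constructed sample (not from the thread): one Authentication-Results header added
# by a forwarder we trust, and one injected upstream carrying a bogus dkim=pass.
SAMPLE_MESSAGE = """\
Authentication-Results: forwarder.example.edu;
 dkim=pass header.d=origin.example.edu header.s=sel2010
Authentication-Results: attacker.example.net; dkim=pass header.d=bank.example
From: someone@origin.example.edu

Hello
"""
# authserv-ids (RFC 5451) whose assertions this receiver has agreed to trust
TRUSTED_AUTHSERV_IDS = {"forwarder.example.edu"}

def header_values(raw, name):
    """Return the unfolded values of every header named `name` (case-insensitive)."""
    head = raw.split("\n\n", 1)[0]
    unfolded = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and unfolded:   # continuation line: join to previous
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    prefix = name.lower() + ":"
    return [h[len(prefix):].strip() for h in unfolded if h.lower().startswith(prefix)]

def parse_authentication_results(value):
    """Split 'authserv-id; method=result prop=val ...' into (authserv_id, results)."""
    authserv, _, rest = value.partition(";")
    results = []
    for clause in rest.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.lower(), result.lower(), props))
    return (authserv.split()[0] if authserv.split() else ""), results

def evaluate_forwarded_dkim(raw, trusted_ids):
    """Accept dkim=pass only from a trusted authserv-id; report the rest as ignored."""
    accepted, ignored = set(), []
    for value in header_values(raw, "Authentication-Results"):
        authserv, results = parse_authentication_results(value)
        if authserv not in trusted_ids:
            ignored.append(authserv)   # untrusted assertion: must not be relied on
            continue
        for method, result, props in results:
            if method == "dkim" and result == "pass" and "header.d" in props:
                accepted.add(props["header.d"])
    return {"dkim_pass_domains": accepted, "ignored_authserv_ids": ignored}
```

The same trust-list check is what lets a receiver strip or disregard an Authentication-Results header that arrives from outside bearing its own authserv-id.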

