Alessandro Vesely writes:
> On Sun 20/Jul/2025 16:43:35 +0200 Tero Kivinen wrote:
> >
> > If you count in emails inside big companies, it seems that every
> > single email is CC'ed to a dozen people [...]
> >
> > I am not sure if that kind of email is intended to use DKIM2, but if
> > so that kind of traffic might not be vanishingly small, and if those
> > emails are delivered in one transaction it saves lots of resources.
>
> DKIM signatures were never intended to provide an authentication
> seal to be stored with the message. So, what would be the point of
> signing internal messages? I would argue that if, based on the way
> mail flow works in a given ADMD, the system is confident about the
> origin of a message, then there's no need to verify the signature,
> and therefore no need to sign it. An auth=pass might be all you want
> for Authentication-Results:.
So you are saying there cannot be phishing attacks from the internal
network? Having a DKIM signature on internal emails protects against
phishing attacks which do not come through the official company servers.
Quite often company servers do allow emails from any source, as there are
so many other "automated systems", "testing equipment" etc. which need to
send emails to developers etc., and trying to get all of those to use
authenticated sending is just too difficult for those purposes. DKIM will
offer similar protection there to what it does on the global internet,
i.e., proof that the email was sent through the official server and was
sent using an authenticated connection. Those emails which are sent
without authentication do not get DKIM signing, and as companies quite
often have multiple mail servers for different departments, authenticating
emails between different departments is also beneficial.

> A message intended for a mix of internal and external recipients can be
> securely delivered to internal recipients with the signature, or one of the
> signatures, prepared for external destinations.

You seem to assume that there is a single mail infrastructure in the
company. Quite often there are multiple systems, especially when the
company has acquired some other companies etc., and there might not be
much of a way to "securely deliver" emails to different parts of the
company.

Sending phishing attacks from the internal network would be a good way to
try to expand a breach someone already has inside the company. If the
system is only allowed to do DKIM signing when someone uses the official
mail servers and properly authenticates to that server, and the server
validates that the user is not allowed to send emails on behalf of anybody
else, that will provide some protection.

--
[email protected]
_______________________________________________
Ietf-dkim mailing list -- [email protected]
To unsubscribe send an email to [email protected]
