On Wed 23/Jul/2025 20:40:14 +0200 Tero Kivinen wrote:
> Alessandro Vesely writes:
>> On Sun 20/Jul/2025 16:43:35 +0200 Tero Kivinen wrote:
>>> If you count in emails inside big companies, it seems that every
>>> single email is CC'ed to a dozen people [...]
>>> I am not sure if that kind of email is intended to use DKIM2, but if
>>> so, that kind of traffic might not be vanishingly small, and if those
>>> emails are delivered in one transaction it saves lots of resources.
>>
>> DKIM signatures were never intended to provide an authentication
>> seal to be stored with the message. So, what would be the point of
>> signing internal messages? I would argue that if, based on the way
>> mail flow works in a given ADMD, the system is confident about the
>> origin of a message, then there's no need to verify the signature,
>> and therefore no need to sign it. An auth=pass might be all you want
>> for Authentication-Results:.
>
> So you are saying there cannot be phishing attacks from the internal
> network? Having a DKIM signature on internal emails protects against
> phishing attacks which do not come through official company servers.

That's up to an accurate definition of internal. A message that doesn't
originate on a company server has to be defined as external.
I'm not sure if the savings are worth it. In some cases, such as Bcc: at the
MSA, the savings come from simplifying the code.
The question is whether it's worth mentioning this in the spec. Obviously, no
one is forced to use DKIM, security bigotry aside. Analyzing the system to see
where DKIM is effective should still be a good idea. So I'd appreciate some
suggestions for developers on interface options that might solve problems.
Best
Ale
--
Ietf-dkim mailing list -- [email protected]