On 2.10.2025 at 16:58:57 Steffen Nurpmeso via Postfix-users wrote:
> I can only concur. And in the future DKIM cryptography could mean
> more as it does today even, when message content can be verified
> over all transformations along the message path, back to the
> original sender: then the value of that key is absolute.

If you want to verify the message back to the original sender, S/MIME is the way to go (or PGP/MIME, but you then have to somehow obtain the sender's public key in a trusted way - keyservers etc.). DKIM will never verify that the person who sent the message is really the person who he/she claims to be, as DKIM keys are tied to a domain, not to a particular user. It also won't verify that the message hasn't been changed on the sending server after being already submitted by the sender, but before being DKIM signed.

By the way, I already receive e-mails, e.g. from my bank or from my phone provider, that are S/MIME signed. The email client verifies them automatically when they are displayed and displays a prominent message above the email content that the signature is correct (or incorrect, if it happens to be the case - it happened a few times when they didn't renew the certificate on time). That seems to be already widely implemented and to work pretty well. Why reinvent the wheel and use DKIM for anything other than what it is meant for, i.e. to verify the authenticity of the domain the message claims to be from (and this only)?

In short: if you want the capabilities provided by E2E authentication, use E2E authentication. Not MitM-2-MitM authentication :) (as both sending and receiving servers can be considered MitM from the security point of view).

-- 
Regards,
Jaroslaw Rafa
[email protected]
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
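
To illustrate the point above that DKIM keys are tied to a domain rather than a user, here is an added example (not part of the original message) that parses the `DKIM-Signature` header of two messages and derives the DNS name a verifier would query for the public key. The addresses, the selector `sel1` and the `bh=`/`b=` values are constructed placeholders, and no cryptographic verification is performed.

```python
import re
from email import message_from_string


def parse_dkim_tags(header_value):
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376)."""
    # Undo header folding: a line break followed by whitespace is one space.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)
    tags = {}
    for part in unfolded.split(";"):
        if "=" not in part:
            continue  # empty trailing element or malformed tag
        name, value = part.split("=", 1)  # base64 values may end in '='
        tags[name.strip()] = value.strip()
    return tags


def describe_signature(raw_message):
    """Return who the message claims to be from and what DKIM actually binds."""
    msg = message_from_string(raw_message)
    tags = parse_dkim_tags(msg["DKIM-Signature"])
    return {
        "from": msg["From"],
        "signing_domain": tags["d"],
        # When i= is absent it defaults to an empty local part at d=.
        "identity": tags.get("i", "@" + tags["d"]),
        # The public key is published per selector and domain, not per user.
        "key_dns_name": f"{tags['s']}._domainkey.{tags['d']}",
    }


# Constructed sample messages: same domain, different users.
TEMPLATE = (
    "From: {user}@example.com\n"
    "To: someone@example.net\n"
    "Subject: constructed sample\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\n"
    "\ts=sel1; h=from:to:subject; bh=Q09OU1RSVUNURUQ=;\n"
    "\tb=Q09OU1RSVUNURUQ=\n"
    "\n"
    "body\n"
)
ALICE = TEMPLATE.format(user="alice")
BOB = TEMPLATE.format(user="bob")

if __name__ == "__main__":
    for raw in (ALICE, BOB):
        print(describe_signature(raw))
```

Both messages resolve to the same key record, so a passing DKIM check says nothing about which user at the domain wrote the message.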
