On 18/05/24 02:12, Taavi Eomäe via mailop wrote:
Hi!

As part of coordinated disclosure, I am sharing it here as well. In short, using the approach described below, attackers can replace the entire contents of a letter in a way that the letters still pass DKIM’s cryptographic checks. This also means these forged letters can be easily replayed to reach their victims. This subverts many of the expectations operators have about DKIM signatures, DMARC and BIMI.

Although some of these dangers have been known for a while (some parts are even described in the RFC itself), things like the threat landscape, our approach and the extent to which this can be abused have changed. In our opinion, previously suggested and (rarely) implemented mitigations do not reduce these risks sufficiently.

We hope that with some cooperation from mail operators improved defense measures can be implemented to strengthen DKIM for everyone.


A longer description with images is available here: https://www.zone.eu/blog/2024/05/17/bimi-and-dmarc-cant-save-you/

Hi,

Sorry for the resurrection of an old thread.

I recently set up DKIM, partly using https://wiki.debian.org/opendkim as my reference. That seems to suggest using l=, so that's what I did ...

If it's not good advice, perhaps someone more familiar with the subject than I am could update the Debian wiki?

Cheers,
Richard

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
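The l= tag Richard mentions is the DKIM body-length limit (RFC 6376, section 3.5): the body hash bh= then covers only the first l octets of the canonicalized body, so any octets after that point are unsigned. The following Python is an added illustration, not code from the thread, from the zone.eu write-up or from OpenDKIM. It uses "simple" body canonicalization, a constructed sample body, and a hypothetical DKIM-Signature tag set (bh= computed locally, no RSA signing), and shows two things a verifier or signer operator cares about: that an l= signature still matches after content is appended while a signature without l= does not, and a check that reports when l= covers fewer octets than the body actually carries so policy can treat such a signature as absent.

```python
import base64
import hashlib
import re
from typing import Optional

# Constructed sample data (not from the original thread).
SIGNED_BODY = b"Hello,\r\n\r\nPlease find the invoice attached.\r\n"
APPENDED = b"\r\n<div>Content added after signing</div>\r\n"


def simple_body_canon(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: normalize line endings to
    CRLF, drop trailing empty lines, and end the body with exactly one CRLF."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes, length: Optional[int] = None) -> str:
    """bh= value: base64(SHA-256) of the canonicalized body, truncated to
    the first `length` octets when an l= tag is present."""
    canon = simple_body_canon(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def parse_dkim_signature(header_value: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs,
    removing folding whitespace inside values (e.g. a wrapped b= or bh=)."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def build_signature_tags(body: bytes, use_length_tag: bool) -> dict:
    """Hypothetical signer: produce the tag set a signer would emit for
    `body`, with or without an l= tag covering the whole canonicalized body."""
    canon_len = len(simple_body_canon(body))
    tags = {"v": "1", "a": "rsa-sha256", "c": "simple/simple",
            "d": "example.org", "s": "sel", "h": "from:to:subject"}
    if use_length_tag:
        tags["l"] = str(canon_len)
    tags["bh"] = body_hash(body, canon_len if use_length_tag else None)
    return tags


def body_hash_matches(tags: dict, body: bytes) -> bool:
    """Verifier-side bh= comparison, honouring l= exactly as RFC 6376 says."""
    length = int(tags["l"]) if "l" in tags else None
    return body_hash(body, length) == tags["bh"]


def length_tag_risk(tags: dict, body: bytes) -> Optional[str]:
    """Report unsigned trailing content: when l= covers fewer octets than the
    canonicalized body has, everything past l= is outside the signature.
    A verifier can use this to treat the signature as absent for DMARC."""
    if "l" not in tags:
        return None
    covered = int(tags["l"])
    actual = len(simple_body_canon(body))
    if covered < actual:
        return (f"l={covered} covers only {covered} of {actual} canonicalized "
                f"body octets; {actual - covered} octets are unsigned")
    return None


if __name__ == "__main__":
    with_l = build_signature_tags(SIGNED_BODY, use_length_tag=True)
    without_l = build_signature_tags(SIGNED_BODY, use_length_tag=False)
    tampered = SIGNED_BODY + APPENDED
    print("l= present, appended body still matches bh=:",
          body_hash_matches(with_l, tampered))
    print("no l=, appended body matches bh=:",
          body_hash_matches(without_l, tampered))
    print("risk report:", length_tag_risk(with_l, tampered))
```

The signer-side fix is simply not to emit l= (in OpenDKIM that is the BodyLengths option; leave it off). On the verifier side, a signature whose l= is shorter than the body is reported by `length_tag_risk` and can be scored as if no valid signature were present, which is what stops the replayed message from satisfying DMARC alignment.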
