DKIM is not solving the wrong problem, DKIM is solving an underlying problem.
The suggestions to use reputation, accounts etc are still fine and good, but step 0 is to check whether that guy on the other side is who he says he is - and that's where DKIM comes in.
Yeah, but it doesn't check whether that guy on the other side is who he says he is, it only checks whether that domain on the other side is what it appears to be (registered via ICANN-approved registrar to "that guy"). DKIM relies on DNS. It checks on domains, not people. You have no reliable assurance from DKIM of who is actually controlling that domain. It might not be "that guy" but someone else. DNS is not without its vulnerabilities (including social engineering). Any security mechanism based on DNS is only as "secure" as DNS, which isn't very.
I mean you're technically not wrong, but how do you confirm ownership of an identity?
At some point you have to "trust a system". Block Chain, Social Security ID, Drivers License, Passport, even DNS are all susceptible to some form of attack vector.
I could do a DNA test to verify you, provided I did one before.
> is only as "secure" as DNS, which isn't very
I'd argue DNS itself is quite secure. It has lots of issues, but it's so widely used those issues are known and mitigated for. DNS as a system receives an insane amount of attacks. There's just too much money involved for people not to pay attention for attackers and defenders.
I will agree that your DNS isn't secure. It's analogous to saying your Gmail isn't secure, but Gmail itself is just fine.
Which the EU is debating making an equivalent European wide version mandatory, and requiring websites/private companies adopt and use it (via SAML; instead of username/passwords or things like OAuth/OpenID Connect). In this vision, any online interaction that would require an identity would minimally be required to accept your European identity, and may be prohibited (via GDPR or DSA) from offering other forms of sign-in.
Explicitly part of the goal is either a pan-European ID card or requiring every Member State to adopt one. Currently, MS aren’t required to. When the UK was in the EU, the idea of a digital ID that could be used by the government to track all of your activities online was... not popular. However, despite Brexit, the idea is being reintroduced, this time to “fight coronavirus”. https://www.bbc.com/news/uk-politics-54010432
Technically the institution owning the domain could forge the identity of one of its members. In practice, the sender having the password and Duo push for an institutional AD or G Suite account is a pretty good assurance.
Yes but then again (I consider this their trolling of DIY) Google forces you to set up reverse resolve regardless of DKIM. They effectively lock out (or should I say, spam out) anyone that doesn't have an ISP prepared to do that, and it complicates migration to another ISP. And prevents you running a multiple-domain mail server on a single IP. It is true that reverse resolve generally in the EU isn't such a problem, but it does make issues for USA users.
You don't need to be an ISP to change reverse DNS mappings, you can ask your ISP (or do this via a UI provided by the ISP). Most cloud providers allow you to configure the reverse name, the same for DCs which offer servers for rent or provide co-location. Broadband ISPs offer this for business customers (unless they face no competition and get away with being customer unfriendly). Though it is not a good idea to host a mail server on a broadband connection - they are usually blacklisted because of a history of spam.
> And prevents you running multiple domain mail server on single ip
No it is not. You have to have a pair of mappings: IP -> hostname -> IP, but practically nobody checks that the domain of the hostname matches the domains used in emails. Most mail providers send mail with multiple domains in MAIL FROM using a shared pool of servers which do not use customers' domains in their hostnames.
First part is repeating myself (Where did I say you need to be isp?!! Injecting something false and then arguing about it...), second part google does check reverse dns.
I have been running a self-hosted mail server on a broadband static IP for close to 20 years, and until the reverse resolve was done I was categorically thrown into spam on Gmail. DKIM or not. Once the reverse DNS was set it stopped (after a while)...
Well just google it you have enough of showcases there.
I don’t know about signing, but my email domain (my surname.net) is now 30 or so years old. It gets^w got a lot of spam...
A decade or so ago, I set up a catch-all account so <anything>@mydomain.net is redirected to an ISP account that I have as one of my email identities. In this case I used <account>@mac.com. It’s basically just a front-line IMAP repository, stuff I want to keep will move off it.
Whenever I need to supply an email to an online site, I use <company name>@mydomain.net. The only time this hasn’t worked is with Samsung, who won’t let you sign up as ‘samsung@...’, generally it’s ok though.
There is another rule on the mail server, send-to-trash. This accepts all email and just bins it. I can move <anything>@mydomain to this rule at the click of a button in a second or two with a web interface. I do this for:
- unsolicited email sent to a random “name” at my address, this is actually fairly rare now that most of the obvious ones are gone
- when the mail content doesn’t match the <company name> part, i.e. where the address has been sold to an email list.
- when I want to expire the email address. Sometimes this is temporary, and I have an address I want to keep, but it’s currently being spammed. Making the server send reject messages for a while usually helps. Usually.
Using this, I’ve managed to keep the same email domain since college some 30 years ago actually usable and useful. YMMV :)
I've been doing this for about 10 years now too! It's very convenient to "expire" the email addresses that are sold off.
Another thing I do is to use a spam@domain.com email when an annoying site tries to force me to log in. All emails to this spam address are sent to trash with a filtering rule, and I manually open my trash to click the verification link.
With catch all emails, you need a string "... -all" SPF to make others reject bounce spam messages.
> It's possible that email clients could learn some lessons from this, for example by splitting your inbox into 'people and places you've interacted with before' and 'new contacts from strange people'.
That's how I have Thunderbird set up. I have a rule that puts mail from anyone not in my contacts list into a folder called Unrecognized Sender.
I know it's currently more suitable for an organization than individuals, but I think with a bit of glue it would work fantastically at internet scale.
ISRG (the charity behind Let's Encrypt) has been pretty clear in the past that they aren't interested in doing that. Do you have some particular reason beyond wishful thinking to believe that will change?
Perhaps you can persuade S/MIME client implementations that your certificates are universally trustworthy, and then you've got the makings of a PKI for S/MIME. But I would not hold my breath.
You're the one who wants this, so it's you that will need to set up a Certificate Authority and then get it trusted everywhere for S/MIME. I genuinely wish you good luck with that.
Ok. How do they verify your identity? LetsEncrypt generally does DV (domain verified) certs only. I guess the equivalent of that would be verifying you control the email address. At that point, what is the practical benefit of S/MIME over DKIM (ignoring encryption)?
efail can be fixed, see the link you posted, section "mitigations". Also note that (1) disabling HTML emails fixes it (2) not all clients are affected.
There are two (well, lots more than two) different problems with email. DKIM solves spoofing. That isn't a more or less "wrong" problem than spam. The latter just needs a different solution (and Google etc. have become pretty good at it).
The author obviously has no idea why email signing is there. And what he was proposing, an authorizing system or white-list system, has been there for quite a while, but why is it not enabled by default? It creates more problems than the problems it resolves. Just imagine how it is going to work if you need to send a legit email to someone for the first time. If you are going to need authorization to do it, how do you get that required authorization? By calling the recipient or sending them a letter so that they can add you to the list? Then what's the point of sending email in the first place?
It’s a whitelist of senders as far as I understand, not a spam filter. That results in spam being ignored, but for other reasons than what a spam filter would do.
Another problem with email is that it's your responsibility to keep your contacts list up-to-date when people change their email address. By comparison Facebook doesn't have that problem - for example organising a high school reunion is much more likely to succeed if you contact people via Facebook than via email. I really hope email (or its successor) can copy more of the benefits that currently draw users into those walled gardens.
> By comparison Facebook doesn't have that problem - for example organising a high school reunion is much more likely to succeed if you contact people via Facebook than via email.
I see it the opposite way. People regularly drop off of social networks in favor of new ones or none at all.
I know people who have had the same email address since the 90's.
Facebook's strategy to achieve this is to disallow people from having two different accounts. Things are different on e.g. Twitter where it's common to have two accounts for different usage (like email).
Do you suggest disallowing people from having two different email addresses?
I've been using SpamArrest for about ten years, and I'm very happy with it.
I always whitelist in advance any person or domain I expect to hear from. SpamArrest gives me a chance to hear from legitimate strangers. If a sender refuses to reply to the challenge email, then what (s)he had to say couldn't be that important.
DKIM works well for what it does. Assuming that what the author describes as “revocable authorization” is a desirable feature (I don’t really get why a user wouldn’t just filter them with a block list or white list approach, but whatever) - how is this possible without a centralised provider?
If it’s only possible with a centralised entity like Twitter, it’s not going to scale to last centuries like email will.
because current filter tools are not specific enough or easy enough to use for that purpose. i basically only got the option to mark something as spam and let the algorithm figure out why.
i'd like to sort email by these categories:
signed emails with a known/whitelisted key.
signed emails with a known/blacklisted key
signed emails with an unknown key.
unsigned emails with a known/whitelisted email address
unsigned emails with a known/blacklisted email address
unsigned emails with an unknown address.
and finally emails with obviously fake addresses.
whitelisted keys go to my inbox.
those will be spam free.
blacklisted keys are blocked/bounced/sent to spam.
new keys go into a new contacts folder with a spam rating based on content. then i walk through that folder and accept or block keys.
for unsigned emails the same is done based on the address.
whitelisted addresses get a spam rating in a second inbox.
blacklisted addresses get blocked and unknown addresses get checked manually.
unknown keys or addresses can further be separated into: received only one email from this address or multiple emails.
when i reply to an email the key or address gets whitelisted automatically.
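The sorting scheme in the comment above, written out as a small policy engine. This is an added example, not code from the original thread or from any mail client; the `Message` fields (`signing_key` standing in for the key a verified DKIM signature used, `spam_score` for whatever content filter runs beforehand) and the folder names are assumptions made for the illustration, and the sample traffic in `demo()` is constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Folder names follow the categories the comment lists (names are assumed here).
INBOX = "inbox"                  # signed, whitelisted key: spam free, no rating applied
SECOND_INBOX = "second-inbox"    # unsigned, whitelisted address: delivered with a spam rating
NEW_CONTACTS = "new-contacts"    # signed, unknown key: rated, then accepted or blocked by hand
MANUAL_REVIEW = "manual-review"  # unsigned, unknown address: checked manually
BLOCKED = "blocked"              # blacklisted key or address
FAKE = "fake-address"            # address that cannot even be syntactically valid

# Deliberately crude syntax check, for the "obviously fake addresses" bucket.
ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class Message:
    sender: str                        # the From address the client would display
    signing_key: Optional[str] = None  # identifier of the verified signing key, None if unsigned
    spam_score: float = 0.0            # content-based rating from some other filter (assumed input)


@dataclass
class Verdict:
    folder: str
    spam_score: Optional[float]  # None where the comment says no rating is applied
    repeat: bool                 # unknown sender already seen before?


@dataclass
class SenderPolicy:
    whitelisted_keys: set = field(default_factory=set)
    blacklisted_keys: set = field(default_factory=set)
    whitelisted_addrs: set = field(default_factory=set)
    blacklisted_addrs: set = field(default_factory=set)
    seen: Counter = field(default_factory=Counter)  # mails received per unknown key/address

    @staticmethod
    def _identity(msg):
        # Signed mail is identified by its key, unsigned mail only by its address.
        if msg.signing_key is not None:
            return ("key", msg.signing_key)
        return ("addr", msg.sender.lower())

    def classify(self, msg):
        if not ADDR_RE.match(msg.sender):
            return Verdict(FAKE, None, False)
        kind, ident = self._identity(msg)
        if kind == "key":
            if ident in self.whitelisted_keys:
                return Verdict(INBOX, None, False)
            if ident in self.blacklisted_keys:
                return Verdict(BLOCKED, None, False)
        else:
            if ident in self.whitelisted_addrs:
                return Verdict(SECOND_INBOX, msg.spam_score, False)
            if ident in self.blacklisted_addrs:
                return Verdict(BLOCKED, None, False)
        # Unknown key or address: count it so one-off and repeat senders can be told apart.
        self.seen[(kind, ident)] += 1
        repeat = self.seen[(kind, ident)] > 1
        folder = NEW_CONTACTS if kind == "key" else MANUAL_REVIEW
        return Verdict(folder, msg.spam_score, repeat)

    def accept(self, msg):
        """Manual 'accept' from a review folder."""
        kind, ident = self._identity(msg)
        (self.whitelisted_keys if kind == "key" else self.whitelisted_addrs).add(ident)

    def block(self, msg):
        """Manual 'block' from a review folder."""
        kind, ident = self._identity(msg)
        (self.blacklisted_keys if kind == "key" else self.blacklisted_addrs).add(ident)

    def reply(self, msg):
        # Replying implies trust, so the key or address is whitelisted automatically.
        self.accept(msg)


def demo():
    """Constructed sample traffic; returns the folder each message lands in."""
    policy = SenderPolicy(whitelisted_keys={"s1._domainkey.alice.example"},
                          blacklisted_addrs={"offers@spammer.example"})
    mails = [
        Message("alice@alice.example", "s1._domainkey.alice.example"),
        Message("bob@bob.example", None, spam_score=0.2),
        Message("offers@spammer.example", None, spam_score=0.9),
        Message("not an address", None),
    ]
    return [policy.classify(m).folder for m in mails]


if __name__ == "__main__":
    print(demo())
```

The one design point worth noting: a signed message is keyed on its signing key, never on its From address, so a whitelisted address cannot be ridden by a forged From header once the sender has started signing.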
All you have to do is to ignore email that is signed by entities you don't know and/or don't like. It is as simple as that. The mystery is why people accept anonymous email at all.
If someone were going to register a domain to use for e-mail, what would you recommend? Does the name chosen or TLD make a difference or is IP address the sole determinant of "reputation"? I imagine the situation is like with search, the filtering algorithms used are kept secret, probably because they are biased toward protecting or improving the company's revenues.
I run a web service with email validation, and a nontrivial number of users' validation emails bounce with a request to click some link to pay some money in order to email the user. Sometimes I get the same responding to support requests from users.
I suspect these same users wonder why such a large fraction of their online interactions/signups don't work...
Interestingly, this is where the proof-of-work idea for Bitcoin likely came from (hashcash). Basically prove you've done X amount of CPU work in order to send me an e-mail.
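The "prove you've done X amount of CPU work" scheme above, as an added example of a hashcash-style stamp (not code from the thread or from the hashcash project). It follows the v1 stamp layout `ver:bits:date:resource:ext:rand:counter` with SHA-1, as hashcash does; the stamp sizes, the two-day freshness window and the in-memory double-spend set are assumptions made for the illustration.

```python
import base64
import calendar
import hashlib
import secrets
import time
from typing import Optional, Tuple

# Stamp layout (hashcash v1): ver:bits:date:resource:ext:rand:counter
# The "work" is finding a counter such that SHA-1(stamp) begins with `bits` zero bits.


def leading_zero_bits(digest: bytes) -> int:
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()


def mint(resource: str, bits: int = 20, date: Optional[str] = None) -> str:
    """Sender side: brute-force a counter until the stamp hash has `bits` leading zeros.

    `resource` is the recipient address; `date` is YYMMDD (defaults to today, UTC).
    """
    if ":" in resource:
        raise ValueError("resource must not contain ':'")
    date = date or time.strftime("%y%m%d", time.gmtime())
    rand = base64.b64encode(secrets.token_bytes(6)).decode()  # base64 never contains ':'
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


class Verifier:
    """Recipient side: one hash to check, plus a record of spent stamps so none is reused."""

    def __init__(self, min_bits: int, max_age_days: int = 2):
        self.min_bits = min_bits
        self.max_age = max_age_days * 86400
        self.spent = set()  # assumed in-memory; a real deployment would persist this

    def check(self, stamp: str, resource: str, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        parts = stamp.split(":")
        if len(parts) != 7 or parts[0] != "1":
            return False, "malformed stamp"
        try:
            bits = int(parts[1])
            issued = calendar.timegm(time.strptime(parts[2], "%y%m%d"))
        except ValueError:
            return False, "bad bits or date field"
        if bits < self.min_bits:
            return False, f"claims {bits} bits, need {self.min_bits}"
        if parts[3] != resource:
            return False, "stamp minted for a different recipient"
        if not (now - self.max_age <= issued <= now + 86400):  # one day of clock skew allowed
            return False, "stamp expired or post-dated"
        # Only now pay for a hash: everything above was plain string handling.
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < bits:
            return False, "hash does not show the claimed work"
        if stamp in self.spent:
            return False, "stamp already used"
        self.spent.add(stamp)
        return True, "ok"


if __name__ == "__main__":
    s = mint("alice@example.com", bits=16)
    print(s, Verifier(min_bits=16).check(s, "alice@example.com"))
```

The asymmetry is the whole point: minting at 20 bits costs about a million SHA-1 evaluations, checking costs one. The cheap field checks run before the hash so a flood of malformed stamps never makes the recipient do the expensive part, and binding the stamp to the recipient address and a date is what stops one paid-for stamp being replayed against many mailboxes.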