manusa / isotope-mail

Isotope Mail Client
https://blog.marcnuri.com/isotope-mail-client-introduction/
Apache License 2.0
234 stars 43 forks

Security: SPF&DKIM #226

Open shift-reality opened 5 years ago

shift-reality commented 5 years ago

Need to validate SPF&DKIM and show the result next to the sent message's "From": if successfully validated = green text email; danger = RED email with a warning. This feature allows preventing "fake" mails from other servers...

ovizii commented 5 years ago

Not sure this belongs in an email client; are those checks not usually done server-side? At least I have set up my own rules on my incoming email server to check DMARC, so what would be the point of showing this info in the client?

manusa commented 5 years ago

Security check should be performed by the SMTP server or any server-side filter run when the e-mail is initially processed by the receiving MTA.

An 'Authentication-Results' header should be added to the message with the results of any authentication filtering performed to the message (https://tools.ietf.org/html/rfc7001).

Generally, it is assumed that the work of applying message authentication schemes takes place at a border MTA or a delivery MTA. This specification is written with that assumption in mind. However, there are some sites at which the entire mail infrastructure consists of a single host.

The security checks could additionally be performed by the e-mail client, but this is not only redundant but wrong. DKIM/SPF or any other DNS TXT records are subject to change by the sender's e-mail server, so these signatures may become outdated over time.

What can be done in the e-mail client is to give a visual hint to the user that the Authentication-Results header is present and that all security filters passed (dkim=pass, spf=pass, ...).

Probably a new issue will be opened referencing this one, with adequate acceptance criteria and a description, to implement this "visual security feedback" for the user.
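Added example, not Isotope Mail's own code: a JavaScript sketch of the visual-hint logic described above. It parses Authentication-Results header values using the RFC 7001 syntax and trusts only headers stamped with the receiving MTA's own authserv-id (assumed here to be "mx.example.net", a constructed value), because a remote sender can include a header of the same name in the message.

```javascript
// Added example (not Isotope Mail code): derive the visual hint from
// Authentication-Results headers (RFC 7001). The trusted authserv-id
// "mx.example.net" used below is a constructed/assumed value.

// Parse one header value into { authservId, results }.
// Simplified grammar: authserv-id [version] ; method=result [props] (; ...)*
function parseAuthenticationResults(value) {
  const unfolded = value.replace(/\r?\n[ \t]+/g, ' ').trim();
  const parts = unfolded.split(';').map(p => p.trim()).filter(Boolean);
  const [authservId] = parts[0].split(/\s+/); // drop optional version number
  const results = [];
  for (const part of parts.slice(1)) {
    if (/^none$/i.test(part)) continue; // "none": no checks were performed
    const m = /^([a-z0-9-]+)\s*=\s*([a-z]+)/i.exec(part);
    if (!m) continue; // skip malformed resinfo entries
    results.push({ method: m[1].toLowerCase(), result: m[2].toLowerCase() });
  }
  return { authservId: authservId.toLowerCase(), results };
}

// Classify a message for the UI: 'pass' (green), 'fail' (red) or
// 'unknown' (no hint). `headers` holds every Authentication-Results value
// found in the message. Only values whose authserv-id equals our own MTA's
// are trusted, since the sender can add its own header of the same name
// (RFC 7001 section 7.1 recommends that the MTA strip such headers).
function securityHint(headers, trustedAuthservId) {
  const trusted = headers
    .map(parseAuthenticationResults)
    .filter(h => h.authservId === trustedAuthservId.toLowerCase());
  if (trusted.length === 0) return 'unknown';
  const checks = trusted
    .flatMap(h => h.results)
    .filter(r => r.method === 'dkim' || r.method === 'spf');
  if (checks.length === 0) return 'unknown';
  // Green only when every DKIM/SPF verdict is "pass"; anything else is red.
  return checks.every(r => r.result === 'pass') ? 'pass' : 'fail';
}

// Constructed sample: a header added by our own MTA, folded over two lines.
const SAMPLE_HEADER =
  'mx.example.net;\r\n dkim=pass header.d=example.org;\r\n spf=pass smtp.mailfrom=example.org';
console.log(securityHint([SAMPLE_HEADER], 'mx.example.net')); // → pass
```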

shift-reality commented 4 years ago

What can be done in the e-mail client is to give a visual hint to the user that the Authentication-Results header is present and that all security filters passed (dkim=pass, spf=pass, ...).

I don't know how email servers do this job, but it looks fine to me. For example, the Yandex Mail client (web) shows an amber or green lock next to the email address to indicate security trouble.