trusteddomainproject / OpenDKIM


dkim=pass unprotected #152

Closed ztjuh closed 2 years ago

ztjuh commented 2 years ago

What does the unprotected part in the header mean? Something to fix on my side?

mail-tester.com; dkim=pass (2048-bit key; unprotected) ...

thegushi commented 2 years ago

No dnssec.

-Dan

On May 6, 2022, at 10:06 AM, Alex @.***> wrote:

What does the unprotected part in the header mean?

mail-tester.com; dkim=pass (2048-bit key; unprotected) ...


ztjuh commented 2 years ago

Ahh, my domain does have dnssec though... Is this from the receivers end or the senders end?

thegushi commented 2 years ago

Either. If you have a dnssec-signed domainkey record, but the person validating your mail does not have a dnssec-aware resolver, they will see this. If they have a dnssec-aware resolver, but you have not signed your zone, you will also see this.

It’s mostly harmless, but the problem it solves is:

“Wait, if we’re using cryptography to validate this stuff, shouldn’t we also have a secure channel to validate we’re not also getting spoofed keys?”

And the answer is “well, yes, but the complexity of the attack required to spoof DNS records just to send a forged email is…extreme”.

-Dan (Who’s been dnssec-signing his zones since before the root was signed)

On May 6, 2022, at 10:24 AM, Alex @.***> wrote:

Ahh, my domain does have dnssec though... Is this from the receivers end or the senders end?


ztjuh commented 2 years ago

Okay, it's not that big of an issue as I understand it, so I sent an e-mail to Gmail and it didn't show "unprotected", so it must be mail-tester.com that doesn't support DNSSEC.

Thank you for your explanation!