Microsoft missing public DNS TXT entry for DKIM records (msn.com)
Michael Thomas
mike at mtcc.com
Thu Apr 4 19:05:37 UTC 2024
On 4/4/24 12:43 AM, Jay Acuna wrote:
> On Thu, Apr 4, 2024 at 1:23 AM Adam Brenner via NANOG <nanog at nanog.org> wrote:
> ..
>> It seems to me that if msn.com is going to include DKIM headers in their
>> outgoing email, they should also publish their DKIM public key. If they
>> are not going to publish their DKIM public key, then they should not
>> include DKIM headers in their outgoing email.
> Microsoft can still sign the message, Even if the signature cannot be verified
> because they have not yet published the Public Key, for whatever reason.
> That is a partial/incomplete implementation of DKIM then.
There is one potential reason a site might want to do this which is to
essentially invalidate signatures from a non-repudiation standpoint.
Simply unpublishing the key while not 100% foolproof is essentially
saying "we don't take responsibility for mail signed with this key
anymore" -- sort of like the expiry tag in the header but with
attitude. The entire kerfuffle about Her Emails (ie Hillary's email
server) was in part about the fact that the mail on it could still be
verified and thus not denied. After, there were calls for providers to
publish their private keys on a regular basis but that went nowhere that
I've heard of. That's probably not what's going on here -- maybe they
just botched a key rollover -- but it is still amusing to me that we got
non-repudiation along for the ride [*].
Mike
[*] while DKIM only speaks at the domain level and not an individual
account, if providers always require submission auth before signing that
seems pretty airtight to me
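As an added illustration of the mechanism Mike describes (not code from the thread or from any of the providers named in it), the following Python walks the key-retrieval stage of DKIM verification from RFC 6376 section 6.1: it parses a DKIM-Signature header, builds the `<selector>._domainkey.<domain>` query name, and reports what a verifier does when the TXT record is published, unpublished, revoked with an empty `p=`, or when the `x=` expiry tag has passed. The DNS answers are a constructed in-memory stub standing in for a resolver, the example.net domain, selectors and key material are made up, and the actual RSA signature check is deliberately omitted, since the point of the thread is that verification never gets that far when the key is gone.

```python
import re
import time

# Constructed stub of DNS TXT answers, standing in for a real resolver.
# Keys are the names a verifier derives from the signature's s= and d= tags.
STUB_DNS_TXT = {
    # Published key: the normal case (p= value is a made-up placeholder).
    "s1._domainkey.example.net": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructed",
    # Revoked key: RFC 6376 3.6.1 says an empty p= means the key is revoked.
    "old._domainkey.example.net": "v=DKIM1; k=rsa; p=",
    # Selector "gone" has no record at all: the unpublished-key case.
}

# Constructed DKIM-Signature header values (b= and bh= are dummy values).
SIG_PUBLISHED = "v=1; a=rsa-sha256; d=example.net; s=s1; h=from:to:subject; bh=abc=; b=def="
SIG_UNPUBLISHED = "v=1; a=rsa-sha256; d=example.net; s=gone; h=from:to:subject; bh=abc=; b=def="
SIG_REVOKED = "v=1; a=rsa-sha256; d=example.net; s=old; h=from:to:subject; bh=abc=; b=def="
SIG_EXPIRED = "v=1; a=rsa-sha256; d=example.net; s=s1; x=1712000000; h=from; bh=abc=; b=def="
FIXED_NOW = 1712250000  # 2024-04-04, so the x= value above lies in the past


def parse_tags(value):
    """Parse a DKIM tag=value list (header or key record) into a dict.

    Folding whitespace inside values is ignored, as RFC 6376 3.2 requires.
    """
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_query_name(selector, domain):
    """Name a verifier queries for the public key: <s>._domainkey.<d>."""
    return f"{selector}._domainkey.{domain}".lower()


def retrieve_key(dkim_signature_header, now=None, resolver=STUB_DNS_TXT):
    """Run the pre-crypto steps of RFC 6376 6.1.1 and 6.1.2.

    Returns the RFC's result wording. 'key retrieved' means a usable public
    key exists and signature verification could proceed; the cryptographic
    check itself is not performed in this example.
    """
    now = time.time() if now is None else now
    sig = parse_tags(dkim_signature_header)
    for required in ("v", "a", "b", "bh", "d", "h", "s"):
        if required not in sig:
            return f"PERMFAIL (signature missing required tag {required}=)"
    # 6.1.1: an x= tag in the past lets the verifier reject before any DNS work.
    if "x" in sig and int(sig["x"]) < now:
        return "PERMFAIL (signature expired)"
    # 6.1.2: fetch the key; a missing record ends verification immediately.
    record = resolver.get(dkim_query_name(sig["s"], sig["d"]))
    if record is None:
        return "PERMFAIL (no key for signature)"
    key = parse_tags(record)
    # 6.1.2 step 5: empty p= is an explicit revocation, also a hard failure.
    if key.get("p", "") == "":
        return "PERMFAIL (key revoked)"
    return "key retrieved"


def demo(now=FIXED_NOW):
    """Evaluate the four constructed cases against the stub resolver."""
    return {
        "published": retrieve_key(SIG_PUBLISHED, now),
        "unpublished": retrieve_key(SIG_UNPUBLISHED, now),
        "revoked": retrieve_key(SIG_REVOKED, now),
        "expired": retrieve_key(SIG_EXPIRED, now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12s} -> {result}")
```

The "unpublished" and "revoked" paths are the ones that matter for the non-repudiation point: both end in PERMFAIL before any signature math runs, so a third party holding the archived message can no longer produce a passing verification, whereas the `x=` path only works if the signer committed to an expiry at signing time.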