DNS TXT field usage?

Douglas Otis dotis at mail-abuse.org
Mon Mar 29 22:19:36 UTC 2010


On 3/29/10 12:06 PM, Tarig Yassin wrote:
> Hi Jul
>
> DKIM, SPF, and DomainKeys are sender authentication methods for email systems, which use public key cryptography.
DKIM and DomainKeys use public key cryptography to authenticate 
signature sources used for signing at least email From headers and 
signature headers.

However, SPF uses chained IP address lists to establish source 
authorization, but not authentication.  Since outbound MTAs might handle 
multiple domains, it would be incorrect to assume authorization implies 
authentication and to expect email domains have been previously verified 
by the source.  For example, Sender-ID might use the same SPF record, 
but this expects Purported Responsible Addresses (PRA) rather than Mail 
Froms to have been verified.  On the other hand, SPF was designed to ignore 
the PRA, and neither section 2.2 nor section 2.4 of RFC 4408 imposes prior 
verification demands on Mail From or HELO, which would conflict with 
normal forwarding. :^(

Both DKIM and DomainKeys share the same domain label of 
"<domain-holding-key>._domainkey.<admin-domain>", whereas the first SPF 
record in a chain would be accessed without any prefix label.  While bad 
actors could use either scheme to obscure encoded DNS tunnel traffic, 
ascertaining abnormal use would be especially difficult whenever the 
first SPF record in a chain includes local-part encoding for subsequent 
SPF record prefixes. :^(

-Doug
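As an added example (not part of Doug's post or of the NANOG thread): a small offline walker over constructed SPF TXT records that follows include: chains from the un-prefixed apex record, enforces the RFC 4408 limit of 10 DNS-causing terms, and flags include targets that carry sender-controlled local-part macros or high-entropy leading labels, the kind of abnormal use the post says is hard to spot. The zone data, domain names and the length/entropy thresholds are constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed offline TXT "zone" (example data, not from the post). The first SPF
# record sits at the bare domain; later records are wherever include: points.
ZONE = {
    "example.com": ["v=spf1 include:_spf.example.com -all"],
    "_spf.example.com": ["v=spf1 ip4:192.0.2.0/24 include:a3f9c2e1b7d04e6f._spf.example.com ~all"],
    "a3f9c2e1b7d04e6f._spf.example.com": ["v=spf1 ip4:198.51.100.7 -all"],
    "example.org": ["v=spf1 include:%{l}._spf.example.org -all"],
}
MAX_LOOKUPS = 10  # RFC 4408 section 10.1: at most 10 DNS-causing terms per check
INCLUDE = re.compile(r"(?<!\S)[+\-~?]?include:(\S+)", re.I)

def spf_record(name, zone=ZONE):
    """The single v=spf1 TXT record at name, or None (absent or ambiguous)."""
    recs = [r for r in zone.get(name, []) if r.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None

def label_entropy(label):  # Shannon entropy of one DNS label, bits per character
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def suspicious(target):
    """Why a reviewer would want to look at this include: target, or None."""
    if "%{l" in target.lower():
        return "local-part macro: the sender chooses the label that gets queried"
    first = target.split(".")[0]
    if len(first) >= 12 and label_entropy(first) > 3.0:  # constructed thresholds
        return f"high-entropy leading label ({label_entropy(first):.2f} bits/char)"
    return None

def walk_spf(domain, zone=ZONE):
    """Follow include: chains from the apex record; return (lookups, findings)."""
    queue, seen, findings, lookups = [domain], set(), [], 0
    while queue:
        name = queue.pop(0)
        rec = spf_record(name, zone) if name not in seen else None
        seen.add(name)
        for target in INCLUDE.findall(rec or ""):
            lookups += 1  # each include term costs one DNS lookup
            if lookups > MAX_LOOKUPS:
                return lookups, findings + [("lookup-limit", target, "more than 10 lookups")]
            reason = suspicious(target)
            if reason:
                findings.append(("suspicious-include", target, reason))
            if "%{" not in target:  # macros need expansion context; do not follow
                queue.append(target)
    return lookups, findings
```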

More information about the NANOG mailing list