
Security: SPF&DKIM

Open shift-reality opened this issue 6 years ago • 3 comments

Need to validate SPF & DKIM and show the result within the message "From": if successfully validated = green text email; danger = RED email with warning. This feature allows preventing "fake" mails from other servers...

shift-reality avatar Mar 19 '19 18:03 shift-reality

Not sure this belongs in an email client; are those checks not usually done server-side? At least I have set up my own rules on my incoming email server to check DMARC, so what would be the point of showing this info in the client?

ovizii avatar Aug 29 '19 09:08 ovizii

Security checks should be performed by the SMTP server or by any server-side filter run when the e-mail is initially processed by the receiving MTA.

An 'Authentication-Results' header should be added to the message with the results of any authentication filtering performed on the message (https://tools.ietf.org/html/rfc7001).

Generally, it is assumed that the work of applying message authentication schemes takes place at a border MTA or a delivery MTA. This specification is written with that assumption in mind. However, there are some sites at which the entire mail infrastructure consists of a single host.

The security checks could additionally be performed by the e-mail client, but this is not only redundant but wrong. DKIM/SPF or any other DNS TXT records are subject to change by the sender's e-mail server, so these signatures may become outdated over time.

What can be done in the e-mail client is to give a visual hint to the user that the Authentication-Results header is present and that all security filters passed (dkim=pass, spf=pass, ...).

Probably a new issue will be opened referencing this one, with adequate acceptance criteria and a description to implement this "visual security feedback" for the user.

manusa avatar Sep 02 '19 15:09 manusa
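The client-side hint described in the comment above, as an added example that is not isotope-mail's own code: it parses the Authentication-Results headers (RFC 7001) already present on a received message and maps them to a green/red/unknown state. It assumes the trusted authserv-id of the receiving MTA is known (the constructed value `mx.example.org`) and, following RFC 7001, ignores headers issued by any other authserv-id, since a sending server can inject a forged Authentication-Results header of its own.

```javascript
// Added example (not isotope-mail's code): derive a visual security state from
// the Authentication-Results headers of a received message, without the client
// doing any SPF/DKIM validation of its own.

const TRUSTED_AUTHSERV_ID = 'mx.example.org'; // constructed value; configure per deployment
const REQUIRED_METHODS = ['spf', 'dkim'];      // methods that must all report "pass"

// Parse one header value into { authservId, results }, e.g.
// { authservId: 'mx.example.org', results: { spf: 'pass', dkim: 'fail' } }.
// Note: comments in CFWS that themselves contain ';' are not handled here.
function parseAuthenticationResults(value) {
  // Unfold continuation lines, then split on ';'. The first segment is
  // "authserv-id [version]", each following one is "method=result [props]".
  const parts = value.replace(/\r?\n[ \t]+/g, ' ').split(';')
                     .map(s => s.trim()).filter(Boolean);
  const authservId = parts[0].split(/\s+/)[0].toLowerCase();
  const results = {};
  for (const resinfo of parts.slice(1)) {
    const m = /^([a-z0-9-]+)=([a-z]+)/i.exec(resinfo);
    if (m) results[m[1].toLowerCase()] = m[2].toLowerCase();
  }
  return { authservId, results };
}

// 'green'   -> every required method passed on a header from the trusted MTA
// 'red'     -> a trusted header exists but some required method did not pass
// 'unknown' -> no header from the trusted MTA (or only untrusted/forged ones)
function securityStatus(headers, trustedId = TRUSTED_AUTHSERV_ID) {
  const trusted = headers.map(parseAuthenticationResults)
                         .filter(h => h.authservId === trustedId);
  if (trusted.length === 0) return 'unknown';
  // Several trusted headers may exist (one per filter); merge their results.
  const merged = Object.assign({}, ...trusted.map(h => h.results));
  return REQUIRED_METHODS.every(m => merged[m] === 'pass') ? 'green' : 'red';
}

// Constructed sample: one folded header from the trusted MTA plus one injected
// by the sender under a foreign authserv-id, which must be ignored.
const SAMPLE_HEADERS = [
  'mx.example.org;\r\n\tspf=pass smtp.mailfrom=sender@example.com;\r\n\tdkim=pass header.d=example.com',
  'evil.example.net; spf=pass; dkim=pass',
];

console.log(securityStatus(SAMPLE_HEADERS)); // green
```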

What can be done in the e-mail client is to give a visual hint to the user that the Authentication-Results header is present and that all security filters passed (dkim=pass, spf=pass, ...).

I don't know how email servers do this job, but it looks fine to me. For example, the Yandex Mail client (web) shows an amber or green lock with the email address to indicate security trouble.

shift-reality avatar Sep 25 '19 08:09 shift-reality